-
Notifications
You must be signed in to change notification settings - Fork 32
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
a2462f1
commit 6ce7bfc
Showing
1 changed file
with
56 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| # Signing and Security | ||
|
|
||
| In order to ensure that downloaded binaries are not compromised we provide | ||
| two ways of checking the integrity of the downloaded files. | ||
|
|
||
| In the following the reference to "tarball" means either a `zip` or `tar.gz` file | ||
| depending on the target operating system. | ||
| If not stated otherwise "key" refers to a public/private key pair usable for public | ||
| key cryptography. | ||
|
|
||
| ## 1. `SHA512` Checksum | ||
|
|
||
| After the tarball was created, [`gpg`](https://gnupg.org/) is used to generate | ||
| the `SHA512` checksum of the tarball and put into a file called `$original_file.sha`. | ||
| The command for doing this is | ||
|
|
||
| ```bash | ||
| $ gpg --print-md SHA512 $original_file> > $original_file.sha | ||
| ``` | ||
|
|
||
| ## 2. OpenPGP Compatible ASCII Armored Detached Signatures | ||
|
|
||
| After the tarball is generated it is signed using one of the trusted developer keys. | ||
| From that an OpenPGP compatible ASCII armored detached signature is created and | ||
| put into a file `$original_file.asc`. | ||
| The command for doing this is | ||
|
|
||
| ```bash | ||
| $ gpg --armor --output $original_file.asc --detach-sig $original_file | ||
| ``` | ||
|
|
||
| ## Trusted Developer Keys | ||
|
|
||
| These keys are the ones used to sign tarballs and used to verify their integrity. | ||
|
|
||
| ### Required properties of the keys | ||
|
|
||
| * The private key MUST be stored on seperate hardware than the computer used to sign | ||
| the release. For convenience something like a [YubiKey](https://www.yubico.com/) | ||
| is recommended. | ||
| * The key must have a length of at least `2048` bits and of type RSA. | ||
| * The public key MUST be uploaded to https://pgp.mit.edu/. | ||
| * The full fingerprint MUST be listed on the distributions page. | ||
|
|
||
| ### Obtaining the public keys for verification | ||
|
|
||
| The keys fingerprints are listed on the distributions page and the public keys | ||
| can be downloaded from https://pgp.mit.edu/ using | ||
|
|
||
| ```bash | ||
| $ gpg --keyserver pgpkeys.mit.edu --recv-key $figerprint | ||
| ``` | ||
|
|
||
| ## Further Reading | ||
|
|
||
| * [Apache Release Signing Document](https://www.apache.org/dev/release-signing.html) |
6ce7bfcThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
keybase.io could be optional as well? at least keychain on ipfs is planned, could be good starter to use distributed identity as well. May use something from Bitcoin
6ce7bfcThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd like to involve as little third parties as possible for now. I would love to add ipfs keychain support when it's ready for sure.