feat: Setup code signing for all packages using opgenpgp #51
Conversation
|
|
||
| You will need to download the public key of the release managers, which are currently, | ||
|
|
||
| * Friedel Ziegelmayer <dignifiedquire@gmail.com> [`27F50659`](https://pgp.mit.edu/pks/lookup?search=0x27F50659&op=vindex&fingerprint=on). |
There was a problem hiding this comment.
It would be better to have full fingerprint here. Short ones are not so good any more.
|
sure, curious why are they not good anymore? |
|
There is a list of keys for all short fingerprints generated, if someone will not look at the name and email there is a chance he will download a wrong one from the keyserver. |
|
thanks @Kubuxu will update with this in mind |
|
Would be nice to have multiple sigs here (like say @whyrusleeping and i both signing off to a release) |
|
@dignifiedquire thank you for leading the charge here! 👍 ❤️ |
|
@jbenet yes need more sigs for sure, but I don't have yours lying around ;) So @jbenet @whyrusleeping please make a PR adding your sigs in here, preferably from a key on your yubikey |
|
TODO from my side, write up general strategy for review |
ghost
mentioned this pull request
|
@jbenet added first draft of a security doc describing the different parts. |
| * The private key MUST be stored on seperate hardware than the computer used to sign | ||
| the release. For convenience something like a [YubiKey](https://www.yubico.com/) | ||
| is recommended. | ||
| * The key must have a length of at least `2048` bits and of type RSA. |
There was a problem hiding this comment.
I know that generally keys above 4096 should be used, but right now I haven't found a way to generate those keys on my yubikey. So if someone knows how please let me know and we can increase this.
There was a problem hiding this comment.
Only Yubikey 4 and 4 Nano support RSA 4096 and even not all of them IIRC.
There was a problem hiding this comment.
We use Neo which supports only 2048.
|
LGTM. |
| In order to ensure that downloaded binaries are not compromised we provide | ||
| two ways of checking the integrity of the downloaded files. | ||
|
|
||
| In the following the reference to "tarball" means either a `zip` or `tar.gz` file |
ghost
mentioned this pull request
ghost
mentioned this pull request
|
Recently, there has been discussion in other repos about creating source tarballs that could be built offline due to various connection issues (lost hash, geographic censorship). These releases will have to be signed for user saftey if they are to be ferried by third parties across various boundaries. As such, I simply want to pulse an alert on this issue due to its age and significance. |
|
@Stebalien should we pick this up? |
|
That would be awesome! Note: I think a higher priority is a way to update dists without having to fetch and re-add everything if you're looking to improve dists. |
|
Closing as stale. |
Update: Added process references
Update: Added sha512 checksums
I've setup a pgp on my yubikey that is used for the code signing process. This process generates pgp signatures for every single tar/zip file and adds them to directory. As in the description explained they can be verified by running
if the key is present.
Ref ipfs/kubo#957
References
Key Management
Setup
Verification
Checksums
In addition to the signatures there are also
file.shafiles containing thesha512checksum of the packages.