feat: Setup code signing for all packages using opgenpgp #51
Conversation
You will need to download the public key of the release managers, which are currently,

* Friedel Ziegelmayer <dignifiedquire@gmail.com> [`27F50659`](https://pgp.mit.edu/pks/lookup?search=0x27F50659&op=vindex&fingerprint=on).
It would be better to have full fingerprint here. Short ones are not so good any more.
sure, curious why they are not good anymore?
There is a list of keys generated for all short fingerprints; if someone does not look at the name and email, there is a chance they will download the wrong one from the keyserver.
thanks @Kubuxu will update with this in mind
Would be nice to have multiple sigs here (like say @whyrusleeping and I both signing off on a release)
@dignifiedquire thank you for leading the charge here! 👍 ❤️
@jbenet yes need more sigs for sure, but I don't have yours lying around ;) So @jbenet @whyrusleeping please make a PR adding your sigs in here, preferably from a key on your yubikey
TODO from my side, write up general strategy for review |
@jbenet added first draft of a security doc describing the different parts. |
* The private key MUST be stored on seperate hardware than the computer used to sign the release. For convenience something like a [YubiKey](https://www.yubico.com/) is recommended.
* The key must have a length of at least `2048` bits and of type RSA.
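Review bot: the second bullet states a floor of `2048` bits without saying why; the thread below explains that the floor exists only because the YubiKey NEO cannot hold larger keys, so say so in the doc (for example "at least `2048` bits; 4096 preferred where the hardware supports it") so readers do not read 2048 as the recommended size. The first bullet also has "seperate" for "separate".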
I know that generally keys above 4096 should be used, but right now I haven't found a way to generate those keys on my yubikey. So if someone knows how please let me know and we can increase this.
Only Yubikey 4 and 4 Nano support RSA 4096 and even not all of them IIRC.
We use Neo which supports only 2048.
LGTM.
In order to ensure that downloaded binaries are not compromised we provide two ways of checking the integrity of the downloaded files.

In the following the reference to "tarball" means either a `zip` or `tar.gz` file
use "archive"
Recently, there has been discussion in other repos about creating source tarballs that could be built offline due to various connection issues (lost hash, geographic censorship). These releases will have to be signed for user safety if they are to be ferried by third parties across various boundaries. As such, I simply want to pulse an alert on this issue due to its age and significance.
@Stebalien should we pick this up?
That would be awesome! Note: I think a higher priority is a way to update dists without having to fetch and re-add everything if you're looking to improve dists.
Closing as stale.
Update: Added process references
Update: Added sha512 checksums
I've set up a PGP key on my yubikey that is used for the code signing process. This process generates PGP signatures for every single tar/zip file and adds them to the directory. As explained in the description, they can be verified by running
if the key is present.
Ref ipfs/kubo#957
References
Key Management
Setup
Verification
Checksums
In addition to the signatures there are also `file.sha` files containing the `sha512` checksum of the packages.
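A client-side check of both mechanisms described in this PR (the `.sha` sidecar and the detached PGP signature), written as an added example rather than code from the repository: it pins the release managers' full fingerprints instead of the 8-hex short ID the review discussion warns about, and reads the fingerprint from gpg's VALIDSIG status line rather than from the key ID in GOODSIG. The sidecar format (`<hex>  <filename>`, as written by `sha512sum`), the `.asc` naming and the placeholder fingerprint are assumptions.

```python
import hashlib
import re
import subprocess
from pathlib import Path
from typing import Optional

# Full fingerprints of the release managers. Short IDs such as 27F50659 are not
# unique on a keyserver, so pin the whole fingerprint.
# PLACEHOLDER: the real fingerprints are not on this page; substitute your own.
TRUSTED_FINGERPRINTS = {"PLACEHOLDER_40_HEX_FINGERPRINT"}


def make_sha_sidecar(data: bytes, name: str) -> str:
    """Content of `<name>.sha` in sha512sum format (assumed): "<hex>  <name>"."""
    return f"{hashlib.sha512(data).hexdigest()}  {name}\n"


def sha512_matches(data: bytes, sidecar_text: str) -> bool:
    """Compare the archive's SHA-512 digest with the one recorded in its sidecar."""
    fields = sidecar_text.split()
    if not fields:
        return False
    return hashlib.sha512(data).hexdigest() == fields[0].lower()


def signer_fingerprint(status_output: str) -> Optional[str]:
    """Pull the signing key's full fingerprint out of `gpg --status-fd` output.

    Only VALIDSIG carries the full fingerprint (40 hex for v4 keys); GOODSIG
    carries just the short key ID, which is exactly what must not be trusted.
    """
    m = re.search(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40,64}) ", status_output, re.M)
    return m.group(1) if m else None


def signature_is_trusted(status_output: str, trusted=TRUSTED_FINGERPRINTS) -> bool:
    fpr = signer_fingerprint(status_output)
    return fpr is not None and fpr in trusted


def verify_release(archive: Path, trusted=TRUSTED_FINGERPRINTS) -> bool:
    """Check <archive>.sha first, then the detached <archive>.asc and the signer."""
    data = archive.read_bytes()
    if not sha512_matches(data, Path(f"{archive}.sha").read_text()):
        return False
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", f"{archive}.asc", str(archive)],
        capture_output=True, text=True)
    return proc.returncode == 0 and signature_is_trusted(proc.stdout, trusted)
```

Note that a checksum file fetched from the same server as the archive only detects corruption, not substitution; the signature check is what ties the archive to a known key.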