-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenPGP signatures for releases #281
Comments
This is just my soapbox but I created https://github.com/cgwalters/git-evtag long, long before the xz fiasco was a reality. I think what we should sign and what people should build by default is from the git commit. Which nowadays, can be signed with SSH signatures (the same one people use to push, which need to be maintained). OpenPGP and trust chains and maintaining keys is just...well, a whole distinct thing. So what do you think about that? We just stop publishing pre-generated tarballs here, and if you want integrity, fetch the tagged release git commit which should be signed with e.g. git-evtag. |
We don't really have integration for git-evtag in our package tooling as of yet, so I am not sure whether your proposed scheme will work for validation or not. Would we need git-evtag for validation? We are able to create checksums for the contents of a given git object (can be a commit or tag object). In a way that is similar to what git-evtag achieves (as we usually aim for sha512 or b2 sums). That said, the OpenPGP signature also has value for us, but for different reasons: To ensure a trust path between releases. This ticket exists, because the trust path validation is a separate topic from source checksum validation and I would like to find out whether I can rely on it or not (which depends on the project).
I have no particular feeling about pre-generated tarballs (if anything I avoid them at all costs already anyways). This is really up to you as a project.
This still leaves my question open about whether this project is able/ wants to uphold an OpenPGP trust path for releases or not. |
@cgwalters As an additional data point, I would like to point out that - to me - this interaction feels a bit like a non-answer, given that I got a similar reply in ostree in 2021 (see ostreedev/ostree#2349) and ever since that ticket has been stalling. I understand that these things are not necessarily high priority for a team working on a project. Coming to a conclusion would be great though (specifically wrt to the particular issues raised) as this helps me to either close a topic or implement a solution for it. |
I took the liberty to check what vendors currently consider "the source code of composefs 1.0.3" and there's two different artifacts at the moment:
There's a diff available. Note the content of @dvzrv is asking for a signature on the Any kind of pre-processing of the VCS source code needs to happen on Arch Linux build servers to be secured by Arch Linux reproducible builds infrastructure. If you prefer ssh signing or cosign Arch Linux can integrate with this in the |
No, I am asking whether this upstream is willing to uphold a trust path going forward (see #281 (comment)) and whether the currently used OpenPGP key can be exchanged for a new one.
|
Honestly, I don't really think we have a defined process here. I just sort of by default sign release tags with my (admittedly ancient) gpg key. So, no, at this point I don't think I don't think you can robustly rely on use upholding a trust path for every release. Maybe in the future we can make a project-wide decision here. That said, I will at least try to update my personal key to a larger one. |
I understand and that's entirely fine :)
If you do, please ping me! :) Feel free to keep this ticket open until then or close and re-open (or whatever suits best). |
I'll close this for now |
Hi! 馃憢
I'm currently en-route packaging this project for Arch Linux, as we need it for latest ostree.
If available, we usually also want to rely on OpenPGP signature verification on top of checksum validation of sources.
To not run into issues later, I would like to make sure you are providing OpenPGP signatures intentionally and are also interested in providing a trust path between releases for this project (as without trust path guarantees I will not consider using OpenPGP for signature verification).
Further, I would like to point out that the key currently in use (
6A2B067FB5E17A1A3FC8A0DAEB6216DDB76C70E9
) relies on unsafe cryptographic mechanisms (DSA1024). As the key material can be considered forgeable, I am currently not considering it for OpenPGP signature verification. It would be great if you could create a new one, cross-sign it with your old one and then permanently move to the new one.In regards to trust path between releases:
@alexlarsson you seem to be the only person creating releases for this project so far.
Are there plans for others to also create releases (which is usually a good idea, given bus factor and all)? If so, are you planning to provide a trust path between releases up front?
By trust path between releases I mean one of:
Thank you for your time! 馃檱
The text was updated successfully, but these errors were encountered: