Aleksoid1978 / MPC-BE

MPC-BE is a universal audio and video file player for the Windows operating system.
GNU General Public License v3.0

Sign releases #434

Closed jermanuts closed 5 months ago

jermanuts commented 5 months ago

Signing releases with your PGP key ensures that releases submitted are authentic and not compromised.

Reference: https://github.com/libusb/libusb/issues/1469

Aleksoid1978 commented 5 months ago

Not planned.

jermanuts commented 5 months ago

Hello, can you elaborate?

Almost every day some infrastructure is compromised and goes unnoticed because of the lack of PGP signing. https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises

One example is Monero: they signed their releases, so after their infrastructure got compromised, users were able to find it out and report it to the Monero team https://web.getmonero.org/2019/11/19/warning-compromised-binaries.html. It would have gone on for a while without anyone realizing that the binaries were compromised, not even the Monero team.

Many big and small orgs/projects are doing so:

1) https://infra.apache.org/release-signing
2) https://docs.opendev.org/opendev/system-config/latest/signing.html
3) https://wiki.debian.org/Subkeys
4) https://www.debian.org/CD/verify
5) https://riseup.net/en/security/message-security/openpgp/best-practices
6) https://docs.featherwallet.org/guides/windows#verifying-the-download
7) https://github.com/qbittorrent/qBittorrent#public-key
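An added example, not code from MPC-BE or from anyone in this thread, showing what a signed release manifest gives a downloader in the Monero-style scenario above: a signed list of file digests lets a user detect a swapped binary, a rewritten digest list, or a signature made with the wrong key. It uses Ed25519 from Go's standard library as a stand-in for an OpenPGP signature (the check has the same shape as `gpg --verify SHA256SUMS.asc` followed by `sha256sum -c SHA256SUMS`); the key pair, file names and file contents are constructed for the example and are not real MPC-BE artifacts.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Release maps a file name in the release directory to its bytes
// (an in-memory stand-in for the assets attached to a GitHub release).
type Release map[string][]byte

var (
	ErrBadSignature   = errors.New("manifest signature does not verify")
	ErrDigestMismatch = errors.New("file digest does not match signed manifest")
	ErrMissingFile    = errors.New("file listed in manifest is missing")
	ErrUnlistedFile   = errors.New("file not listed in signed manifest")
	ErrMalformed      = errors.New("malformed manifest line")
)

// NewPublisherKey creates the maintainer's signing key pair. For a real
// project this is the long-lived OpenPGP key whose public half users pin.
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Manifest renders a SHA256SUMS-style list, one "<hex digest>  <name>" line
// per file, sorted by name so the output is deterministic.
func Manifest(rel Release) string {
	names := make([]string, 0, len(rel))
	for n := range rel {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(rel[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.String()
}

// SignManifest produces a detached signature over the manifest text,
// the counterpart of `gpg --detach-sign SHA256SUMS` on the release machine.
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyRelease is what a downloader runs: check the detached signature with
// the pinned public key first, then check every file against the manifest.
// A swapped binary, a rewritten manifest, an added file or a wrong key is
// reported with a distinct error.
func VerifyRelease(pub ed25519.PublicKey, manifest string, sig []byte, rel Release) error {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return ErrBadSignature
	}
	listed := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(manifest))
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 || len(parts[0]) != sha256.Size*2 {
			return fmt.Errorf("%w: %q", ErrMalformed, line)
		}
		want, err := hex.DecodeString(parts[0])
		if err != nil {
			return fmt.Errorf("%w: %q", ErrMalformed, line)
		}
		name := parts[1]
		listed[name] = true
		data, ok := rel[name]
		if !ok {
			return fmt.Errorf("%w: %s", ErrMissingFile, name)
		}
		got := sha256.Sum256(data)
		if !bytes.Equal(got[:], want) {
			return fmt.Errorf("%w: %s", ErrDigestMismatch, name)
		}
	}
	// Anything in the download that the signed manifest never mentioned is suspect too.
	for n := range rel {
		if !listed[n] {
			return fmt.Errorf("%w: %s", ErrUnlistedFile, n)
		}
	}
	return nil
}

// SampleRelease returns constructed stand-in files (not real MPC-BE builds).
func SampleRelease() Release {
	return Release{
		"MPC-BE.x64.zip":           []byte("constructed x64 build bytes"),
		"MPC-BE.x64-installer.exe": []byte("constructed installer bytes"),
	}
}

func main() {
	pub, priv := NewPublisherKey()
	rel := SampleRelease()
	manifest := Manifest(rel)
	sig := SignManifest(priv, manifest)
	fmt.Println("clean release:", VerifyRelease(pub, manifest, sig, rel))

	// Attacker controlling only the download server swaps a binary.
	tampered := SampleRelease()
	tampered["MPC-BE.x64.zip"] = []byte("backdoored build")
	fmt.Println("swapped binary:", VerifyRelease(pub, manifest, sig, tampered))

	// Attacker also rewrites the manifest to match, but cannot re-sign it.
	fmt.Println("rewritten manifest:", VerifyRelease(pub, Manifest(tampered), sig, tampered))
}
```

The order matters: the signature over the manifest is checked before any digest, so a server-side attacker who can edit both the binaries and the digest list still fails at the first step unless they also hold the maintainer's private key, which is exactly why the key should live off the build and download infrastructure.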