asdf-community / asdf-zig

Zig plugin for the asdf version manager
https://github.com/asdf-vm/asdf
Apache License 2.0

Minisign / Signify Cryptographic Verification Missing #6

Open hendursaga opened 1 year ago

hendursaga commented 1 year ago

Provide environment information

N/A

To Reproduce

N/A

Describe the Bug

Since 0.10.1, Zig releases have been cryptographically signed using https://jedisct1.github.io/minisign/ which I believe is compatible with OpenBSD's signify and the various ports to other systems. The public key, which you can find at either https://github.com/ziglang/zig/releases/tag/0.11.0 or https://github.com/ziglang/zig/releases/tag/0.10.1, is RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U. I am not sure if any other asdf plugin has already implemented minisign / signify support yet. I do not recall any "standard" location for the public keys to go, so maybe something asdf-specific, like how we store PGP public keys, in a private, plugin-specific keyring.

Expected Behaviour

Some additional assurance that the binaries downloaded are not tampered with.
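
A fail-closed check of the kind this issue asks for, as an added example that is not part of the issue or of the asdf-zig plugin. It assumes the `minisign` CLI is installed, that the signature is stored next to the tarball as `<tarball>.minisig`, and that Zig's signatures carry minisign's default `file:<name>` trusted comment; `verify_zig_tarball` is a hypothetical helper name.

```bash
# Added example: fail-closed minisign check for a downloaded Zig tarball.
# Public key as quoted in the issue above.
ZIG_MINISIGN_PUBKEY='RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U'

# verify_zig_tarball <tarball> [signature]   (hypothetical helper name)
# Returns 0 only when minisign accepts the signature under the pinned key AND
# the signed trusted comment names this file. Every other outcome is non-zero,
# so the caller must not unpack the tarball unless this succeeds.
verify_zig_tarball() {
  local tarball="$1"
  local sig="${2:-$1.minisig}"   # assumption: signature saved as <tarball>.minisig
  local name trusted
  name="$(basename "$tarball")"

  if [ ! -s "$tarball" ] || [ ! -s "$sig" ]; then
    echo "asdf-zig: missing tarball or signature for $name" >&2
    return 3
  fi
  if ! command -v minisign >/dev/null 2>&1; then
    echo "asdf-zig: minisign not found, refusing unverified install" >&2
    return 2
  fi

  # -V verify, -Q print only the trusted comment, -P inline public key,
  # -m signed file, -x signature file.
  if ! trusted="$(minisign -V -Q -P "$ZIG_MINISIGN_PUBKEY" \
                    -m "$tarball" -x "$sig" 2>/dev/null)"; then
    echo "asdf-zig: signature verification FAILED for $name" >&2
    return 1
  fi

  # The trusted comment is covered by the signature. Requiring "file:<name>"
  # rejects a different, validly signed release served under this file name.
  # Assumption: the signer kept minisign's default trusted comment format.
  if printf '%s\n' "$trusted" | tr '\t ' '\n\n' | grep -Fxq -- "file:$name"; then
    return 0
  fi
  echo "asdf-zig: signed file name does not match $name" >&2
  return 4
}
```

Pinning the key inside the plugin, rather than fetching it at install time from the same host as the tarball, is what gives the check value: an attacker who can replace the download can usually replace a key served beside it.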