cisco / libsrtp

Library for SRTP (Secure Realtime Transport Protocol)

Cryptographic signed commits and releases #288

Open jonassmedegaard opened 7 years ago

jonassmedegaard commented 7 years ago

It would be great if there were electronic signatures (OpenPGP/etc) of all git commits and tags and any zip files or tarballs you release, so that distributors and users can verify the source code came from authors of this project and wasn't modified by github or network attackers.

https://mikegerwitz.com/papers/git-horror-story
https://github.com/blog/2144-gpg-signature-verification
https://wiki.debian.org/Creating%20signed%20GitHub%20releases
https://wiki.debian.org/debian/watch#Cryptographic_signature_verification

thisisG commented 7 years ago

Will discuss! Thanks for the report!

jonassmedegaard commented 7 years ago

I have wanted to suggest this for some time, but lacked references.

For the record, I stole most of the text from this email post by fellow Debian developer Paul Wise: http://lists.alioth.debian.org/pipermail/pkg-fonts-devel/2017-March/019303.html

pabuhler commented 6 years ago

@jonassmedegaard, for the next release (2.2) we will try to create a signed release based on the steps in https://wiki.debian.org/Creating%20signed%20GitHub%20releases. The key id that will be used, at least initially, is EF76B4CDB2A6BF541985C48CE70913DF61445490, available from pool.sks-keyservers.net. I just wanted to inform you now in case you have some input?

jonassmedegaard commented 6 years ago

Quoting Pascal Bühler (2017-10-27 12:29:05)

> @jonassmedegaard, for the next release (2.2) we will try to create a signed release based on the steps in https://wiki.debian.org/Creating%20signed%20GitHub%20releases.

Awesome!

> The key id that will be used, at least initially, is EF76B4CDB2A6BF541985C48CE70913DF61445490, available from pool.sks-keyservers.net. I just wanted to inform you now in case you have some input?

I am new to release signing myself, so cannot spot flaws in the procedures ahead of time.

Suggestion: Make a prerelease and sign that as well. I'd be happy to package that (for Debian experimental) with signature check enabled, so that when you do the final release we check that the signature of the previous (pre)release matches that of the final one.

In any case, if signing is flawed then simply correct it for next release :-)

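A consumer-side check for the signed releases discussed in this thread, as an added example that is not part of the libsrtp project: it verifies a release tarball against its detached OpenPGP signature with gpg and additionally pins the signing key to the fingerprint quoted above, because a "good signature" alone only proves that some key in the local keyring signed the file. The `.asc` file name convention and the tarball path are assumptions, and the key is assumed to be imported already (for example from the keyserver named in the thread).

```shell
#!/bin/sh
# Added example (not libsrtp project code): verify a release tarball's
# detached OpenPGP signature and pin the signing key's fingerprint.
# The fingerprint below is the one announced in the thread; everything
# else (file names, .asc convention) is an assumption for illustration.

EXPECTED_FPR="EF76B4CDB2A6BF541985C48CE70913DF61445490"

# Normalise a fingerprint: strip spaces and a leading "0x", upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Return 0 when two fingerprints are equal after normalisation.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Read gpg --status-fd output on stdin and print the primary-key
# fingerprint from each VALIDSIG line (its last field). The signing
# subkey's fingerprint is field 3, so compare against the primary key.
validsig_primary_fpr() {
    awk '$1=="[GNUPG:]" && $2=="VALIDSIG" { print $NF }'
}

# verify_release TARBALL SIGNATURE EXPECTED_FPR
# Returns 0 only if gpg reports a valid signature AND the primary key
# fingerprint equals EXPECTED_FPR. 2 = missing input, 3 = no gpg.
verify_release() {
    tarball=$1; sig=$2; want=$3
    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 2; }
    [ -f "$sig" ] || { echo "missing signature: $sig" >&2; return 2; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 3; }
    # gpg --verify exits 0 for a valid signature from ANY known key,
    # so the fingerprint check below is what binds the release to the
    # announced key rather than to whatever happens to be in the keyring.
    status=$(gpg --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || {
        echo "bad or unverifiable signature for $tarball" >&2; return 1; }
    got=$(printf '%s\n' "$status" | validsig_primary_fpr)
    [ -n "$got" ] || { echo "gpg reported no VALIDSIG" >&2; return 1; }
    if fpr_matches "$got" "$want"; then
        echo "OK: $tarball signed by $got"; return 0
    fi
    echo "REJECT: $tarball signed by $got, expected $want" >&2
    return 1
}

# Usage (assumed file names): verify_release libsrtp-2.2.0.tar.gz libsrtp-2.2.0.tar.gz.asc "$EXPECTED_FPR"
```

Comparing the primary fingerprint of a prerelease and the final release, as suggested in the thread, is the same check run twice with the fingerprint recorded from the first run as the expected value for the second.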