erlang / otp

Erlang/OTP
http://erlang.org
Apache License 2.0

Sign releases #6710

Open stephencroberts opened 1 year ago

stephencroberts commented 1 year ago

Is your feature request related to a problem? Please describe.

As a best practice for automated installations, releases downloaded from the internet really should be signed and verified using the publisher's public key. HashiCorp is a great example of doing this well: https://www.hashicorp.com/security#release-archive-checksum-verification. It's not entirely unlikely to end up downloading a release and checksums from an attacker and installing a compromised package.

With HashiCorp, I include their public key file as part of the automation, which allows me to safely download releases/checksums and have confidence I have the right package, assuming that I safely retrieved their public key initially (which is hard to completely guarantee) and that their private key hasn't been compromised.

We are currently writing an authentication service in Erlang and would like to automate our Erlang installation, including upgrades to new versions, and have confidence that it hasn't been compromised.

Describe the solution you'd like

I would like for Ericsson (or someone) to sign releases and publish the corresponding signatures as well as the public key.

Describe alternatives you've considered

The best alternative available for automation is to rely on the checksums, which makes it impossible to automatically upgrade Erlang versions, as the checksums must be manually retrieved to have at least a little bit of security.

Additional context

I'm happy to help any way I can, although this is probably something I can't contribute to.

okeuday commented 1 year ago

@stephencroberts The checksum can be retrieved automatically using https://github.com/erlang/otp/releases/download/TAG/SHA256.txt where TAG is the git tag used for the release version.

stephencroberts commented 1 year ago

@okeuday For sure, but checksums unfortunately don't provide cryptographic security. If an attacker can man-in-the-middle or otherwise compromise the package being transmitted over the internet, they can calculate correct checksums as well. As far as I'm aware, signatures are the primary way to guarantee the release and checksums have not been tampered with.

Do you think it's feasible for Erlang to have a setup similar to HashiCorp's?
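The verification order requested in this thread, as an added example that is not part of the original discussion or of any Erlang/OTP tooling: authenticate the checksum list against a pinned publisher key first, and only then trust the digest inside it. It uses Ed25519 from Go's standard library as a stand-in for the OpenPGP signatures HashiCorp publishes; `VerifyRelease`, `SumLine`, the file name, and the sha256sum-style line layout are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// VerifyRelease checks sig over the checksum list with the pinned key, then the archive digest.
// Assumption: sums holds sha256sum-style "<hex digest>  <filename>" lines.
func VerifyRelease(pinned ed25519.PublicKey, sums, sig, archive []byte, name string) error {
	// Authenticity first: the list must be signed by the key shipped with the automation.
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, sums, sig) {
		return fmt.Errorf("checksum list: signature does not match pinned key")
	}
	got := sha256.Sum256(archive)
	for _, line := range strings.Split(string(sums), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 || strings.TrimPrefix(f[1], "*") != name {
			continue
		}
		want, err := hex.DecodeString(f[0])
		if err != nil || subtle.ConstantTimeCompare(want, got[:]) != 1 {
			return fmt.Errorf("%s: SHA-256 mismatch", name)
		}
		return nil
	}
	return fmt.Errorf("%s: not listed in signed checksum list", name)
}

// SumLine builds one sha256sum-style line for data (helper for the constructed sample).
func SumLine(name string, data []byte) []byte {
	d := sha256.Sum256(data)
	return []byte(hex.EncodeToString(d[:]) + "  " + name + "\n")
}

func main() {
	// Constructed sample: throwaway publisher key, hypothetical file name, fake archive.
	pub, priv, _ := ed25519.GenerateKey(nil)
	name, archive := "otp_src_EXAMPLE.tar.gz", []byte("constructed archive bytes")
	sums := SumLine(name, archive)
	sig := ed25519.Sign(priv, sums)
	fmt.Println("genuine: ", VerifyRelease(pub, sums, sig, archive, name))
	// Archive and checksum list both replaced in transit: the digest matches, the signature does not.
	evil := []byte("tampered bytes")
	fmt.Println("tampered:", VerifyRelease(pub, SumLine(name, evil), sig, evil, name))
}
```

In real automation the pinned public key is embedded or stored alongside the installer, never downloaded from the same location as the release.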