evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0

[Feature Request] Provide description on how the final releases are being packaged #830

Closed user431246 closed 1 year ago

user431246 commented 1 year ago

As of now, I cannot find any good explanation of how the final releases are being packaged (RPM etc.). I can see that .spec files are provided, but there is no clear indication whether these are built using GitHub's infrastructure, or locally and then uploaded.

gustavo-iniguez-goya commented 1 year ago

Hello,

GitHub releases are built on my machine and signed with my GPG key. eBPF modules are compiled on GitHub; there's a public link where you can see the compilation log.

The GitHub releases not only include the .spec files, but the log of each build, and a readme.txt with the checksums signed with my GPG key.

user431246 commented 1 year ago

Thank you for your reply.

Would you consider moving the building process over to GitHub? It would help in increasing the transparency/security.

gustavo-iniguez-goya commented 1 year ago

A while ago I created a GitHub Action on a private repo to test, build and publish deb packages, but I ran out of space after a few builds, so while it's already done, I think it won't be usable. Unless I restrict the builds to, let's say, 4-5 builds.

Another option would be to compile the packages on GitHub, and reupload them to each release. That way I think it wouldn't count as used disk space. But would anyone complain that I downloaded/reuploaded the packages? (No idea if it can be automated from a GitHub Action.)

Anyway, the best option is to work with your distribution to get opensnitch added to their repositories, as we've already done with Debian, Arch, and other distros.

vbooka1 commented 1 year ago

Hello, where could I find your PGP key? The corresponding issue is deleted:

(update 16/12/2022: rpm packages reuploaded. Signed with gpg key - https://github.com/evilsocket/opensnitch/issues/776)

https://github.com/evilsocket/opensnitch/issues/776 returns 404 Page not found

vbooka1 commented 1 year ago

gpg --keyserver pgp.rediris.es --recv-keys BCF6BE9C returns two different keys: 0x8AC7430FBCF6BE9C and 0x47F14912BCF6BE9C

Is it a keyjacking attack?

gpg-recv-keys

gustavo-iniguez-goya commented 1 year ago

I doubt it @vbooka1, I'm not that important (yet ;) )

See that it was added back in 2014: http://pgp.rediris.es/pks/lookup?search=0xBCF6BE9C&op=vindex

Here it is listed as revoked: https://pgp.mit.edu/pks/lookup?search=0x8AC7430FBCF6BE9C&op=index

Probably I didn't update it on rediris.
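The two problems surfaced in this thread (a 32-bit short key ID such as BCF6BE9C resolving to two different keys, and one of those keys being revoked on another keyserver) are both caught by pinning the full 40-hex-digit fingerprint and checking the key's validity flag before trusting a signed readme.txt. The following is an added example, not code from the opensnitch project or from anyone in this thread: it parses the machine-readable `gpg --with-colons --list-keys` output, reports short-ID collisions, and accepts a pinned key only if it is present by full fingerprint and neither revoked nor expired. The keyring listing is constructed; only the two long key IDs come from the thread, and the fingerprint prefixes are zero-filled placeholders rather than the real keys' fingerprints.

```python
"""Pin a release-signing GPG key by full fingerprint, not by short key ID.

Input format is the colon-separated listing produced by
`gpg --with-colons --list-keys` (documented in GnuPG's doc/DETAILS):
  pub record: field 2 = validity ('r' revoked, 'e' expired, ...), field 5 = long key ID
  fpr record: field 10 = full fingerprint of the preceding pub/sub record
"""
from dataclasses import dataclass


@dataclass
class Key:
    keyid: str              # 16-hex-digit long key ID
    validity: str           # 'r' = revoked, 'e' = expired, 'f'/'u' = valid, '-' = unknown
    fingerprint: str = ""   # 40-hex-digit v4 fingerprint, filled from the fpr record


# Constructed listing: two keys whose long IDs (from the thread) share the
# short ID BCF6BE9C, one of them revoked, plus one unrelated valid key.
# The 24 leading zeros are placeholders, not the real fingerprints.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:r:4096:1:8AC7430FBCF6BE9C:1400000000:::-:::sc::::::23::0:
fpr:::::::::0000000000000000000000008AC7430FBCF6BE9C:
uid:r::::1400000000::AAAA::Example Maintainer (constructed) <maint@example.invalid>::::::::::0:
sub:r:4096:1:1234567890ABCDEF:1400000000::::::e::::::23:
fpr:::::::::0000000000000000000000001234567890ABCDEF:
pub:-:4096:1:47F14912BCF6BE9C:1600000000:::-:::scESC::::::23::0:
fpr:::::::::00000000000000000000000047F14912BCF6BE9C:
uid:-::::1600000000::BBBB::Other Maintainer (constructed) <other@example.invalid>::::::::::0:
pub:f:4096:1:1111222233334444:1650000000:::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000001111222233334444:
uid:f::::1650000000::CCCC::Unrelated Key (constructed) <third@example.invalid>::::::::::0:
"""


def parse_colons(listing: str) -> list[Key]:
    """Return one Key per primary key; subkey fpr records are ignored."""
    keys: list[Key] = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            keys.append(Key(keyid=fields[4].upper(), validity=fields[1]))
        elif fields[0] == "fpr" and keys and not keys[-1].fingerprint and len(fields) > 9:
            # First fpr after a pub record belongs to that primary key.
            keys[-1].fingerprint = fields[9].upper()
    return keys


def short_id(key_id_or_fpr: str) -> str:
    """The 32-bit short ID is just the last 8 hex digits; many keys share one."""
    return key_id_or_fpr[-8:].upper()


def short_id_collisions(keys: list[Key]) -> dict[str, list[str]]:
    """Map each ambiguous short ID to the long IDs that collide on it."""
    by_short: dict[str, list[str]] = {}
    for k in keys:
        by_short.setdefault(short_id(k.keyid), []).append(k.keyid)
    return {s: ids for s, ids in by_short.items() if len(ids) > 1}


def pinned_key_status(keys: list[Key], expected_fpr: str) -> str:
    """Decide whether the pinned signing key may be used to verify a release."""
    expected = expected_fpr.replace(" ", "").upper()
    if len(expected) != 40:
        return "reject: pin must be a full 40-hex-digit fingerprint"
    matches = [k for k in keys if k.fingerprint == expected]
    if not matches:
        # A short-ID match is *not* a match: report it so the operator sees the ambiguity.
        near = [k.keyid for k in keys if short_id(k.keyid) == short_id(expected)]
        if near:
            return f"reject: no key with pinned fingerprint; short ID {short_id(expected)} matches unrelated keys {near}"
        return "reject: pinned key not in keyring"
    key = matches[0]
    if key.validity == "r":
        return "reject: pinned key is revoked"
    if key.validity == "e":
        return "reject: pinned key is expired"
    return f"ok: {key.keyid}"


if __name__ == "__main__":
    ks = parse_colons(SAMPLE_LISTING)
    print("short-ID collisions:", short_id_collisions(ks))
    for fpr in ("0" * 24 + "8AC7430FBCF6BE9C", "0" * 24 + "47F14912BCF6BE9C", "BCF6BE9C"):
        print(fpr, "->", pinned_key_status(ks, fpr))
```

In practice the listing comes from `gpg --with-colons --list-keys` on the machine doing the verification, and the pin is the full fingerprint obtained out of band (the project's own release notes or the maintainer's announcement), never a short ID copied from a keyserver search. `gpg --recv-keys` also accepts a full fingerprint, which avoids the multi-key download seen in the thread.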