gravitee-io / issues

Gravitee.io - API Platform - Issues

[build/release] Add signature to the distributed binaries #2524

Open blackillzone opened 5 years ago

blackillzone commented 5 years ago

Hello Gravitee Team,

In order to ensure trust, even more so in automatic release/building (for Docker mainly), it would be nice if the distributed packages under https://download.gravitee.io/graviteeio-apim/distributions/ were distributed with a PGP signature (or any other relevant signing mechanism).

This way, it will be possible to add origin verification with a public key (and be sure that the package comes from your build factory, and not from somewhere else).

Lots of FOSS projects already add an .asc file to their releases, for example:
- MongoDB: https://www.mongodb.org/dl/linux/x86_64-ubuntu1604
- Elastic: https://www.elastic.co/downloads/elasticsearch

What do you think about this? Can it be something added to your build process?

Thank you!

aelamrani commented 5 years ago

Hi @blackillzone

Are the md5/sha1 files not sufficient to make such control?

blackillzone commented 5 years ago

Hello,

Hash control is good to verify integrity (and be sure that the downloaded archive is not corrupted, for example).

But a PGP signature will add a validation of the origin of the package, and that it has been built by Gravitee.

Let's assume that your distribution server is Apache or Nginx, and that a 0-day comes out. With only sha1/md5, everyone can generate them, and then use this zero-day to replace your packages and distribute a modified one, which contains malicious code.

With a PGP signature, an attacker needs access to your build system (which I assume is far less exposed than your distribution server) in order to sign the package with your key. It's far more difficult to accomplish.

I don't know if I'm explaining it well, but adding a PGP signature will assure us that the package comes from the Gravitee build system, and not from somewhere else, and prevents automatic builds from deploying unsigned packages and potentially malicious code.
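The scenario above, played out as an added example (this is not Gravitee's release tooling and nothing here is a real Gravitee release): a consumer-side check that verifies both the published `.sha1` and a detached PGP `.asc` signature, followed by a simulation in which a "build system" key signs a constructed archive and an attacker who can only write to the download server swaps the archive and regenerates its checksum. It assumes `gpg` (2.1 or later) and `sha1sum` are installed, that the checksum and signature sit next to the archive as `<archive>.sha1` and `<archive>.asc`, and that the consumer obtained the publisher's public key out of band rather than from the download server. The archive name, key identity and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Gravitee's own release tooling. Verifies a release
# archive by checksum AND detached PGP signature, then shows why only the
# signature survives a compromised download server.
# Assumed layout: <archive>, <archive>.sha1 and <archive>.asc side by side.
set -eu

# Integrity only. Whoever can replace the archive on the server can also
# rewrite the .sha1 file, so a match proves the download is not corrupted,
# nothing more.
check_sha1() {
    expected=$(awk '{print $1}' "$1.sha1")
    actual=$(sha1sum "$1" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# Origin. Verifies the detached signature against a GNUPGHOME that holds
# only the publisher's public key, obtained out of band (never from the same
# server as the archive). Exit status 0 means the signature is good.
check_signature() {
    GNUPGHOME=$2 gpg --batch --verify "$1.asc" "$1" >/dev/null 2>&1
}

# What a download script should run: both checks must pass.
verify_release() {
    check_sha1 "$1" && check_signature "$1" "$2"
}

# Simulation of the thread's scenario with throw-away keys. Returns 0 when
# the outcome matches the comment: the genuine release verifies, the swapped
# release still passes the checksum check but fails the signature check.
scenario() {
    work=$(mktemp -d)
    builder=$work/builder; consumer=$work/consumer
    mkdir -m 700 "$builder" "$consumer"
    archive=$work/graviteeio-full-example.zip   # constructed name and contents
    printf 'genuine release contents\n' > "$archive"

    # Build system: generate a signing key, sign the archive, publish checksum.
    GNUPGHOME=$builder gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Example Build Bot <build@example.invalid>' \
        default default never >/dev/null 2>&1
    GNUPGHOME=$builder gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$archive.asc" "$archive"
    sha1sum "$archive" > "$archive.sha1"

    # Consumer: import only the public key, as if fetched out of band.
    GNUPGHOME=$builder gpg --batch --export --armor build@example.invalid > "$work/pub.asc"
    GNUPGHOME=$consumer gpg --batch --import "$work/pub.asc" >/dev/null 2>&1

    # The genuine release passes both checks.
    verify_release "$archive" "$consumer" || return 1

    # Attacker with write access to the download server only: replace the
    # archive and regenerate the checksum file (trivial, no secret needed).
    printf 'modified release contents\n' > "$archive"
    sha1sum "$archive" > "$archive.sha1"

    check_sha1 "$archive" || return 1                             # hash check is fooled
    if check_signature "$archive" "$consumer"; then return 1; fi  # signature is not
    rm -rf "$work"
    return 0
}

if scenario; then
    echo "checksum fooled, signature rejected: as described"
else
    echo "unexpected outcome (is gpg 2.1+ installed?)" >&2
    exit 1
fi
```

In a real download script the public key would be pinned in the script or in a keyring shipped with the consumer's tooling, and `gpg --verify` would additionally be checked for the expected key fingerprint; the thread's point is the part the simulation makes visible, namely that the `.sha1` file is reproducible by anyone holding the archive while the `.asc` file is not.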