laurentj / slimerjs

A scriptable browser like PhantomJS, based on Firefox
http://slimerjs.org

Signature should be a plain detached signature #487

Closed graingert closed 6 years ago

graingert commented 8 years ago

Currently it's not possible to check the signature of slimerjs.

It should be possible to do:

```dockerfile
ENV GPG_KEYS 7D8D8DF97FC557D9F287B1A6FB076108DBC76C05
ENV SLIMER_VERSION 0.13.11
RUN curl -fSL https://download.slimerjs.org/releases/$SLIMER_VERSION/slimerjs-$SLIMER_VERSION.zip -o slimerjs.zip \
            https://download.slimerjs.org/releases/$SLIMER_VERSION/slimerjs-$SLIMER_VERSION.zip.asc -o slimerjs.zip.asc \
    && export GNUPGHOME="$(mktemp -d)" \
    && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$GPG_KEYS" \
    && gpg --batch --verify slimerjs.zip.asc slimerjs.zip \
    && rm -r "$GNUPGHOME" slimerjs.zip.asc \
    && unzip slimerjs.zip -d /root/ \
    && rm slimerjs.zip
```

However the .asc file is not a detached signature, and the key DBC76C05 has not been uploaded to a keyserver. I found it on your website, and uploaded it to pgp.mit.edu.

graingert commented 8 years ago

@laurentj you can create slimerjs-$SLIMER_VERSION.zip.sha1 and slimerjs-$SLIMER_VERSION.zip.sha1.asc files if you want people to be able to verify just the checksum.

laurentj commented 8 years ago

What should these files contain? Do you mean ".sha1" or "slimerjs.zip.sha1"?

graingert commented 8 years ago

Out of interest, how does your CI work? Can you run on Travis?

laurentj commented 8 years ago

> slimerjs-$SLIMER_VERSION.zip.sha1.asc files if you want people to be able to verify just the checksum

Well, they can already verify the checksum. What's wrong with the method I give on this page? (Except the key, which was not uploaded to pgp.mit.edu; thank you :-))

Note: I don't know all the possibilities of gpg very well.

> out of interest, how does your CI work?

I have a Strider CD instance that runs simple bash scripts. One of them launches buildpackage.sh and then runs sha256sum on the zip. Note that my CI doesn't run unit tests (yes, this is bad, but I need to upgrade my server in order to run them in a secure way, in a docker container for instance...).

> Can you run on travis?

It is not acceptable for me to build packages on Travis and to download them (with signatures) to my server: I don't want to give ssh access on my server to an external service to allow it to push packages. The only thing I could accept with Travis is to run unit tests. But I haven't found time yet to configure a Travis script (contributions are welcome ;-)).

graingert commented 8 years ago

I just don't see the point in using shasum for only one file; it adds an extra layer of indirection. It would make sense if you were distributing multiple files, on the other hand.

graingert commented 8 years ago

> It is not acceptable for me to build packages on Travis and to download them (with signatures) to my server: I don't want to give ssh access on my server to an external service to allow it to push packages. The only thing I could accept with Travis is to run unit tests. But I haven't found time yet to configure a Travis script (contributions are welcome ;-)).

Of course, I don't expect you to sign them on Travis! I just want to know what you run to generate the signatures etc.

laurentj commented 6 years ago

For the next releases, some .sha256 files will be generated containing only the sha256 sum...
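Two checks from this thread are worth having in code on the consumer side: telling a detached signature apart from an inline or cleartext-signed `.asc` (the problem in the opening comment), and verifying a release archive against a `.sha256` file of the kind announced in the last comment before handing the detached signature to `gpg --batch --verify`. The example below is added here and is not slimerjs project code; the archive bytes, the `.sha256` line and the armor samples are constructed stand-ins, the file name is taken from the thread, and the `gpg` wrapper assumes a `gpg` binary on `PATH` plus a throwaway `GNUPGHOME` that already holds the trusted release key.

```python
"""Added example (not slimerjs project code): consumer-side checks for a
release archive shipped with a .sha256 file and a detached .asc signature."""
import hashlib
import hmac
import os
import re
import shutil
import subprocess

# ASCII-armor header lines from RFC 4880 (sections 6.2 and 7).  A detached
# signature as produced by `gpg --armor --detach-sign` starts with the
# SIGNATURE header; the other kinds are what `gpg --verify sig data` will
# not treat as a signature *over* `data`.
ARMOR_KINDS = {
    "-----BEGIN PGP SIGNATURE-----": "detached-signature",
    "-----BEGIN PGP SIGNED MESSAGE-----": "cleartext-signed",
    "-----BEGIN PGP MESSAGE-----": "message",  # inline-signed or encrypted
    "-----BEGIN PGP PUBLIC KEY BLOCK-----": "public-key",
}


def classify_armor(text):
    """Return the kind of OpenPGP armor block `text` starts with, or None."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            return ARMOR_KINDS.get(line)
    return None


def is_detached_signature(asc_text):
    """True only for an armor block that gpg --verify can apply to a data file."""
    return classify_armor(asc_text) == "detached-signature"


# sha256sum(1) output: 64 hex digits, whitespace, optional '*' (binary mode), name.
SHA256_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_sha256sum(text):
    """Parse sha256sum-style lines into {file name: lowercase hex digest}."""
    digests = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = SHA256_LINE.match(line)
        if match is None:
            raise ValueError(f"malformed sha256sum line: {line!r}")
        digests[match.group(2)] = match.group(1).lower()
    return digests


def verify_sha256(data, expected_hex):
    """Compare sha256(data) with the published digest in constant time."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def verify_release(archive_name, archive_bytes, sha256_text):
    """Check that the archive matches its entry in the .sha256 file."""
    digests = parse_sha256sum(sha256_text)
    if archive_name not in digests:
        raise ValueError(f"{archive_name} is not listed in the .sha256 file")
    return verify_sha256(archive_bytes, digests[archive_name])


def gpg_verify_detached(sig_path, data_path, gnupghome):
    """Run `gpg --batch --verify SIG DATA` against an isolated keyring.

    Assumed environment: gpg on PATH and the release key already imported
    into `gnupghome`.  Returns True on exit status 0.  Not exercised by the
    checks below because it needs a real gpg and a trusted key."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not found on PATH")
    env = {"GNUPGHOME": str(gnupghome), "PATH": os.environ.get("PATH", "")}
    proc = subprocess.run([gpg, "--batch", "--verify", str(sig_path), str(data_path)],
                          env=env, capture_output=True, text=True)
    return proc.returncode == 0


# Constructed sample data (not real release content or real signatures).
ARCHIVE_NAME = "slimerjs-0.13.11.zip"
SAMPLE_ARCHIVE = b"constructed stand-in for the release zip\n"
SAMPLE_SHA256_FILE = hashlib.sha256(SAMPLE_ARCHIVE).hexdigest() + "  " + ARCHIVE_NAME + "\n"
DETACHED_SAMPLE = "-----BEGIN PGP SIGNATURE-----\n\nnotARealSignature=\n-----END PGP SIGNATURE-----\n"
CLEARTEXT_SAMPLE = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nhello\n"

if __name__ == "__main__":
    print("archive matches .sha256:", verify_release(ARCHIVE_NAME, SAMPLE_ARCHIVE, SAMPLE_SHA256_FILE))
    print(".asc kind:", classify_armor(DETACHED_SAMPLE))
```

The armor check is a cheap pre-flight that turns "gpg: no valid OpenPGP data found" style failures into a clear message before any network or keyring work; the checksum check deliberately uses `hmac.compare_digest` and fails closed when the archive name is missing from the list.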