Open elchenberg opened 5 months ago
Hm - @harshavardhana, @kannappanr - Do we have somewhere we stash the pubkey for verification purposes?
For example, I think RabbitMQ has very good documentation regarding their signing keys and how to verify the signatures: https://www.rabbitmq.com/docs/signatures
See https://github.com/minio/minio/pull/16857
Per that PR, the minisign pubkey is maintained here: https://github.com/minio/minio/blob/77d5331e85962f5e00459c98f16137181ba08180/cmd/update.go#L555
Would it be okay if I open a PR in the minio/pkger repository to add documentation on how to verify checksums and signatures of the downloaded binaries? Or should I open an issue over there to ask this question? :slightly_smiling_face:
It looks to me as if this is used to generate this page: https://min.io/download
One step at a time - we're looking to see if we can get the public key placed in a well-known spot.
From there we can update both the web docs and, as necessary, the Download page to discuss signature verification. It may require us first updating the website to ensure we maintain a certain flow to the page.
We appreciate your enthusiasm though :)
Sounds good! There is no urgency from my side. Sorry that I have been pushy (unintentionally). I just did not want to demand changes without offering my help. :slightly_smiling_face:
No worries - we are deeply grateful for your engagement
@harshavardhana @kannappanr ping on this, I know it's not the highest priority but it would be great to get the minisign key into dl.min.io somewhere
Is your feature request related to a problem? Please describe.
I install the MinIO client using the binary from the MinIO download page, similar to what is described here: https://min.io/docs/minio/linux/reference/minio-mc.html#quickstart
I would like to verify the signature using minisign. I found the public key in this old issue #382 and it still works. I wonder where to check for the new official public key if it ever changes and my installation script breaks.
Describe the solution you'd like
To quote from #382:
I would be happy to do the second part of adding information about signature verification to the documentation.
Describe alternatives you've considered
Additional context