minio / docs

MinIO Object Storage Documentation
https://docs.min.io/minio/baremetal
Creative Commons Attribution 4.0 International

[FEATURE] Signature verification using minisign #1194

Open elchenberg opened 5 months ago

elchenberg commented 5 months ago

Is your feature request related to a problem? Please describe.

I install the MinIO client using the binary from the MinIO download page, similar to what is described here: https://min.io/docs/minio/linux/reference/minio-mc.html#quickstart

I would like to verify the signature using minisign. I found the public key in this old issue #382 and it still works.

I wonder where to check for the new official public key if it ever changes and my installation script breaks.

Describe the solution you'd like

To quote from #382:

This key should be uploaded to https://dl.min.io/ and some information about signature verification should be added to documentation.

I would be happy to do the second part of adding information about signature verification to the documentation.

Describe alternatives you've considered

Additional context

ravindk89 commented 5 months ago

Hm - @harshavardhana, @kannappanr - Do we have somewhere we stash the pubkey for verification purposes?

elchenberg commented 5 months ago

For example, I think RabbitMQ has very good documentation regarding their signing keys and how to verify the signatures: https://www.rabbitmq.com/docs/signatures

djwfyi commented 5 months ago

See https://github.com/minio/minio/pull/16857

Per that PR, the minisign pubkey is maintained here: https://github.com/minio/minio/blob/77d5331e85962f5e00459c98f16137181ba08180/cmd/update.go#L555
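
The install-and-verify workflow discussed in this thread, sketched as an added example that is not part of any comment here and is not MinIO's own code: it installs a downloaded binary only when minisign accepts it against a key pinned in the script, and it goes one step beyond the thread by comparing key ids first, so a changed signing key is reported separately from a bad signature. The names `key_id`, `verify_release`, `install_verified` and `PINNED_PUBKEY` are hypothetical, and the key value is a placeholder to be replaced with the public key from the source linked above.

```shell
#!/usr/bin/env bash
# Added example (not MinIO's code): install a downloaded binary only if its
# minisign signature verifies against a key pinned in this script.
set -u

# Placeholder: paste the base64 public key string obtained from the publisher.
PINNED_PUBKEY="${PINNED_PUBKEY:-REPLACE_WITH_PUBLISHER_MINISIGN_PUBLIC_KEY}"

# minisign keys and signatures are base64(2-byte algorithm || 8-byte key id || data).
# Print the key id as hex. It is unauthenticated, so use it for diagnostics only.
key_id() {
    printf '%s' "$1" | base64 -d 2>/dev/null | od -An -tx1 -j2 -N8 | tr -d ' \n'
}

# verify_release FILE SIGFILE: 0 = signature valid, 2 = input missing,
# 3 = minisign missing, 4 = signed by a different key, other = invalid signature.
verify_release() {
    local file="$1" sig="$2" sig_blob
    [ -f "$file" ] && [ -f "$sig" ] || { echo "missing $file or $sig" >&2; return 2; }
    command -v minisign >/dev/null 2>&1 || { echo "minisign not installed" >&2; return 3; }
    sig_blob=$(sed -n '2p' "$sig")   # line 1 is the untrusted comment
    if [ "$(key_id "$sig_blob")" != "$(key_id "$PINNED_PUBKEY")" ]; then
        echo "signature key id differs from pinned key: rotation or tampering" >&2
        return 4
    fi
    # -V verify, -P inline public key, -m signed file, -x signature file
    minisign -V -P "$PINNED_PUBKEY" -m "$file" -x "$sig" >/dev/null 2>&1
}

# install_verified FILE DEST [SIGFILE]: fail closed, never install unverified bytes.
install_verified() {
    local file="$1" dest="$2" sig="${3:-$1.minisig}" rc=0
    verify_release "$file" "$sig" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "refusing to install $file (verify_release rc=$rc)" >&2
        return 1
    fi
    install -m 0755 "$file" "$dest"
}

# Run as a script: ./verified-install.sh FILE DEST [SIGFILE]
if [ "$#" -ge 2 ]; then install_verified "$@"; fi
```
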

elchenberg commented 5 months ago

Would it be okay if I open a PR in the minio/pkger repository to add documentation on how to verify checksums and signatures of the downloaded binaries? Or should I open an issue over there to ask this question? :slightly_smiling_face:

It looks to me as if this is used to generate this page: https://min.io/download

ravindk89 commented 5 months ago

One step at a time - we're looking to see if we can get the public key placed in a well known spot.

From there we can update both the web docs and, as necessary, the Download page to discuss signature verification. It may require us first updating the website to ensure we maintain a certain flow to the page.

We appreciate your enthusiasm though :)

elchenberg commented 5 months ago

Sounds good! There is no urgency from my side. Sorry that I have been pushy (unintentionally). I just did not want to demand changes without offering my help. :slightly_smiling_face:

ravindk89 commented 5 months ago

No worries - we are deeply grateful for your engagement

ravindk89 commented 1 month ago

@harshavardhana @kannappanr ping on this, I know it's not the highest priority but it would be great to get the minisign key into dl.min.io somewhere