nodejs / node

Node.js JavaScript runtime ✨🐢🚀✨
https://nodejs.org

Start adding .asc signature files for tar files to validate signature #53917

Open omarismail94 opened 1 month ago

omarismail94 commented 1 month ago

What is the problem this feature will solve?

Right now, node uses SHA256 checksums to verify published artifacts like tars. Signatures offer stronger security. Some packages already do this like Yarn: https://github.com/yarnpkg/yarn/releases/tag/v1.22.17

What is the feature you are proposing to solve the problem?

Start adding .asc signature files in index (e.g. https://nodejs.org/download/release/v16.20.2/)

What alternatives have you considered?

No response

RedYetiDev commented 1 month ago

@nodejs/releasers this is your area, right?

richardlau commented 1 month ago

We already sign the SHASUMS256.txt file. e.g. https://nodejs.org/download/release/v16.20.2/SHASUMS256.txt.asc

omarismail94 commented 1 month ago

I'm using Gradle to verify the dependencies, and downloading the SHASUMS256.txt.asc and placing it with the tar artifacts did not work. I then renamed the file to node-16.20.2-darwin-arm64.tar.gz.asc and kept only the PGP signature, and added the full fingerprint ID of the key to the verification-metadata.xml file, but Gradle still failed to verify the dependency.

I also get the following when I run gpg:

```
gpg --verify  node-16.20.2-darwin-arm64.tar.gz.asc 
gpg: assuming signed data in '../../prebuilts/androidx/external/org/nodejs/node/16.20.2/node-16.20.2-darwin-arm64.tar.gz'
gpg: Signature made Wed  9 Aug 17:40:10 2023 BST
gpg:                using RSA key 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4
gpg: BAD signature from "RafaelGSS <rafael.nunu@hotmail.com>" [expired]
```

richardlau commented 1 month ago

> I also get the following when I run gpg:
>
> ```
> gpg --verify  node-16.20.2-darwin-arm64.tar.gz.asc 
> gpg: assuming signed data in '../../prebuilts/androidx/external/org/nodejs/node/16.20.2/node-16.20.2-darwin-arm64.tar.gz'
> gpg: Signature made Wed  9 Aug 17:40:10 2023 BST
> gpg:                using RSA key 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4
> gpg: BAD signature from "RafaelGSS <rafael.nunu@hotmail.com>" [expired]
> ```

@RafaelGSS was going to reupload his key (with extended expiry). However note that that signing key had not expired at the time Node.js 16.20.2 was released (August 2023) and signed.
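The verification chain that the signed SHASUMS256.txt gives you, as an added example (not code from the Node.js project or from anyone in this thread): the signature in SHASUMS256.txt.asc covers the checksum list, not any tarball, so renaming the .asc next to a tarball yields a BAD signature regardless of key expiry. The correct order is gpg on the list, then SHA-256 of the tarball against its entry. The sample tarball bytes and checksum list below are constructed, with a placeholder signature block; `gpg_verify` assumes gpg and the release signer's key are installed.

```python
import hashlib
import re
import subprocess
from pathlib import Path

# Constructed sample (not a real release file): fake tarball bytes and a
# clear-signed-looking SHASUMS256.txt.asc whose signature block is a placeholder.
SAMPLE_TARBALL = b"not a real node-16.20.2-darwin-arm64.tar.gz\n"
SAMPLE_SHASUMS_ASC = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    f"{hashlib.sha256(SAMPLE_TARBALL).hexdigest()}  node-16.20.2-darwin-arm64.tar.gz\n"
    "-----BEGIN PGP SIGNATURE-----\n[placeholder signature]\n-----END PGP SIGNATURE-----\n"
)

_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+(\S+)$")


def parse_shasums(text: str) -> dict[str, str]:
    """Map filename -> lowercase hex digest. Armor and header lines do not match
    the '<sha256>  <name>' shape, so the clear-signed .asc parses directly."""
    digests = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            digests[m.group(2)] = m.group(1).lower()
    return digests


def digest_matches(name: str, data: bytes, shasums_text: str) -> bool:
    """Step 2: the artifact's SHA-256 must equal the list entry for its name."""
    expected = parse_shasums(shasums_text).get(name)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected


def gpg_verify(asc_path: Path) -> bool:
    """Step 1: check the clear-signed checksum list (needs gpg and the release
    signer's key in the keyring; the keys are listed in the nodejs/node README)."""
    return subprocess.run(["gpg", "--verify", str(asc_path)],
                          capture_output=True).returncode == 0


def verify_release_artifact(artifact: Path, asc_path: Path) -> bool:
    """Both steps: a good signature on the list, then a matching digest.
    Refuse the artifact if either step fails."""
    if not gpg_verify(asc_path):
        return False
    return digest_matches(artifact.name, artifact.read_bytes(), asc_path.read_text())
```

For an automated pipeline the same two steps apply: fetch the .asc, verify it with the pinned release key, and only then compare the tarball's digest against the verified list.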

omarismail94 commented 1 month ago

The checksum file is nice for manual validation; however, for automated signature checking with a tool like Gradle it does not help at all (or I haven't found a way yet). It'd be great if we could have per-platform armored files to enable automated signature verification when downloading the artifact.

RafaelGSS commented 1 month ago

It should be solved now