Open omarismail94 opened 1 month ago
@nodejs/releasers this is your area, right?
We already sign the SHASUMS256.txt file. e.g. https://nodejs.org/download/release/v16.20.2/SHASUMS256.txt.asc
I'm using Gradle to verify the dependencies, and downloading the SHASUMS256.txt.asc
and placing it with the tar artifacts did not work. I then renamed the file to node-16.20.2-darwin-arm64.tar.gz.asc
and kept only the PGP signature, and added the full fingerprint ID of the key to the verification-metadata.xml file, but Gradle still failed to verify the dependency.
I also get the following when I run gpg:
gpg --verify node-16.20.2-darwin-arm64.tar.gz.asc
gpg: assuming signed data in '../../prebuilts/androidx/external/org/nodejs/node/16.20.2/node-16.20.2-darwin-arm64.tar.gz'
gpg: Signature made Wed 9 Aug 17:40:10 2023 BST
gpg: using RSA key 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4
gpg: BAD signature from "RafaelGSS <rafael.nunu@hotmail.com>" [expired]
@RafaelGSS was going to reupload his key (with extended expiry). However, note that that signing key had not expired at the time Node.js 16.20.2 was released (August 2023) and signed.
The checksum file is nice for manual validation; however, for automated signature checking with a tool like Gradle it does not help at all (or I haven't found a way yet). It'd be great if we could have per-platform armored files to enable automated signature verification when downloading the artifact.
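The BAD signature in the gpg output above is what you get when a clearsigned SHASUMS256.txt.asc is verified against the tarball: the signature covers the checksum list, not the tarball bytes. The following is an added example, not code from this thread or from the Node.js project, of the two-step automated check that the current release layout supports; it assumes gpg is on PATH with the release key already imported, and uses a constructed sample list and placeholder signature block in place of a real release.

```python
"""Two-step tarball check against Node's clearsigned SHASUMS256.txt.asc.

The PGP signature in that file covers the checksum list, not the tarball,
so renaming it to <tarball>.asc yields BAD signature. Automated verification
is: gpg checks the list, then the tarball's SHA-256 is matched to its entry.
"""
import hashlib
import re
import subprocess
from pathlib import Path
from typing import Optional

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"


def signed_body(asc_text: str) -> str:
    """Return the cleartext the signature in a clearsigned file actually covers."""
    lines = asc_text.splitlines()
    start, end = lines.index(BEGIN_MSG) + 1, lines.index(BEGIN_SIG)
    while start < end and lines[start].strip():  # skip armor headers (Hash: ...)
        start += 1
    # Undo dash-escaping ("- " prefix) applied inside clearsigned text (RFC 4880).
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines[start + 1:end])


def expected_sha256(body: str, filename: str) -> Optional[str]:
    """Find the SHASUMS256 entry '<hex>  <name>' for one artifact, or None."""
    for line in body.splitlines():
        m = re.fullmatch(r"([0-9a-f]{64})\s+\*?(\S+)", line)
        if m and m.group(2) == filename:
            return m.group(1)
    return None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tarball_matches_signed_list(tar_bytes: bytes, tar_name: str, asc_text: str) -> bool:
    """Step 2: the tarball is accepted only if the signed list names its exact hash."""
    return expected_sha256(signed_body(asc_text), tar_name) == sha256_hex(tar_bytes)


def verify_release_tarball(tar_path: Path, asc_path: Path) -> bool:
    """Step 1 (gpg, needs the release key in the local keyring), then step 2."""
    gpg = subprocess.run(["gpg", "--verify", str(asc_path)], capture_output=True)
    if gpg.returncode != 0:
        return False
    return tarball_matches_signed_list(tar_path.read_bytes(), tar_path.name, asc_path.read_text())


# Constructed sample: a fake tarball and a clearsigned list over it (signature block is a placeholder).
SAMPLE_TARBALL = b"constructed tarball bytes, not a real Node.js release"
SAMPLE_ASC = (
    f"{BEGIN_MSG}\nHash: SHA256\n\n"
    f"{sha256_hex(SAMPLE_TARBALL)}  node-16.20.2-darwin-arm64.tar.gz\n"
    f"- -- dash-escaped line\n{BEGIN_SIG}\n\nPLACEHOLDER_SIGNATURE\n-----END PGP SIGNATURE-----\n"
)
```

Gradle's PGP verification expects a detached signature over the artifact itself, which is why this two-step check has to run outside it until per-artifact .asc files exist.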
It should be solved now
What is the problem this feature will solve?
Right now, Node uses SHA256 checksums to verify published artifacts like tars. Signatures offer stronger security. Some packages, like Yarn, already do this: https://github.com/yarnpkg/yarn/releases/tag/v1.22.17
What is the feature you are proposing to solve the problem?
Start adding .asc signature files in index (e.g. https://nodejs.org/download/release/v16.20.2/)
What alternatives have you considered?
No response