Provide Phylum public signing key for out-of-band verification

[maxrake]

Overview

Currently, the Phylum CLI binary is signed using an RSA signing key. This signature can be verified using the corresponding public key for Phylum:

$ openssl dgst -sha256 -verify signing-key.pub -signature phylum-*.zip.signature phylum-*.zip
Verified OK

However, the source of the public key (i.e., the GitHub repository) is the same as the binaries it is meant to verify. In the absence of Certificate Authorities (CAs) to confirm the signer's identity, security best practices indicate that "the public key must instead be distributed using a trusted, out-of-band mechanism."

Acceptance Criteria

• [ ] Phylum public signing key provided in an out of band channel that is also know to be controlled by Phylum

[wilfredomateo]

Hello, I'm having a hard time recreating the minisign verification. See attached error.

[cd-work]

There seems to be two issues here: One is that you're trying to verify the signature of the binary itself, while only our release artifacts (the zip files) are signed. The other is that you likely didn't download the .minisig file for those artifacts. On the releases page you should see a .minisig accompany each .zip, you need to download both and then run this command on the zip file with the .minisig in the same directory.

The documentation certainly isn't very clear on that. @kylewillmon is working on a PR to improve this.

[wilfredomateo]

Thanks. I will give that a try.

[maxrake]

@wilfredomateo! It's been a long time...glad to see you here.

PR #630 was put up today to help make the signature verification language better. Thank you for the feedback. We welcome any more that you have.

[wilfredomateo]

I'm glad to be here. Trying to learn and contribute where I can.

I took a look at the addition to quickstart.md and it is much easier to follow now. I ran the signature verification again and it works fine now. Thank you. @kylewillmon

[maxrake]

With the completion of #724, the next release of the CLI will be signed with openssl. It will also be signed with minisign, but that will be phased out over time.

This issue is still relevant because the public signing key used by openssl to verify the release artifacts is currently only hosted in the CLI GitHub repository...which is the same source as the artifacts it is meant to verify.

[kylewillmon]

This issue is still relevant because the public signing key used by openssl to verify the release artifacts is currently only hosted in the CLI GitHub repository...which is the same source as the artifacts it is meant to verify.

Issue title and description have now been edited to reflect this.