rnpgp / rnp

RNP: high performance C++ OpenPGP library used by Mozilla Thunderbird
https://www.rnpgp.org

Implement & document integrity check procedures for RNP releases #1513

Closed antonsviridenko closed 1 year ago

antonsviridenko commented 3 years ago

Description

I've just realized that RNP does not have digital signatures and checksums published with each release. It is a standard and expected thing for every software project, especially security related.

This one can be used as a reference. https://gnupg.org/download/integrity_check.html

Expected Behavior

Each source archive should be accompanied by a digital signature published in the same place. The download page should display links to release archives, signature files and checksums (SHA256 or other). Public keys that are used to sign releases should be published somewhere (rnpgp.org, inside source files, release announcements in mailing lists, etc.).

Also it would be nice for release tag commits to be also digitally signed.

Actual Behavior

Now there are no ways to be sure if source archives downloaded from https://github.com/rnpgp/rnp/releases are authentic.

ronaldtse commented 3 years ago

Fully agree @antonsviridenko , do you have time to take this on?

antonsviridenko commented 3 years ago

@ronaldtse now if I understand correctly, source archives are not compressed and uploaded explicitly by you or @ni4, they are generated automatically by GitHub, am I right?

ni4 commented 3 years ago

@antonsviridenko Yep, those are created automatically once a version tag is pushed to GitHub. On the releases page we can edit the tag to fill it up with data, attach files and so on. So possible ways would be to include the checksum in the message, and upload signatures for both tar.gz/zip.

antonsviridenko commented 3 years ago

So first we need to generate release signing keys and publish them on a web page. Either someone responsible for releases should do that or everyone on the team uses their keys so releases will have multiple signatures.
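The check a downloader would run against the release layout discussed above (a SHA256 checksum published with the release, plus a detached OpenPGP signature on the tar.gz/zip, verified against the published release key), as an added example that is not part of the rnp project or of either comment. The archive name, version placeholder and checksum file contents are constructed here; the dedicated keyring path and the use of gpg for the signature step are assumptions.

```shell
#!/bin/sh
# Added example (not rnp project code): verify a downloaded release archive
# against a published SHA256 checksum file and a detached OpenPGP signature.
# Assumes GNU coreutils sha256sum (falls back to shasum -a 256) and, for the
# signature step only, a gpg binary plus a keyring holding the release key.
set -u

# sha256_of FILE -> prints the hex SHA-256 digest of FILE
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum ARCHIVE SUMSFILE -> 0 when ARCHIVE's digest matches its entry
# in SUMSFILE (lines of the form "<hex>  <filename>", optional leading '*' for
# binary mode), 1 on a mismatch or when the archive has no entry at all.
verify_checksum() {
  archive=$1; sums=$2
  name=$(basename "$archive")
  expected=$(awk -v n="$name" '{ sub(/^\*/, "", $2) } $2 == n { print $1 }' "$sums")
  [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 1; }
  actual=$(sha256_of "$archive")
  if [ "$actual" = "$expected" ]; then
    echo "checksum OK: $name"; return 0
  else
    echo "checksum MISMATCH: $name" >&2; return 1
  fi
}

# verify_signature ARCHIVE SIGFILE KEYRING -> gpg's exit status. A dedicated
# keyring holding only the published release key is used so that an unrelated
# key in the user's default keyring cannot vouch for the release. (Not exercised
# by the demo below, since it needs gpg and the project's real key.)
verify_signature() {
  archive=$1; sig=$2; keyring=$3   # keyring path is an assumption, e.g. ./rnp-release.kbx
  gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$archive"
}

# demo -> 0 when a constructed archive passes the checksum check and a
# tampered copy of it fails; 1 otherwise.
demo() {
  tmp=$(mktemp -d)
  name="rnp-vX.Y.Z.tar.gz"                       # constructed placeholder version
  printf 'constructed sample archive contents\n' > "$tmp/$name"
  printf '%s  %s\n' "$(sha256_of "$tmp/$name")" "$name" > "$tmp/SHA256SUMS"
  verify_checksum "$tmp/$name" "$tmp/SHA256SUMS" || { rm -rf "$tmp"; return 1; }
  printf 'tampered\n' >> "$tmp/$name"            # simulate a modified download
  if verify_checksum "$tmp/$name" "$tmp/SHA256SUMS" 2>/dev/null; then
    rm -rf "$tmp"; return 1
  fi
  rm -rf "$tmp"
  return 0
}

demo
```

The checksum file guards only against corrupted or truncated downloads; since it is served from the same place as the archive, an attacker who can replace one can replace both, which is why the detached signature and an out-of-band copy of the release key are the part that actually establishes authenticity.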

ni4 commented 1 year ago

Closing this as release signing process is already formalized/keys are published.