Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GPG signature / checksums for released artifacts should be provided. #2867

Open
bahner opened this issue Sep 29, 2024 · 2 comments
Open

GPG signature / checksums for released artifacts should be provided. #2867

bahner opened this issue Sep 29, 2024 · 2 comments
Labels
need/author-input Needs input from the original author need/triage Needs initial labeling and prioritization

Comments

@bahner
Copy link

bahner commented Sep 29, 2024

Hepp!

I have no way of verifying that that the released artifacts, eg. ipfs-desktop-0.38.0-linux-amd64.deb is actually provided by you. At the very least the checksums should be provided and the list of checksums should be signed.

Preferably the artfacts should be properly signed when possible :-)
@bahner bahner added the need/triage Needs initial labeling and prioritization label Sep 29, 2024
@welcome Welcome
Copy link

welcome bot commented Sep 29, 2024

Thank you for submitting your first issue to this repository! A maintainer will be here shortly to triage and review.
In the meantime, please double-check that you have provided all the necessary information to make this process easy! Any information that can help save additional round trips is useful! We are triaging issues on weekly basis and aim to give initial feedback within a few business days. If this does not happen, feel free to leave a comment.
Please keep an eye on how this issue will be labeled, as labels give an overview of priorities, assignments and additional actions requested by the maintainers:

  • "Priority" labels will show how urgent this is for the team.
  • "Status" labels will show if this is ready to be worked on, blocked, or in progress.
  • "Need" labels will indicate if additional input or analysis is required.

Finally, remember to use https://discuss.ipfs.tech if you just need general support.

@lidel
Copy link
Member

lidel commented Oct 16, 2024
edited
Loading

@bahner why you need checksums? what is the threat model you are protecting yourself against?

Right now, the release artifacts are built by GitHub CI and then attached to GitHub Release without a human intervention.
Checksums would be generated and hosted in the same place, making no difference to your security profile.

With this status quo, release tag is created by CI job, so dev can't sign it. Also, if you dont trust prebuilt binaries from github.com, you should checkout code, audit it, and build it yourself.

Of course nothing is set in stone: we are open to suggestions how this state could be improved, but we need to be sure there is an actual value added to end users, and we don't introduce maintenance costs without real world benefit.

@lidel lidel added the need/author-input Needs input from the original author label Oct 16, 2024
@lidel lidel mentioned this issue Oct 17, 2024
Closed
@lidel lidel changed the title Checksums for released artifacts should be provided. GPG signature / checksums for released artifacts should be provided. Oct 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
need/author-input Needs input from the original author need/triage Needs initial labeling and prioritization
Projects
No open projects
IPFS-GUI (PL EngRes)
Status: No status
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lidel @bahner