Gitea: GPG sign gitea releases on the gitea.io download page

Created on 21 Feb 2017 · 7 Comments · Source: go-gitea/gitea

  • Gitea version (or commit ref): 1.0.2
  • Git version: 2.11.0
  • Operating system: All
  • Database (use [x]):

    • [ ] PostgreSQL

    • [x] MySQL

    • [ ] SQLite

  • Can you reproduce the bug at https://try.gitea.io:

    • [ ] Yes (provide example URL)

    • [ ] No

    • [x] Not relevant

  • Log gist: NA

Description

The title says it all. Please maintain a GPG master key with the team's trusted members and sign all gitea releases with this master key to maintain a chain of trust. HTTPS on the download page is not enough, as that is vulnerable to the case where gitea.io can be compromised.

Screenshots

NA

kind/question

All 7 comments

The release process is totally automated via drone ci, so how should that work? The only manual step is the creation of the git tag.

Make drone ci build a SHA256SUMS file with the sha256sums of all the binaries produced. Ping a core developer whenever a new release happens. The core developer should do some verification and then sign the SHA256SUMS file and make a SHA256SUMS.gpg signature file. Upload those two files to the download server.
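The consumer side of the scheme proposed in this comment, as an added example (not Gitea's own tooling): verify the detached GPG signature over SHA256SUMS against a release key obtained out of band, then check every binary against the signed list and flag anything the list does not cover. File names and the keyring path are assumptions.

```python
import hashlib
import re
import subprocess
from pathlib import Path

# Added example for the SHA256SUMS + SHA256SUMS.gpg scheme proposed above; not Gitea's tooling.
# sha256sum line format: 64 hex chars, a space, then ' ' (text) or '*' (binary), then the name.
_SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def parse_sha256sums(text):
    """Return {filename: expected_hex}; any malformed line fails closed."""
    sums = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        sums[m.group(2)] = m.group(1).lower()
    return sums

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_signature(sums_path, sig_path, keyring=None):
    """gpg checks the detached signature over SHA256SUMS; the sums then cover each binary."""
    cmd = ["gpg", "--batch", "--verify"]
    if keyring:  # pin to the release key obtained out of band, not whatever is in the default keyring
        cmd += ["--no-default-keyring", "--keyring", str(keyring)]
    return subprocess.run(cmd + [str(sig_path), str(sums_path)], capture_output=True).returncode == 0

def check_release_dir(release_dir, sums_text):
    """Per-file verdict: ok / mismatch / missing, plus 'unlisted' for files the signed list omits."""
    expected = parse_sha256sums(sums_text)
    release_dir = Path(release_dir)
    report = {}
    for name, digest in expected.items():
        p = release_dir / name
        if not p.is_file():
            report[name] = "missing"
        else:
            report[name] = "ok" if sha256_of(p) == digest else "mismatch"
    for p in release_dir.iterdir():
        if p.name not in expected and p.name not in ("SHA256SUMS", "SHA256SUMS.gpg"):
            report[p.name] = "unlisted"
    return report
```

Only accept a release when verify_signature returns True and every entry in the report is "ok"; an "unlisted" binary is one the signer never vouched for.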

If you want to start somewhere let the ci itself do the gpg signing.

I don't think that the manual steps will work out well.

Why not add the gpg private key and signing to the ci itself? I think this can be done. Many projects use automated signing.

Because, in my opinion, this looks secure but can be vulnerable.

I know that manual signing is the only true chain of trust. Automatic cannot be trusted.

Go the manual signing way but only do it for stable releases. Since the number of stable releases is only going to be one or two a month, manual signing probably wouldn't be that much of a hassle.
