
[Enhancement] All releases should be signed

Open c4f3a0ce opened this issue 5 years ago • 8 comments

Since the package requires significant privileges it is only reasonable to expect that all releases will be signed, preferably using a key under control of ProtonVPN and easily verifiable.

c4f3a0ce avatar Dec 21 '19 12:12 c4f3a0ce

I don't think pip supports signatures and verification, does it?

Rafficer avatar Dec 22 '19 10:12 Rafficer

That's correct. pip doesn't provide any support for signature verification, though PyPI does support signature upload and retrieval, so it is possible to verify signatures manually.

In this case I was thinking more about signing release tags - some of the releases (v2.0.0, v2.1.0) were already signed (thanks), but it would be nice for this to be a norm. It doesn't add much overhead, but provides a bit more confidence.

c4f3a0ce avatar Dec 22 '19 22:12 c4f3a0ce

No releases are signed. The releases where you see the "verified" tag are just releases where the last commit is signed. All of my commits are signed if you check the PRs, but as soon as they get merged they aren't signed anymore (cause they are new commits then).

v2.0.0 and v2.1.0 have signed commits because I still had direct access to the master branch back then.

Rafficer avatar Dec 22 '19 22:12 Rafficer

But I guess it's best if @kaplun can say something here. I can't decide this because I don't have access to pypi anyway.

Rafficer avatar Dec 22 '19 22:12 Rafficer

Sorry, seeing this only now. Yes. This is a good point. I'll investigate how to best do this :+1:

kaplun avatar Jan 29 '20 07:01 kaplun

I am working on creating an official package for Fedora and EPEL. From a packager point-of-view, it is possible to verify GPG signatures during RPM package build time. If a signature was attached to each release, I could integrate a GPG verification into the RPM package spec.

justjwheelin avatar Mar 03 '20 21:03 justjwheelin

PGP signatures would be amazing with this package. With the Arch AUR, where we install without using pip, we can also configure the PKGBUILD to automatically verify signatures.

exprez135 avatar Apr 28 '20 17:04 exprez135
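As an added illustration of the RPM-side and AUR-side verification the two comments above describe (not code from this thread or from the project), this is the source-verification fragment a Fedora/EPEL spec would carry if upstream published a detached PGP signature for each release tarball, following the Fedora packaging guidelines' `%{gpgverify}` pattern; the package name, the release-asset URLs and the key file name are assumptions:

```spec
# Added example, not from the project. Assumptions: upstream uploads a
# release tarball plus a detached .asc as release assets, and the packager
# has exported the upstream signing key into the package as a minimal
# keyring:  gpg2 --export --export-options export-minimal <FINGERPRINT> \
#              > gpgkey-<FINGERPRINT>.gpg
# Name and URL below are assumed, not taken from the Fedora package.
Name:           protonvpn-cli
Version:        2.2.6
Release:        1%{?dist}
Summary:        Linux command-line client for ProtonVPN
License:        GPLv3
URL:            https://github.com/ProtonVPN/linux-cli-community

# Source0 must be the exact bytes the maintainer signed, i.e. the uploaded
# release asset, not GitHub's auto-generated archive (those are not
# byte-stable, so a signature over them would not verify reliably).
Source0:        %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz
# Source1: detached signature over Source0 (assumed path).
Source1:        %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz.asc
# Source2: pinned upstream public key shipped inside the SRPM, so the build
# trusts only this key and not whatever is on a keyserver at build time.
Source2:        gpgkey-FINGERPRINT-PLACEHOLDER.gpg

BuildRequires:  gnupg2
BuildRequires:  python3-devel
BuildArch:      noarch

%description
Assumed description for the example package.

%prep
# %{gpgverify} (from redhat-rpm-config) runs gpgv against the pinned keyring
# and aborts the build on any mismatch, so a tampered tarball never reaches
# %autosetup. Pass the key file, not a keyserver lookup.
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup -n %{name}-%{version}
```

The same pinning is expressed in an Arch PKGBUILD by listing the `.asc` in `source=()` and the key fingerprint in `validpgpkeys=()`, after which `makepkg` refuses to build if the signature does not verify.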

v2.2.4 is packaged in Fedora and EPEL already. v2.2.6 is on the way soon. The Fedora packages are signed with PGP signatures using Fedora's official package keys, verifying that the package is built from the original source code blobs cloned from this GitHub repository.

Some progress to involve ProtonVPN in Fedora package administration along with me is here: https://bugzilla.redhat.com/show_bug.cgi?id=1929202

justjwheelin avatar Feb 16 '21 13:02 justjwheelin