
Authenticate releases using the embedded verification key.

Open PiotrSikora opened this issue 3 years ago • 12 comments

Fixes #15.

Signed-off-by: Piotr Sikora [email protected]

PiotrSikora avatar Oct 29 '20 22:10 PiotrSikora

@philwo PTAL

PiotrSikora avatar Oct 29 '20 22:10 PiotrSikora

Sample output:

2020/10/29 22:54:04 Downloading https://releases.bazel.build/3.7.0/release/bazel-3.7.0-linux-x86_64...
2020/10/29 22:54:06 Signed by Bazel Developer (Bazel APT repository key) <[email protected]>

PiotrSikora avatar Oct 29 '20 22:10 PiotrSikora

Thank you @PiotrSikora! I was on vacation - will look into this PR this week!

philwo avatar Nov 09 '20 15:11 philwo

@philwo friendly ping.

PiotrSikora avatar Dec 03 '20 21:12 PiotrSikora

This looks really nice, thank you! It's great that we don't need to call gnupg to verify the signature and the code is very clean.

The only thing I'm wondering - what will happen when the embedded key expires? In the past this meant we had to extend the key and then everyone had to reimport the extended one into their GnuPG keychain (see https://groups.google.com/g/bazel-discuss/c/XzeKUSkMCDk/m/GiOj6ariEgAJ for some former discussion).

Would it mean that older Bazelisk releases will suddenly fail to fetch Bazel releases until we update the embedded key and users update to a newer version? 🤔

philwo avatar Dec 07 '20 13:12 philwo

> The only thing I'm wondering - what will happen when the embedded key expires? In the past this meant we had to extend the key and then everyone had to reimport the extended one into their GnuPG keychain (see https://groups.google.com/g/bazel-discuss/c/XzeKUSkMCDk/m/GiOj6ariEgAJ for some former discussion).
>
> Would it mean that older Bazelisk releases will suddenly fail to fetch Bazel releases until we update the embedded key and users update to a newer version? 🤔

Effectively, yes. They could always update Bazelisk to get the new key, or you could embed multiple public keys and do a rolling update, but that requires knowing the "next" key ahead of time.

A bit longer solution would be to redesign the signing infrastructure to use subkeys for signatures and rotate it periodically (see: https://www.gnupg.org/gph/en/manual/c481.html) and have the primary key without expiration date. It doesn't really serve anybody if the primary signing key is changed every year or two.

PiotrSikora avatar Dec 07 '20 20:12 PiotrSikora
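The subkey design Piotr describes above, as an added example that is not the PR's code: the PR verifies OpenPGP signatures, while this sketch uses Go's standard-library Ed25519 in place of OpenPGP and a hypothetical subkey-binding message layout. The verifier embeds only a primary key with no expiry; each release is signed by a dated subkey that the primary key has certified, so rotating the subkey never requires shipping a new Bazelisk.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// SubkeyCert binds a short-lived signing subkey to the long-lived primary key that the verifier embeds.
type SubkeyCert struct {
	Subkey   ed25519.PublicKey
	NotAfter time.Time
	Binding  []byte // primary-key signature over bindingMessage(Subkey, NotAfter)
}

// bindingMessage is the byte string the primary key certifies (hypothetical layout, not OpenPGP's).
func bindingMessage(sub ed25519.PublicKey, notAfter time.Time) []byte {
	msg := append([]byte("subkey-binding:"), sub...)
	return append(msg, notAfter.UTC().Format(time.RFC3339)...)
}
// CertifySubkey is the key holder's side: the offline primary key signs a new subkey and its expiry.
func CertifySubkey(primary ed25519.PrivateKey, sub ed25519.PublicKey, notAfter time.Time) SubkeyCert {
	return SubkeyCert{Subkey: sub, NotAfter: notAfter, Binding: ed25519.Sign(primary, bindingMessage(sub, notAfter))}
}
// VerifyRelease is the downloader's side: the subkey must be certified by the embedded primary
// key and unexpired at time now, and the release must be signed by that subkey.
func VerifyRelease(embeddedPrimary ed25519.PublicKey, cert SubkeyCert, release, sig []byte, now time.Time) error {
	if !ed25519.Verify(embeddedPrimary, bindingMessage(cert.Subkey, cert.NotAfter), cert.Binding) {
		return errors.New("subkey is not certified by the embedded primary key")
	}
	if now.After(cert.NotAfter) {
		return errors.New("signing subkey has expired: fetch a freshly certified subkey")
	}
	if !ed25519.Verify(cert.Subkey, release, sig) {
		return errors.New("release signature does not verify")
	}
	return nil
}

func main() {
	primaryPub, primaryPriv, _ := ed25519.GenerateKey(rand.Reader)
	subPub, subPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := CertifySubkey(primaryPriv, subPub, time.Now().AddDate(1, 0, 0)) // constructed: one-year subkey
	release := []byte("bazel-3.7.0-linux-x86_64 (constructed sample bytes)")
	sig := ed25519.Sign(subPriv, release)
	fmt.Println("now:", VerifyRelease(primaryPub, cert, release, sig, time.Now()))
	fmt.Println("in two years:", VerifyRelease(primaryPub, cert, release, sig, time.Now().AddDate(2, 0, 0)))
}
```

Extending a subkey's expiry without re-certifying it fails the binding check, which is the property that makes the primary key the only thing the downloader has to trust long-term.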

Thanks for the explanation!

Unfortunately we're deep in "I have no idea what I'm actually doing here, except copy & pasting various GnuPG command-lines from the internet and hope they will fix whatever is broken" territory when it comes to our code signing stuff and every time I have to extend the lifetime of the key, I just hope it doesn't break everything. 😬

I'll read up about GnuPG best practices in the next weeks, something I always wanted to do. If it's OK with you, I'd leave this PR open just a bit longer, while I figure out how we want to handle our signing key - from the code and feature side, this is very much great and ready to merge imho :) Thank you for this!

philwo avatar Dec 08 '20 12:12 philwo

Yeah, no rush.

PiotrSikora avatar Dec 08 '20 19:12 PiotrSikora

@philwo friendly ping 😄

PiotrSikora avatar Mar 06 '21 06:03 PiotrSikora

@philwo ping.

PiotrSikora avatar Dec 17 '21 00:12 PiotrSikora

As independent verification I rebased this patch against v.11.0 and it works:

2021/12/17 21:45:09 Downloading https://releases.bazel.build/4.2.2/rc1/bazel-4.2.2rc1-linux-x86_64...
2021/12/17 21:45:10 Signed by Bazel Developer (Bazel APT repository key) <[email protected]>

The only real change was getClient().Get(signatureURL) to get(signatureUrl, "").

jlisee avatar Dec 17 '21 21:12 jlisee

@philwo @fweikert could you take a look at this?

PiotrSikora avatar May 13 '22 18:05 PiotrSikora