
Consider signing releases

Open ottok opened this issue 11 months ago • 4 comments

Thanks for maintaining gitlab-ci-local!

This project uses rich releases at https://github.com/firecow/gitlab-ci-local/releases. Could you please consider also offering signatures alongside the tar.gz and other artifacts in your releases?

It is good practice in open source projects to publish cryptographic signatures alongside the tarball source releases, so that e.g. Linux distributions and other downstreams can use OpenPGP to verify the authenticity of the imported release.

This is not a hard requirement, just nice to have. Managing OpenPGP keys securely requires some effort. A good guide on the topic can be found at https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md/

ottok avatar Jan 05 '25 09:01 ottok

Please provide a code block that signs and creates the right stuff in https://github.com/firecow/gitlab-ci-local/blob/master/publish-deb.

I already have a PGP key that I use to publish to the Debian repository.

firecow avatar Jan 05 '25 10:01 firecow

The publish-deb seems to be only about generating Debian packages, and the script seems correct.

Currently, the assets your GitHub releases announce are:

Where are these generated?

If I were to generate these myself manually, I would use the commands:

$ curl -LO https://github.com/firecow/gitlab-ci-local/archive/refs/tags/4.56.2.tar.gz
$ gpg -b --armor 4.56.2.tar.gz
gpg: using "CEE8DA88" as default secret key for signing
$ head 4.56.2.tar.gz.asc
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEmbRSsR88dMO0U+RvvthEn87o2ogFAmd69aAACgkQvthEn87o
2oinKA/+Jwn0BvmI8rnZfL5wab7CjLkchV1qr1wafOn+Ji/CrXDgiUILsTnWNZ/i
...

...but of course I can't reliably verify that curl gave me the authentic sources.

ottok avatar Jan 05 '25 21:01 ottok

Ah, the gz files are generated here https://github.com/firecow/gitlab-ci-local/blob/master/package.json#L12

firecow avatar Jan 06 '25 08:01 firecow

Those lines look like they create the binaries. I guess the source .tar.gz is directly generated from GitHub. Maybe one can run locally git archive --format=tar.gz 4.56.2 --output 4.56.2.tar.gz; gpg -b --armor 4.56.2.tar.gz (not tested, just guessing).

ottok avatar Jan 07 '25 04:01 ottok
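One way to produce the tarball and the detached signatures discussed above, and to check them the way a downstream would, as an added example that is not part of this thread or of the gitlab-ci-local project. It assumes GnuPG 2.1+ and git are installed and that KEY names a signing key already in the keyring.

```shell
#!/bin/sh
# Added example (not from the gitlab-ci-local project): build the source
# tarball from a git tag, sign every release asset with a detached
# ASCII-armored OpenPGP signature, and verify it the way a downstream would.
# Assumed: gpg (GnuPG 2.1+) and git are installed; KEY is a signing key
# already present in the keyring (e.g. the one used for the Debian repo).
set -eu

# Reproducible source tarball straight from the tag, so the signed bytes do
# not depend on whatever GitHub's on-the-fly archive endpoint produced.
make_source_tarball() {          # make_source_tarball TAG OUTFILE
  git archive --format=tar.gz --prefix="gitlab-ci-local-$1/" --output "$2" "$1"
}

# One detached signature (ASSET.asc) per asset: the asset itself stays
# byte-identical and consumers verify without unwrapping a signed container.
sign_assets() {                  # sign_assets KEY ASSET...
  key=$1; shift
  for asset in "$@"; do
    gpg --batch --yes --local-user "$key" --detach-sign --armor \
        --output "$asset.asc" "$asset"
  done
}

# Downstream check: returns 0 only if the signature matches the asset bytes
# exactly and was made by a key in the verifier's keyring; any tampering
# with the asset after signing, or an unknown key, makes this fail.
verify_asset() {                 # verify_asset ASSET
  gpg --batch --verify "$1.asc" "$1" 2>/dev/null
}

# Usage: ./sign-release.sh KEY ASSET...   (signs, then re-verifies each one)
if [ "$#" -ge 2 ]; then
  key=$1; shift
  sign_assets "$key" "$@"
  for a in "$@"; do verify_asset "$a" && echo "OK  $a"; done
fi
```

Publish the `.asc` files next to the assets; a downstream then imports your public key once and runs `gpg --verify <asset>.asc <asset>` before using the release.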