
A plugin should print the checksums to the log

Open igor-petruk opened this issue 6 years ago • 4 comments

It is important to verify that it was a CI that uploaded the artifacts.

Assume I am a Github repo owner, but I don't own the CI server - I use a public one.

A user can then read CI logs to see the checksums, download the archive and check them. This prevents the Github owner from deleting the CI release and putting a malicious binary manually, providing a correct new hash sum.

igor-petruk avatar Oct 25 '19 19:10 igor-petruk
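The workflow the opening post asks for, as an added shell example that is not drone-github-release's own code: the CI side prints a SHA-256 manifest line per artifact into the build log, and the downloader's side checks a file against a copy of that manifest and fails on a mismatch or a missing entry. File names and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the plugin): emit checksums to the CI log and
# verify a download against them. Artifact names below are constructed.
set -eu

# Use whichever SHA-256 tool is present (GNU coreutils or BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# CI side: print "<hash>  <name>" for each artifact so it survives in the log.
print_manifest() {
  for f in "$@"; do
    printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")"
  done
}

# User side: compare a downloaded file against the manifest copied from the log.
# Returns 0 on match, 1 on mismatch or when the manifest has no entry for it.
verify_against_manifest() {
  manifest="$1"; file="$2"
  name=$(basename "$file")
  expected=$(awk -v n="$name" '$2 == n { print $1 }' "$manifest")
  [ -n "$expected" ] || { echo "no manifest entry for $name" >&2; return 1; }
  actual=$(sha256_of "$file")
  if [ "$expected" = "$actual" ]; then
    echo "OK  $name"
  else
    echo "MISMATCH $name: log says $expected, file is $actual" >&2
    return 1
  fi
}

# Demo with a constructed artifact: verify, then tamper and verify again.
work=$(mktemp -d)
printf 'release build\n' > "$work/app-v1.0.0.tar.gz"
print_manifest "$work/app-v1.0.0.tar.gz" > "$work/SHA256SUMS"
verify_against_manifest "$work/SHA256SUMS" "$work/app-v1.0.0.tar.gz"
printf 'tampered\n' > "$work/app-v1.0.0.tar.gz"
verify_against_manifest "$work/SHA256SUMS" "$work/app-v1.0.0.tar.gz" || echo "tamper detected"
```

A match only ties the download to the line the log recorded; the replies below discuss why that is weaker than a signature.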

You should be using binary signing with a GPG key for such a use case.

lafriks avatar Oct 25 '19 21:10 lafriks

Checksums are anyway not that secure; as @lafriks said, use GPG for signing. There is also a plugin available for it. I personally don't use this feature at all, I prefer to build checksums on my own.

tboerger avatar Oct 25 '19 21:10 tboerger

I might be missing something, but GPG would only prove that I (as an author) am me. I can still print it in the logs. If I don't print, I can still do the signing. Then build the same code locally + evil patch, sign it and place it in releases. Yes, I will be responsible and lose credit, but that only proves I did it.

I was more looking to prove that something was built on a public CI that I don't control. It was built there, hashed there.

GPG would solve my problem if cloud.drone.io provided their widely trusted signing key.

igor-petruk avatar Oct 25 '19 21:10 igor-petruk

If you don't trust the owner of the product, you should probably compile it from source.

lafriks avatar Oct 25 '19 21:10 lafriks