
FR: provide the signature for '*.sha256' artefacts

Open bb-Ricardo opened this issue 2 years ago • 8 comments

In order to check for new releases and changes it is important to verify the provided signatures.

In this case the checksum file has no signature, and we need to download the binary to verify that the signature matches the binary; then we can use the checksum to verify in our systems if the correct version is present.

Best solution would be:

  • create a k8s.io checksum file containing all sha256 checksums for all currently released binaries
  • sign said checksum file using the same mechanism for signing binaries
  • provide downloads for
    • all binaries checksum file
    • signature of checksum file
    • signature certificate of checksum file

bb-Ricardo avatar Oct 25 '23 15:10 bb-Ricardo
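The verification order the request describes (check the signature over one checksum file first, then compare the locally installed binaries against the checksums it lists, with no binary download needed just to verify a signature) as an added example; this is not code from the issue or from the Kubernetes release tooling. The `cosign verify-blob` call is an assumption about "the same mechanism for signing binaries", the `identity`/`issuer` values are caller-supplied placeholders, and the checksum-file format assumed is plain `sha256sum` output.

```python
"""Verify locally present release binaries against a signed sha256 checksum file.

Flow: the signature over the checksum file is verified first, and only then
are its checksums trusted and compared against the SHA-256 of binaries that
are already on the system.
"""
import hashlib
import hmac
import re
import subprocess
from pathlib import Path
from typing import Callable, Dict, Iterable

# One `sha256sum` output line: 64 hex digits, a space, then either a space
# (text mode) or '*' (binary mode), then the file name.
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](\S.*)$")


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Return {basename: lowercase hex digest} for a sha256sum-style file.

    Any non-empty line that is not a valid entry raises ValueError: a
    truncated or edited checksum file must fail loudly, not silently
    shrink the set of artifacts that get checked.
    """
    sums: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line:
            continue
        m = _SUM_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a sha256sum entry: {line!r}")
        digest, name = m.group(1).lower(), m.group(2)
        sums[Path(name).name] = digest  # entries may carry a path prefix
    return sums


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (release binaries can be large)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def cosign_verify_blob(blob: Path, signature: Path, certificate: Path,
                       identity: str, issuer: str) -> bool:
    """Assumed signature check: shells out to `cosign verify-blob` with its
    keyless (certificate + identity) flags and returns True only on exit 0.
    identity/issuer are placeholders the caller must supply; the issue does
    not state what the real release signing identity is."""
    cmd = ["cosign", "verify-blob",
           "--certificate", str(certificate), "--signature", str(signature),
           "--certificate-identity", identity,
           "--certificate-oidc-issuer", issuer,
           str(blob)]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def verify_local_artifacts(checksum_file: Path, artifacts: Iterable[Path],
                           signature_ok: Callable[[Path], bool]) -> Dict[str, bool]:
    """Verify the checksum file's signature, then each local artifact.

    `signature_ok` is whatever verifies the signature over `checksum_file`
    (for example a functools.partial around cosign_verify_blob). If it
    fails, the checksums are never read. An artifact absent from the signed
    list is an error, not a pass: an unlisted binary cannot be declared
    correct.
    """
    if not signature_ok(checksum_file):
        raise RuntimeError(f"signature over {checksum_file.name} did not verify; "
                           "its checksums are untrusted")
    sums = parse_sha256sums(checksum_file.read_text())
    results: Dict[str, bool] = {}
    for artifact in artifacts:
        expected = sums.get(artifact.name)
        if expected is None:
            raise RuntimeError(f"{artifact.name} is not listed in {checksum_file.name}")
        # constant-time compare out of habit; the digests are not secret here
        results[artifact.name] = hmac.compare_digest(sha256_file(artifact), expected)
    return results
```

To use it against a real release, bind `cosign_verify_blob` to the downloaded `.sig` and `.cert` files with `functools.partial` and pass that as `signature_ok`; the checksum file is the only release artefact that has to be fetched, and a failed signature aborts before any checksum is compared.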

cc @kubernetes/release-engineering

ameukam avatar Oct 25 '23 16:10 ameukam

This seems similar to https://github.com/kubernetes/release/issues/3222, I'm going to transfer it to the k/release repo

/transfer release

xmudrii avatar Oct 26 '23 09:10 xmudrii

cc @cpanato @puerco for feedback

/priority important-longterm
/triage accepted

xmudrii avatar Oct 26 '23 09:10 xmudrii

/kind feature

xmudrii avatar Oct 26 '23 09:10 xmudrii

Hi,

https://github.com/kubernetes/release/issues/3222#issuecomment-1692964017

Just applying this proposed change would highly mitigate the necessity of downloading the binary blobs to verify the signature of each blob.

bb-Ricardo avatar Oct 26 '23 10:10 bb-Ricardo