sign releases
Original report by Thomas Waldmann (Bitbucket: thomaswaldmann, GitHub: thomaswaldmann).
To be able to check that a release archive has not been modified (and was really released by us), release archives should be signed (e.g. using GPG).
docs: this should be part of release checklist.
Is there an example python project offering signed releases? The only example I found was python itself: https://www.python.org/downloads/release/python-3115/ We would need a second secure location outside of the git code and docs to publish checksums and keys.
For borgbackup, I sign releases with gpg and upload the signature (together with the file I uploaded to pypi.org) to github releases.
pypi does not support uploading gpg signatures any more. But via gh releases, users have a way to check what they got from pypi (and also both gh releases and pypi contents could be verified in case there was a compromise somewhere).
https://github.com/borgbackup/borg/blob/master/scripts/sdist-sign https://github.com/borgbackup/borg/blob/master/scripts/upload-pypi https://github.com/borgbackup/borg/blob/master/scripts/sign-binaries
Result on gh releases: https://github.com/borgbackup/borg/releases/tag/1.2.6 (the 2 "source code" archive files there are automatically created by gh and not intended to be used)
Docs: https://borgbackup.readthedocs.io/en/stable/support.html#verifying-signed-releases
Since pypi does not support uploading gpg signatures any more and with both GitHub and pypi now using 2fa for login, is signing releases with gpg obsolete?
The idea is now to:
- publish releases on "github releases" page, upload the sdist .tgz and the .tgz.asc signature
- use twine to upload the same .tgz to pypi
So users who want to check signatures can get the signatures there (and also the .tgz if they like).
OK. Will you (Thomas) publish 2.0.0a1?
@RogerHaase I can do that, but mid term it would be good to also have another one or two developers who can make (preferably signed) releases.
OK, I will do next a2 or b1 signed release (and hopefully @UlrichB22 will want to join in the fun).
@ThomasWaldmann I released 2.0.0a1 on pypi and github releases, please verify that everything is properly signed.
The list of files under "Assets" at https://github.com/moinwiki/moin/releases/tag/2.0.0a1 is confusing. I expected to find a simple pip command similar to "pip install --pre moin" that would download and install the moin-2.0.0a1.tar.gz file from github.
Instead, the simplest command I found is "pip install git+https://github.com/moinwiki/moin@2.0.0a1" that starts with a clone:
Collecting git+https://github.com/moinwiki/moin@2.0.0a1
Cloning https://github.com/moinwiki/moin (to revision 2.0.0a1) to c:\users\haase\appdata\local\temp\pip-req-build-l703n7gk
What is the intended use of the 4 files under Assets?
Normal users should usually just do pip install "moin==2.0.0a1", so pip fetches the stuff from pypi. That doesn't support GPG signature verification as pip and pypi do not support that.
The 2 asset files labelled with "Source code" are always created by github and sadly there is no way (AFAIK) to avoid that. They are not sdists and not suitable for pip.
The other 2 files you uploaded there can be used to download, verify and install moin, although less comfortably compared to pip with pypi. So we have a backup there for the release sdist and also for the signature, so anybody can verify the sdist is authentic.
@RogerHaase We should add the gpg key fingerprints (of the keys used to sign releases) to the docs.
% gpg --fingerprint [email protected]
pub rsa4096/9F88FB52FAF7B393 2009-12-25 [SC]
Key fingerprint = 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393
uid [ unknown] Thomas Waldmann <[email protected]>
uid [ unknown] Thomas Waldmann <[email protected]>
uid [ unknown] Thomas Waldmann <[email protected]>
uid [ unknown] Thomas Waldmann <[email protected]>
sub rsa4096/243ACFA951F78E01 2014-12-25 [S] [expires: 2026-02-14]
sub rsa4096/80D1C3A354D9A2EF 2014-12-25 [E] [expires: 2026-02-14]
Also I didn't find your gpg pubkey on the gpg key servers - did you upload it?
Without your pub key, one cannot verify your signature:
% gpg --verify moin-2.0.0a1.tar.gz.asc
gpg: assuming signed data in 'moin-2.0.0a1.tar.gz'
gpg: Signature made Mi 27 Mär 21:54:41 2024 CET
gpg: using RSA key 7AFCF58FA1189DED2E863C413D9689A879BDD615
gpg: Can't check signature: No public key