
Provide Phylum public signing key for out-of-band verification

Open maxrake opened this issue 3 years ago • 7 comments

Overview

Currently, the Phylum CLI binary is signed using an RSA signing key. This signature can be verified using the corresponding public key for Phylum:

$ openssl dgst -sha256 -verify signing-key.pub -signature phylum-*.zip.signature phylum-*.zip
Verified OK

However, the source of the public key (i.e., the GitHub repository) is the same as the binaries it is meant to verify. In the absence of Certificate Authorities (CAs) to confirm the signer's identity, security best practices indicate that "the public key must instead be distributed using a trusted, out-of-band mechanism."

Acceptance Criteria

  • [ ] Phylum public signing key provided in an out-of-band channel that is also known to be controlled by Phylum

maxrake avatar Mar 17 '22 23:03 maxrake

Hello, I'm having a hard time recreating the minisign verification. See attached error. [screenshot: Screen Shot 2022-08-13 at 2 41 07 PM]

wilfredomateo avatar Aug 13 '22 19:08 wilfredomateo

There seem to be two issues here: One is that you're trying to verify the signature of the binary itself, while only our release artifacts (the zip files) are signed. The other is that you likely didn't download the .minisig file for those artifacts. On the releases page you should see a .minisig accompanying each .zip; you need to download both and then run this command on the zip file with the .minisig in the same directory.

The documentation certainly isn't very clear on that. @kylewillmon is working on a PR to improve this.

cd-work avatar Aug 15 '22 17:08 cd-work

Thanks. I will give that a try.

wilfredomateo avatar Aug 15 '22 22:08 wilfredomateo

@wilfredomateo! It's been a long time...glad to see you here.

PR #630 was put up today to help make the signature verification language better. Thank you for the feedback. We welcome any more that you have.

maxrake avatar Aug 15 '22 22:08 maxrake

I'm glad to be here. Trying to learn and contribute where I can.

I took a look at the addition to quickstart.md and it is much easier to follow now. I ran the signature verification again and it works fine now. Thank you. @kylewillmon

wilfredomateo avatar Aug 15 '22 22:08 wilfredomateo

With the completion of #724, the next release of the CLI will be signed with openssl. It will also be signed with minisign, but that will be phased out over time.

This issue is still relevant because the public signing key used by openssl to verify the release artifacts is currently only hosted in the CLI GitHub repository...which is the same source as the artifacts it is meant to verify.

maxrake avatar Oct 12 '22 15:10 maxrake
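The check this issue asks for, as an added shell example that is not part of the Phylum CLI project: besides running `openssl dgst -verify` on the release archive, the verifier pins the public key to a SHA-256 fingerprint it obtained out of band, so a key swapped in the same repository as the artifacts would be rejected. The key pair, the archive, its signature and the "pinned" fingerprint are all constructed locally here (stand-ins for Phylum's real values) so the script runs offline.

```shell
#!/bin/sh
# Added example: verify a release archive with openssl AND pin the public key
# to a fingerprint published through a channel the vendor controls.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# --- constructed fixtures (NOT Phylum's real key or release) ---
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out signing-key.pem 2>/dev/null
openssl pkey -in signing-key.pem -pubout -out signing-key.pub
printf 'constructed release contents\n' > phylum-example.zip
openssl dgst -sha256 -sign signing-key.pem \
    -out phylum-example.zip.signature phylum-example.zip

# SHA-256 over the DER encoding of the public key. This is the value a user
# would compare against one obtained out of band (not from the GitHub repo).
key_fingerprint() {
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# verify_release PUBKEY ARCHIVE SIGNATURE PINNED_FINGERPRINT
# Returns 0 only if the key matches the pinned fingerprint AND the
# signature over the archive verifies; 1 otherwise.
verify_release() {
    pub=$1; archive=$2; sig=$3; pinned=$4
    actual=$(key_fingerprint "$pub")
    if [ "$actual" != "$pinned" ]; then
        echo "public key fingerprint mismatch: got $actual, expected $pinned" >&2
        return 1
    fi
    openssl dgst -sha256 -verify "$pub" -signature "$sig" "$archive" \
        >/dev/null 2>&1
}

# Stand-in for the fingerprint a user would have obtained out of band.
PINNED=$(key_fingerprint signing-key.pub)

verify_release signing-key.pub phylum-example.zip \
    phylum-example.zip.signature "$PINNED" && echo "release verified"
```

With a real release, only the four arguments change: the published key, the downloaded .zip and .signature, and the fingerprint from the out-of-band channel.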

> This issue is still relevant because the public signing key used by openssl to verify the release artifacts is currently only hosted in the CLI GitHub repository...which is the same source as the artifacts it is meant to verify.

Issue title and description have now been edited to reflect this.

kylewillmon avatar Oct 12 '22 16:10 kylewillmon