maintainer tooling: Links for projects?
Would it make sense for projects to link to the appropriate entry on the log for releases?
Could we create a subcommand that spits out some text with the hashes and a link to the log that maintainers can paste into the release notes?
I think it is best if projects suggest using tl in their release notes. Linking to the log doesn’t provide a ton of value because:
- the user still needs to manually use shell scripts or something to generate a digest and verify their file just like a SHA256SUM file
- the user is unlikely to verify the log entry signature
- the user won’t be able to validate the log entry is included in the transparency log against the /latest log head
I have been thinking about a helper tool that generates tl get and tl validate lines based on a GitHub release. Maybe we could create a new helper tool for those sorts of things.
Also, just writing a doc on how to tell users how to use the tool would be a good idea.
@amouat I created a GitHub action that automatically adds a project’s release assets if you want to add this to your projects: https://github.com/marketplace/actions/publish-release-assets-to-asset-transparency-log
Let me take a look!
I've been meaning to get back to you about this. I still would like to see checksums on the downloads page so that people with old-skool leanings can use existing tools to verify checksums without tl. I think if we can show the checksum matches the checksum on an external site with guarantees on immutability it still provides a level of reassurance (an attacker can't update the checksum on an existing release, they'd probably have to create a whole new release). Not sure if that makes any sense.
So what I'd still like to see is a human friendly web page on the log that shows the checksums and historic releases for a binary. Again, maybe this just doesn't make sense.
@amouat
What if I added a URL endpoint to the service that would enable something like:
curl https://beta-asset.transparencylog.net/sha256sum/github.com/transparencylog/tl/releases/download/v0.2.12/tl_0.2.12_darwin_x86_64.tar.gz > SHA256SUM
sha256sum -c SHA256SUM
tl_0.2.12_darwin_x86_64.tar.gz: OK
Would that be something you are interested in?
Alternatively I could add a subcommand
tl generate-sha256sum https://github.com/transparencylog/tl/releases/download/v0.2.12/tl_0.2.12_darwin_x86_64.tar.gz > SHA256SUM
sha256sum -c SHA256SUM
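The proposed /sha256sum endpoint (or a generate-sha256sum subcommand) would hand the user a file in the two-column format that sha256sum -c reads, which is the same flow the earlier post describes as "manually use shell scripts to generate a digest and verify". The script below is an added example, not part of the tl project or this thread: it builds such a SHA256SUM line for a constructed asset, verifies it, and shows that a modified download fails the check. It assumes only GNU coreutils sha256sum (or shasum on macOS/BSD) and that the checksum service keys entries on the asset's basename, as sha256sum -c expects.

```shell
#!/bin/sh
# Added example (not tl project code): produce and verify a SHA256SUM file in
# the format a /sha256sum endpoint would serve, entirely offline.

# Use GNU coreutils sha256sum when present, otherwise shasum (macOS/BSD).
# Both print "<hex digest>  <filename>" and both accept -c for verification.
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# Print one SHA256SUM line for file $2 inside directory $1. The digest is
# computed relative to the directory so the line names the bare file, which
# is what `sha256sum -c` later looks up on disk (assumption: the service
# keys on the asset's basename).
checksum_line() {
    ( cd "$1" && sha256 "$2" )
}

# Verify the SHA256SUM file $2 inside directory $1. Exit status 0 means every
# listed file checked "OK"; non-zero means a digest mismatch (tampered or
# corrupted download) or a missing file. Output is suppressed so callers
# decide based on the status, not on parsing "OK"/"FAILED" text.
verify_sums() {
    ( cd "$1" && sha256 -c "$2" >/dev/null 2>&1 )
}

# Constructed end-to-end demo: an intact asset verifies, a tampered one fails.
# Returns 0 only if both outcomes are as expected.
demo_tamper_detection() {
    work=$(mktemp -d) || return 1
    asset="tl_0.0.0_demo_x86_64.tar.gz"          # constructed asset name
    printf 'constructed release payload\n' > "$work/$asset"

    # What the /sha256sum endpoint would return for this asset.
    checksum_line "$work" "$asset" > "$work/SHA256SUM"

    if ! verify_sums "$work" SHA256SUM; then
        echo "unexpected: intact asset failed verification" >&2
        rm -rf "$work"; return 1
    fi
    echo "intact asset: OK"

    # Simulate a swapped or corrupted download and re-check.
    printf 'one extra byte\n' >> "$work/$asset"
    if verify_sums "$work" SHA256SUM; then
        echo "unexpected: tampered asset passed verification" >&2
        rm -rf "$work"; return 1
    fi
    echo "tampered asset: FAILED (as expected)"

    rm -rf "$work"
    return 0
}

demo_tamper_detection
```

The check only has value if the SHA256SUM file comes from somewhere the attacker cannot rewrite alongside the asset; that is the point of serving it from the log rather than from the same release page. Run the script as-is to see both outcomes, or source it and call verify_sums on a real download directory.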
I think that endpoint makes a lot of sense, even if it's just referred to in documentation and doesn't see much usage - it makes it clear what's happening behind the scenes with tl.
I do worry that the need to trust the tl binary will put some people off.
@amouat OK, I will think about that feature.
There is a verify script written in bash that is available right now: https://github.com/transparencylog/tl/blob/main/utils/asset-transparency-lookup-verify