Skip to content

Sign Releases (PGP, GPG) #1355

Description

@maltfield

Is your feature request related to a problem?

Currently it is not possible to verify the authenticity or cryptographic integrity of the notation releases from github.com because the releases are not cryptographically signed.

This makes it hard for notation users to safely obtain the notation software, and it introduces them (and potentially future things they try to verify with notation's cli tools) to watering hole attacks.

What solution do you propose?

A few things are expected:

  1. I should be able to download the notation release-signing PGP key out-of-band from popular third-party keyservers (eg https://keys.openpgp.org/)
  2. I should be able to download a cryptographic signature of the release (or, better, the signature of the releases' checksum file, such as a _checksums.txt.asc file) along with the release itself
  3. The downloads page itself should include a link to the documentation page that describes how to do the above two steps

What alternatives have you considered?

Signing your releases with minisign would be ok, but I think it's best to stick to tried-and-true best-practices with gpg.

You could also release the software on repos like apt that have digests that are signed, but the debian maintainer is going to prefer you to sign your releases with your own PGP key for them to securely obtain it from you, anyway.

In any case, you need to sign your own releases.

Any additional context?

Steps to Reproduce

  1. Go to the releases page https://github.com/notaryproject/specifications/releases/tag/v1.1.0
  2. Look for signature file
  3. ???
  4. Go to the install docs page https://notaryproject.dev/docs/user-guides/installation/cli/
  5. Look for instructions how how to verify the release with a cryptographic signature
  6. ???
  7. Get confused and open ticket

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requesttriageNeed to triage

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Todo

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions