Is your feature request related to a problem?
Currently it is not possible to verify the authenticity or cryptographic integrity of the notation releases from github.com because the releases are not cryptographically signed.
This makes it hard for notation users to safely obtain the notation software, and it introduces them (and potentially future things they try to verify with notation's cli tools) to watering hole attacks.
What solution do you propose?
A few things are expected:
- I should be able to download the notation release-signing PGP key out-of-band from popular third-party keyservers (eg https://keys.openpgp.org/)
- I should be able to download a cryptographic signature of the release (or, better, the signature of the releases' checksum file, such as a
_checksums.txt.asc file) along with the release itself
- The downloads page itself should include a link to the documentation page that describes how to do the above two steps
What alternatives have you considered?
Signing your releases with minisign would be ok, but I think it's best to stick to tried-and-true best-practices with gpg.
You could also release the software on repos like apt that have digests that are signed, but the debian maintainer is going to prefer you to sign your releases with your own PGP key for them to securely obtain it from you, anyway.
In any case, you need to sign your own releases.
Any additional context?
Steps to Reproduce
- Go to the releases page https://github.com/notaryproject/specifications/releases/tag/v1.1.0
- Look for signature file
- ???
- Go to the install docs page https://notaryproject.dev/docs/user-guides/installation/cli/
- Look for instructions how how to verify the release with a cryptographic signature
- ???
- Get confused and open ticket
Is your feature request related to a problem?
Currently it is not possible to verify the authenticity or cryptographic integrity of the notation releases from github.com because the releases are not cryptographically signed.
This makes it hard for notation users to safely obtain the notation software, and it introduces them (and potentially future things they try to verify with notation's cli tools) to watering hole attacks.
What solution do you propose?
A few things are expected:
_checksums.txt.ascfile) along with the release itselfWhat alternatives have you considered?
Signing your releases with minisign would be ok, but I think it's best to stick to tried-and-true best-practices with
gpg.You could also release the software on repos like
aptthat have digests that are signed, but the debian maintainer is going to prefer you to sign your releases with your own PGP key for them to securely obtain it from you, anyway.In any case, you need to sign your own releases.
Any additional context?
Steps to Reproduce