Document PGP release signature usage #1469
Comments
|
I also recommend adding a For more best-practices, see also: |
|
Reference: And then compare libusb-1.0.27 release and python-libusb1 3.1.0 release, I do not see any difference in terms of the source code archive signing. What is missing here? |
I do not see any repos I am involved doing that (eg: libusb, pyusb, avrdude, openocd, libftdi, hidapi, etc). |
Check Maven. 100% of the packages on Apache Maven's central repository are cryptographically signed with PGP. The |
Sorry if I was unclear: this ticket is asking for documentation. What's missing is documentation. |
At least I do not see anything like that in the official github repo. They do not even have signed source tarball. |
Could you provide a reference? Thanks. |
A good example is the Apache Ant KEYS file
Maven signs their releases. You can find the signatures on their website: Note the text above the table, which provides info to users on how to verify signatures by linking to the documentation
The above text links to the following documentation, which is what this ticket is asking-for to be added to the libusb website and/or wiki:
Does the above answer your question? If not, let me know and I can provide examples of such documentation from other projects, if you'd like. |
Thanks for the answer. I will let @tormodvolden decide how to address the issue you raised. He is in charge of the recent releases like 1.0.25/1.026/1.0.27. |
|
This is a good point. I have been signing with my key that is listed e.g. at https://launchpad.net/~tormodvolden but it is not mentioned anywhere on our pages. |
|
You have done a great job at documenting the issue, you're welcome to suggest some wording and templates as well. |
|
Here are some examples pages from open source projects documenting how their users can cryptographically verify their releases:
You can make this very complicated if you'd like, but at the minimum I think the documentation should:
|
|
I think the above seems to be a good practice. On the other hand, I am also trying to understand why most projects do not even sign the release. So I look at libusb github download number statistics, very few people actually downloaded the signature files. Very interestingly that Do.not.use.the.tar.gz.--.please.download.the.tar.bz.--.txt gets many more downloads than the signature files.
|
|
It is understandable that the signatures are not downloaded often if we don't tell explain what they are and how to use them. I also think the download numbers are skewed by bots downloading whatever (comes first?), and build scripts etc. |
Unfortunately, security is an afterthought for most software developers. If you don't sign your releases, then your users cannot know if they downloaded the "authentic version" or a "malicious version" of your software. https does not protect users from supply-chain attacks such as Publishing Infrastructure Compromise. This is especially a concern for libraries, which is a tasty target for malicious actors to poison the library and downstream software projects (watering hole attack). Many open source projects have learned this lesson the hard way. Here is a (incomplete) list of some historic instances of supply chain security incidents that affected various software projects in the past years: |
|
@tormodvolden for right now (as a workaround) where can users download your PGP public key? And what is the full fingerprint? The latest libusb release appears to be signed with a key =
Also there's no link on your launchpad page to download the actual PGP public key. |
|
Yes, the third key (you listed it as number 1 also but that must have been a copy-pasto) with fingerprint The keys listed on the search result page are download links. Also, if you search for But yes, we can make this clearer and have the fingerprints listed on our web pages. |
|
Thanks
Where exactly do you click? The fingerprints are not clickable for me on the launchpad page
Unfortunately it is not possible to download and import your key from this website. Try it on a fresh VM, and you get the error The problem is that modern-day keyservers strip UIDs (for your data privacy) by default. And The solution is that you need to verify your email address by clicking the link sent to the uid of the key as described here: In the meantime, please let me know how I can download your PGP key. |
|
Looks like the fingerprints are not clickable unless you are logged in :( But this is the URL and it seems publicly available: https://keyserver.ubuntu.com/pks/lookup?fingerprint=on&op=index&search=0xC68187379B23DE9EFC46651E2C80FF56C6830A0E |
Expected behaviour
When I go to download the latest version of libusb, I should also see instructions on how to verify the authenticity of the file after download and before install. Or, at least, a link to the document that describes this.
Actual behaviour
I see no mention about cryptographic authenticity verification on the download page on GitHub
I see no mention about cryptographic authenticity verification on the download page on SourceForge:
I see no mention about cryptographic authenticity verification on the "Downloads" section of the libusb wiki:
I see no mention about cryptographic authenticity verification on the "FAQ" section of the libusb wiki:
I see no mention about cryptographic authenticity verification on the website:
Steps to reproduce
Releaseslibusb-1.0.27.tar.bz2libusb-1.0.27.tar.bz2.ascAdditional Context
I would recommend adding a new page to your wiki that:
gpgcommand for how a user can fetch the Release Signing Key from the keyserversAfter the above documentation page is complete, add at least one link to it from the following pages:
The text was updated successfully, but these errors were encountered: