Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Releases should be signed #1354

Open
pjf opened this issue Aug 9, 2015 · 5 comments
Open

Releases should be signed #1354

pjf opened this issue Aug 9, 2015 · 5 comments
Assignees
@techman83
Labels
Build Issues affecting the build system Enhancement Infrastructure Issues affecting everything around CKAN (the GitHub repos, build process, CI, ...) ★★☆

Comments

@pjf
Copy link
Member

pjf commented Aug 9, 2015

Right now, releases aren't signed, and users get a "yo, this is a file you downloaded from the internet" message on Windows.

Mono comes with the signcode utility which can do this, and while we'll need to create (and possibly pay a CA to sign) a certificate, that shouldn't be insurmountable.

We'll still want travis to do the signing and release, but luckily we can encrypt things so that only travis can read them.
@techman83
Copy link
Member

StartSSL HowTo
https://forum.startcom.org/viewtopic.php?f=15&t=1654

@ghost
Copy link

ghost commented Feb 18, 2016

Piggybacking on this:

SpaceDock/SpaceDock-Project#2 will require some sort of verification infrastructure (see SpaceDock/SpaceDock-Project#22 for a discussion of implementation ideas), and we were hoping to jump on hte CKAN metadata train, but the spec has no provisions for a "signed" field (to reduce the chances of somebody tempering with packages), or at least a "hash" to provide download integrity verification.

@janbrohl janbrohl mentioned this issue May 20, 2016
Closed
@politas
Copy link
Member

politas commented Aug 23, 2016

Ok, we can get a signed certificate from Certum for only €14.00, which I'm willing to pay for. I'm not sure if that's an annual fee or a once-off, but I'm ok with it either way. It looks to me like their Open Source Code Signing is what we would need to use.

@ayan4m1, do you have any relevant experience in this field?

@politas
Copy link
Member

politas commented Oct 23, 2018

Bringing this issue back to life may be worthwhile. We should actually move to release signing, or close this issue.
@HebaruSan , you are quite certainly hte primary coder at this point. Can you make head or tails out of how to actually implement this?

@HebaruSan HebaruSan added Build Issues affecting the build system Infrastructure Issues affecting everything around CKAN (the GitHub repos, build process, CI, ...) labels Oct 23, 2018
@HebaruSan HebaruSan mentioned this issue Oct 23, 2018
Closed
@HebaruSan
Copy link
Member

See linked PR.

@HebaruSan HebaruSan mentioned this issue Jan 8, 2023
Closed
@techman83 techman83 self-assigned this Apr 29, 2024
techman83 added a commit that referenced this issue May 3, 2024
@techman83
refactor: Release workflow
7c009a1 
This is a complete refactor and update of the release workflow in
preparation for signed commits (#1354).

- Updates all actions versions
- Remove mono containers
- Reduce apt installations to only required
- Use aws credentials actions instead of unmaintained sync action
- Use ghcli for asset uploads instead of unmaintained assets upload
  action
- Breaks apart steps into discrete jobs
techman83 added a commit that referenced this issue May 3, 2024
@techman83
feat: Upload Release Assets for Signing
985e566 
This adds a signing step for our release assets in preparation for #1354. Although the CSR is
not ready yet, this will make it easy for us to reference the download url when it is ready.
techman83 added a commit that referenced this issue May 4, 2024
@techman83
refactor: Release workflow
db97db5 
This is a complete refactor and update of the release workflow in
preparation for signed commits (#1354).

- Updates all actions versions
- Remove mono containers
- Reduce apt installations to only required
- Use aws credentials actions instead of unmaintained sync action
- Use ghcli for asset uploads instead of unmaintained assets upload
  action
- Breaks apart steps into discrete jobs
techman83 added a commit that referenced this issue May 4, 2024
@techman83
feat: Upload Release Assets for Signing
3c7dc3a 
This adds a signing step for our release assets in preparation for #1354. Although the CSR is
not ready yet, this will make it easy for us to reference the download url when it is ready.
techman83 added a commit that referenced this issue May 4, 2024
@techman83
refactor: Release workflow
17931ef 
This is a complete refactor and update of the release workflow in
preparation for signed commits (#1354).

- Updates all actions versions
- Remove mono containers
- Reduce apt installations to only required
- Use aws credentials actions instead of unmaintained sync action
- Use ghcli for asset uploads instead of unmaintained assets upload
  action
- Breaks apart steps into discrete jobs
techman83 added a commit to techman83/CKAN that referenced this issue May 4, 2024
@techman83
refactor: Release workflow
d002a00 
This is a complete refactor and update of the release workflow in
preparation for signed commits (KSP-CKAN#1354).

- Updates all actions versions
- Remove mono containers
- Reduce apt installations to only required
- Use aws credentials actions instead of unmaintained sync action
- Use ghcli for asset uploads instead of unmaintained assets upload
  action
- Breaks apart steps into discrete jobs
techman83 added a commit that referenced this issue May 4, 2024
@techman83
refactor: Release workflow
fe06099 
This is a complete refactor and update of the release workflow in
preparation for signed commits (#1354).

- Updates all actions versions
- Remove mono containers
- Reduce apt installations to only required
- Use aws credentials actions instead of unmaintained sync action
- Use ghcli for asset uploads instead of unmaintained assets upload
  action
- Breaks apart steps into discrete jobs
techman83 added a commit that referenced this issue May 4, 2024
@techman83
refactor: Release workflow
9c7cf36 
This is a complete refactor and update of the release workflow in
preparation for signed commits (#1354).

- Updates all actions versions
- Remove mono containers
- Reduce apt installations to only required
- Use aws credentials actions instead of unmaintained sync action
- Use ghcli for asset uploads instead of unmaintained assets upload
  action
- Breaks apart steps into discrete jobs
techman83 added a commit that referenced this issue May 10, 2024
@techman83
refactor: Release workflow
2bd6af2 
This is a complete refactor and update of the release workflow in
preparation for signed commits (#1354).

- Updates all actions versions
- Remove mono containers
- Reduce apt installations to only required
- Use aws credentials actions instead of unmaintained sync action
- Use ghcli for asset uploads instead of unmaintained assets upload
  action
- Breaks apart steps into discrete jobs
techman83 added a commit that referenced this issue May 10, 2024
@techman83
refactor: Release workflow
09d2eb6 
This is a complete refactor and update of the release workflow in
preparation for signed commits (#1354).

- Updates all actions versions
- Remove mono containers
- Reduce apt installations to only required
- Use aws credentials actions instead of unmaintained sync action
- Use ghcli for asset uploads instead of unmaintained assets upload
  action
- Breaks apart steps into discrete jobs
techman83 added a commit that referenced this issue May 10, 2024
@techman83
refactor: Release workflow
37981cc 
This is a complete refactor and update of the release workflow in
preparation for signed commits (#1354).

- Updates all actions versions
- Remove mono containers
- Reduce apt installations to only required
- Use aws credentials actions instead of unmaintained sync action
- Use ghcli for asset uploads instead of unmaintained assets upload
  action
- Breaks apart steps into discrete jobs
techman83 added a commit that referenced this issue May 17, 2024
@techman83
refactor: Release workflow
47bb890 
This is a complete refactor and update of the release workflow in
preparation for signed commits (#1354).

- Updates all actions versions
- Remove mono containers
- Reduce apt installations to only required
- Use aws credentials actions instead of unmaintained sync action
- Use ghcli for asset uploads instead of unmaintained assets upload
  action
- Breaks apart steps into discrete jobs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@techman83 techman83

Labels
Build Issues affecting the build system Enhancement Infrastructure Issues affecting everything around CKAN (the GitHub repos, build process, CI, ...) ★★☆
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Sign releases HebaruSan/CKAN
5 participants
@pjf @Postremus @HebaruSan @politas @techman83