Publish PGP Signature for composer.phar #71
Comments
👍 if you need help setting this up, shoot me an email -- I'd like to see this get done!

@Seldaek If you need any help here, I'm here ;)

Note that signing releases is easier than tagging nightly builds, as signing means manually creating the archive and manually entering a password at some point (at least, that's how it should be done).

So, is there going to be any momentum at all on this initiative?

tumbleweeds

So, is it the official stance of the Composer team that they don't care about package integrity?

No, the official stance is that I am busy with tons of things and haven't had time to look into this yet, but yes, I agree it would be great. If one of you would like to work on a pull request for the docs, that would already be a great start. Another thing that'd help is patching https://github.com/composer/getcomposer.org/blob/master/update.sh#L26 so it generates a signature too from a local key file. If all I have left to do is generating private keys (I guess there should be a passwordless one on the server for the dev snapshots and a passworded one I can use to manually sign the releases), that'd greatly increase the chances this actually gets done soon.

@sarciszewski yup, I saw the PRs, thanks a bunch. I'll try to follow up on this sooner rather than later.

Cool. Is there anything left you need done other than the actual key generation and signing steps? (I can't really do that for you, otherwise I could easily be in a position to trojan the installer if I decided to become evil in the future, so it's best if it's your key, not mine.)

@sarciszewski sorry, I took a look at it and then thought it would actually be best to sign using openssl, because then we can verify in PHP using openssl functions, which we anyway largely depend on. That'd make it easier to have a workable cross-platform solution. See composer/composer#2665 (comment) for details. Anyway, then I got stuck with conference and holiday and work and life, so I couldn't get that done yet. What do you think?

It appears the problem is you're thinking a level deeper than my complaint addresses. I'm not advising you to write the code inside of The problem is not what the installer contains, the problem is how the installer is invoked. These are not safe for the person running them:

curl https://anything | php
curl http://anything | sh

If you trust OpenSSL that much (http://www.libressl.org/ might be a better solution fwiw) and know an openssl wizard who can teach all of your users how to verify the installer before executing it, great. But I'm not that person. Maybe @defuse can help me out here if I'm not explaining this correctly?

@sarciszewski signing the installer itself will not guarantee the phar integrity. This means that the installer should also verify the signature of the phar when downloading it (and the phar should verify it as well when doing self-updates). So the user should indeed verify the integrity of the installer before executing it, but the installer itself needs to have logic verifying signatures for the next steps.

I agree. Both steps need to be signed, and every composer package should also be signed too. But getting the install instructions to be secure by default is a good start on this initiative.

@sarciszewski but the signature for the phar itself, which is what you implemented in your PR, is something which needs to be verified by the Composer code (both in the phar and the installer) (except for people downloading the phar directly instead of the installer).
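The sign-then-verify flow the two sides of this thread are converging on, as an added example that is not Composer's own code or any of the PRs mentioned: the release side signs the artifact with a local OpenSSL private key (what a patched update.sh would do), and the client side checks the detached signature against a pinned public key before the file is handed to any interpreter, which is the part the installer and the phar's self-update would have to implement. Because it uses OpenSSL rather than PGP, the verifying side maps onto PHP's openssl_* functions as suggested above. The key pair, file names and the stand-in composer.phar are constructed for the demo; the `openssl` CLI is assumed to be available.

```shell
#!/bin/sh
# Added example (not Composer's own code): sign a release artifact with a local
# OpenSSL key, then verify the detached signature before the artifact is used.
# Key names and the stand-in phar below are constructed for this demo.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Release side, run once: generate the signing key pair. The private key stays
# on the build host; only release.pub is shipped to clients, pinned in the
# installer rather than fetched from the same place as the artifact.
make_keys() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/release.key" 2>/dev/null || return 1
  openssl pkey -in "$WORK/release.key" -pubout -out "$WORK/release.pub" 2>/dev/null
}

# Release side, per build: write a detached SHA-256/RSA signature next to the artifact.
sign_artifact() {            # $1 = artifact path; writes "$1.sig"
  openssl dgst -sha256 -sign "$WORK/release.key" -out "$1.sig" "$1"
}

# Client side: exit status 0 only if the signature matches the pinned key.
verify_artifact() {          # $1 = artifact, $2 = signature, $3 = pinned public key
  openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# Client side: the replacement for "curl ... | php". The download lands in a
# temporary file, is verified, and only then installed; an unverified file
# never reaches the interpreter.
install_if_verified() {      # $1 = download, $2 = signature, $3 = pubkey, $4 = destination
  if verify_artifact "$1" "$2" "$3"; then
    cp "$1" "$4" && return 0
  fi
  rm -f "$1"                 # discard the untrusted download
  return 1
}

# Demo: a constructed stand-in for composer.phar, signed and then verified.
demo_verify_good() {
  make_keys || return 1
  printf '<?php echo "stand-in for composer.phar\\n";' > "$WORK/composer.phar"
  sign_artifact "$WORK/composer.phar" || return 1
  install_if_verified "$WORK/composer.phar" "$WORK/composer.phar.sig" \
    "$WORK/release.pub" "$WORK/installed.phar"
}

# Demo: one appended byte (a tampered or truncated download) must be rejected
# and nothing may be installed. Returns 0 when the rejection happened.
demo_verify_tampered() {
  demo_verify_good || return 1
  cp "$WORK/composer.phar" "$WORK/evil.phar"
  printf 'x' >> "$WORK/evil.phar"
  if install_if_verified "$WORK/evil.phar" "$WORK/composer.phar.sig" \
      "$WORK/release.pub" "$WORK/installed2.phar"; then
    return 1                 # verification wrongly succeeded
  fi
  [ ! -f "$WORK/installed2.phar" ]
}

if demo_verify_good; then echo "good build: verified and installed"; fi
if demo_verify_tampered; then echo "tampered build: rejected as expected"; fi
```

The same structure applies to the phar's self-update: the new phar is downloaded to a temporary path, `verify_artifact` (or its PHP equivalent with openssl_verify) runs against the key compiled into the running phar, and only a verified file is moved over the old one. The public key has to travel with the installer or the phar, not alongside the download, or a host that can swap the phar can swap the key as well.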

Let's break this up into three pieces:
Until step 1 is complete, the other two don't really buy people anything except inconvenience.

@sarciszewski but you started with a PR preparing the work for 2, not for 1

@stof This issue, which is on the

nope. this issue is asking to sign the phar. And the phar is not the installer. It is what the installer downloads after checking your system. So it is about step 2 (or about people skipping step 1).
Please sign composer.phar with a PGP key, publish the key ID and signature, and update the documentation to encourage verifying the .phar before blindly piping to the PHP interpreter.
https://getcomposer.org/composer.phar
https://getcomposer.org/composer.phar.asc <- signature should go here
See also: https://defuse.ca/triangle-of-secure-code-delivery.htm by @defuse