Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/website: link to signatures on Go releases and document how to validate #38910

Open
jsha opened this issue May 6, 2020 · 4 comments
Open
Labels
Builders x/build issues (builders, bots, dashboards) Documentation FeatureRequest NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. website

Comments

@jsha
Copy link

jsha commented May 6, 2020

On https://golang.org/dl/, there are links to each Go release, along with SHA256 checksums. However, the security of those checksums is only ensured by HTTPS. I learned recently that there are also PGP signatures for each release. So to go along with:

https://dl.google.com/go/go1.14.2.linux-amd64.tar.gz

There is also:

https://dl.google.com/go/go1.14.2.linux-amd64.tar.gz.asc

It would be great to document that fact on https://golang.org/dl/, along with instructions on how to validate the signature.

@FiloSottile
Copy link
Contributor

FiloSottile commented May 7, 2020

For the record the public key is available at https://www.google.com/linuxrepositories/

@toothrot toothrot changed the title doc: link to signatures on Go releases and document how to validate x/website: link to signatures on Go releases and document how to validate May 11, 2020
@gopherbot gopherbot added this to the Unreleased milestone May 11, 2020
@toothrot toothrot added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label May 11, 2020
@toothrot
Copy link
Contributor

toothrot commented May 11, 2020

/cc @dmitshur @cnoellekb @andybons

@tvierling
Copy link

tvierling commented May 25, 2022

The public key is not at https://www.google.com/linuxrepositories/ as noted above; the fingerprint on current signatures is

gpg: using RSA key 78BD65473CB3BD13

which is none of the keys contained at that link.

@jamalc jamalc modified the milestones: Unreleased, website/unplanned Jun 8, 2022
@StevenMaude
Copy link

StevenMaude commented Aug 1, 2022

This is perhaps off-issue. But just to confirm the current Google Linux package signing keys do correctly validate the Go releases now, in contrast with @tvierling's previous report ✔️

$ gpg --verify go1.18.3.linux-amd64.tar.gz.asc 
gpg: assuming signed data in 'go1.18.3.linux-amd64.tar.gz'
gpg: Signature made Wed 01 Jun 2022 21:16:43 BST
gpg:                using RSA key 78BD65473CB3BD13
gpg: Can't check signature: No public key

$ gpg --verify go1.18.4.linux-amd64.tar.gz.asc 
gpg: assuming signed data in 'go1.18.4.linux-amd64.tar.gz'
gpg: Signature made Tue 12 Jul 2022 19:31:37 BST
gpg:                using RSA key 4EB27DB2A3B88B8B
gpg: Can't check signature: No public key

$ gpg --import linux_signing_key.pub 
gpg: key A040830F7FAC5991: public key "Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>" imported
gpg: key 7721F63BD38B4796: 1 signature not checked due to a missing key
gpg: key 7721F63BD38B4796: public key "Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>" imported
gpg: Total number processed: 2
gpg:               imported: 2
…

$ gpg --verify go1.18.3.linux-amd64.tar.gz.asc 
gpg: assuming signed data in 'go1.18.3.linux-amd64.tar.gz'
gpg: Signature made Wed 01 Jun 2022 21:16:43 BST
gpg:                using RSA key 78BD65473CB3BD13
gpg: Good signature from "Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796
     Subkey fingerprint: 2F52 8D36 D67B 69ED F998  D857 78BD 6547 3CB3 BD13

$ gpg --verify go1.18.4.linux-amd64.tar.gz.asc 
gpg: assuming signed data in 'go1.18.4.linux-amd64.tar.gz'
gpg: Signature made Tue 12 Jul 2022 19:31:37 BST
gpg:                using RSA key 4EB27DB2A3B88B8B
gpg: Good signature from "Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796
     Subkey fingerprint: 8461 EFA0 E74A BAE0 10DE  6699 4EB2 7DB2 A3B8 8B8B

Presumably the keys changed sometime in the past few months due to a (then-forthcoming) expiry date in July 2022:

$ gpg linux_signing_key.pub 
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   dsa1024 2007-03-08 [SC]
      4CCA1EAF950CEE4AB83976DCA040830F7FAC5991
uid           Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
sub   elg2048 2007-03-08 [E]
pub   rsa4096 2016-04-12 [SC]
      EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796
uid           Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub   rsa4096 2016-04-12 [S] [expired: 2019-04-12]
sub   rsa4096 2017-01-24 [S] [expired: 2020-01-24]
sub   rsa4096 2019-07-22 [S] [expired: 2022-07-21]
sub   rsa4096 2021-10-26 [S] [expires: 2024-10-25]

@dmitshur dmitshur added the Builders x/build issues (builders, bots, dashboards) label Aug 1, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Builders x/build issues (builders, bots, dashboards) Documentation FeatureRequest NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. website
Projects
None yet
Development

No branches or pull requests

9 participants