New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Setup code signing for all packages using opgenpgp #51

Open
wants to merge 4 commits into
base: master
from

Conversation

Projects
None yet
7 participants
@dignifiedquire
Member

dignifiedquire commented Feb 8, 2016

Update: Added process references
Update: Added sha512 checksums

I've setup a pgp on my yubikey that is used for the code signing process. This process generates pgp signatures for every single tar/zip file and adds them to directory. As in the description explained they can be verified by running

$ gpg --verify file.tar.gz.asc file.tar.gz

if the key is present.

Ref ipfs/go-ipfs#957

References

Key Management

Setup

  • Every developer (currently me) who has the right to sign releases generates a pgp key, stored on dedicated hardware like a yubikey
  • The fingerprint is added to dist.ipfs.io
  • The public key is uploaded to https://pgp.mit.edu/ for ease of distribution

Verification

  • The user who downloads from dist.ipfs.io can fetch the listed public keys listed from https://pgp.mit.edu/ and add them to their keyring
  • The user downloads the signature + file
  • The user uses pgp + signature to verify the file

Checksums

In addition to the signatures there are also file.sha files containing the sha512 checksum of the packages.

@dignifiedquire

This comment has been minimized.

Show comment
Hide comment
Member

dignifiedquire commented Feb 8, 2016

Show outdated Hide outdated site/public/_about.md
You will need to download the public key of the release managers, which are currently,
* Friedel Ziegelmayer <dignifiedquire@gmail.com> [`27F50659`](https://pgp.mit.edu/pks/lookup?search=0x27F50659&op=vindex&fingerprint=on).

This comment has been minimized.

@Kubuxu

Kubuxu Feb 8, 2016

Member

It would be better to have full fingerprint here. Short ones are not so good any more.

@Kubuxu

Kubuxu Feb 8, 2016

Member

It would be better to have full fingerprint here. Short ones are not so good any more.

@dignifiedquire

This comment has been minimized.

Show comment
Hide comment
@dignifiedquire

dignifiedquire Feb 8, 2016

Member

sure, curious why are they not good anymore?

Member

dignifiedquire commented Feb 8, 2016

sure, curious why are they not good anymore?

@Kubuxu

This comment has been minimized.

Show comment
Hide comment
@Kubuxu

Kubuxu Feb 8, 2016

Member

There is a list of keys for all short fingerprints generated, if someone will not look at the name and email there is a chance he will download a wrong one from the keyserver.

Member

Kubuxu commented Feb 8, 2016

There is a list of keys for all short fingerprints generated, if someone will not look at the name and email there is a chance he will download a wrong one from the keyserver.

@dignifiedquire

This comment has been minimized.

Show comment
Hide comment
@dignifiedquire

dignifiedquire Feb 8, 2016

Member

thanks @Kubuxu will update with this in mind

Member

dignifiedquire commented Feb 8, 2016

thanks @Kubuxu will update with this in mind

@dignifiedquire dignifiedquire referenced this pull request Feb 8, 2016

Closed

Sprint: February 1 #88

@jbenet

This comment has been minimized.

Show comment
Hide comment
@jbenet

jbenet Feb 8, 2016

Member

Would be nice to have multiple sigs here (like say @whyrusleeping and i both signing off to a release)

Member

jbenet commented Feb 8, 2016

Would be nice to have multiple sigs here (like say @whyrusleeping and i both signing off to a release)

@jbenet

This comment has been minimized.

Show comment
Hide comment
@jbenet

jbenet Feb 8, 2016

Member

@dignifiedquire thank you for leading the charge here! 👍 ❤️

Member

jbenet commented Feb 8, 2016

@dignifiedquire thank you for leading the charge here! 👍 ❤️

@dignifiedquire

This comment has been minimized.

Show comment
Hide comment
@dignifiedquire

dignifiedquire Feb 8, 2016

Member

@jbenet yes need more sigs for sure, but I don't have yours lying around ;) So @jbenet @whyrusleeping please make a PR adding your sigs in here, preferably from a key on your yubikey

Member

dignifiedquire commented Feb 8, 2016

@jbenet yes need more sigs for sure, but I don't have yours lying around ;) So @jbenet @whyrusleeping please make a PR adding your sigs in here, preferably from a key on your yubikey

@whyrusleeping

This comment has been minimized.

Show comment
Hide comment
@dignifiedquire

This comment has been minimized.

Show comment
Hide comment
@dignifiedquire

dignifiedquire Feb 8, 2016

Member

TODO from my side, write up general strategy for review

Member

dignifiedquire commented Feb 8, 2016

TODO from my side, write up general strategy for review

@lgierth lgierth referenced this pull request Feb 10, 2016

Closed

Sprint: February 8 #89

@dignifiedquire dignifiedquire referenced this pull request Feb 15, 2016

Closed

Enforce two factor auth #55

6 of 6 tasks complete
@dignifiedquire

This comment has been minimized.

Show comment
Hide comment
@dignifiedquire

dignifiedquire Feb 15, 2016

Member

@jbenet added first draft of a security doc describing the different parts.

Member

dignifiedquire commented Feb 15, 2016

@jbenet added first draft of a security doc describing the different parts.

* The private key MUST be stored on seperate hardware than the computer used to sign
the release. For convenience something like a [YubiKey](https://www.yubico.com/)
is recommended.
* The key must have a length of at least `2048` bits and of type RSA.

This comment has been minimized.

@dignifiedquire

dignifiedquire Feb 15, 2016

Member

I know that generally keys above 4096 should be used, but right now I haven't found a way to generate those keys on my yubikey. So if someone knows how please let me know and we can increase this.

@dignifiedquire

dignifiedquire Feb 15, 2016

Member

I know that generally keys above 4096 should be used, but right now I haven't found a way to generate those keys on my yubikey. So if someone knows how please let me know and we can increase this.

This comment has been minimized.

@Kubuxu

Kubuxu Feb 15, 2016

Member

Only Yubikey 4 and 4 Nano support RSA 4096 and even not all of them IIRC.

@Kubuxu

Kubuxu Feb 15, 2016

Member

Only Yubikey 4 and 4 Nano support RSA 4096 and even not all of them IIRC.

This comment has been minimized.

@Kubuxu

Kubuxu Jul 18, 2016

Member

We use Neo which supports only 2048.

@Kubuxu

Kubuxu Jul 18, 2016

Member

We use Neo which supports only 2048.

The command for doing this is
```bash
$ gpg --print-md SHA512 $original_file> > $original_file.sha

This comment has been minimized.

@Kubuxu

Kubuxu Feb 15, 2016

Member

How about quoting $original_file and original_file.sha?
I know it is only sample but it is good practice.

@Kubuxu

Kubuxu Feb 15, 2016

Member

How about quoting $original_file and original_file.sha?
I know it is only sample but it is good practice.

```bash
$ gpg --keyserver pgpkeys.mit.edu --recv-key <keyid>
```

This comment has been minimized.

@Kubuxu

Kubuxu Feb 15, 2016

Member

Instead of doing this, which means that user has to import the key and will get warning that files are signed by key he doesn't trust. We could use gpgv/gpgv2 and custom keyring file. See: http://unix.stackexchange.com/a/78476

@Kubuxu

Kubuxu Feb 15, 2016

Member

Instead of doing this, which means that user has to import the key and will get warning that files are signed by key he doesn't trust. We could use gpgv/gpgv2 and custom keyring file. See: http://unix.stackexchange.com/a/78476

This comment has been minimized.

@dignifiedquire

dignifiedquire Feb 15, 2016

Member

So we would distribute a keyring file which includes all the trusted keys? How would we best do that?

@dignifiedquire

dignifiedquire Feb 15, 2016

Member

So we would distribute a keyring file which includes all the trusted keys? How would we best do that?

This comment has been minimized.

@Kubuxu

Kubuxu Feb 15, 2016

Member

Including keyring/IPFS hash with previous distribution wouldn't be that bad of an idea.

Other option is just direct /ipfs/ link on website.

@Kubuxu

Kubuxu Feb 15, 2016

Member

Including keyring/IPFS hash with previous distribution wouldn't be that bad of an idea.

Other option is just direct /ipfs/ link on website.

@diasdavid

This comment has been minimized.

Show comment
Hide comment
@diasdavid

diasdavid Feb 16, 2016

Member

is it > >?

Member

diasdavid commented on SIGNING.md in 01713d8 Feb 16, 2016

is it > >?

This comment has been minimized.

Show comment
Hide comment
@whyrusleeping

whyrusleeping Feb 16, 2016

Member

yeah, theres an extra wocka there

Member

whyrusleeping replied Feb 16, 2016

yeah, theres an extra wocka there

In the following the reference to "tarball" means either a `zip` or `tar.gz` file
depending on the target operating system.
If not stated otherwise "key" refers to a public/private key pair usable for public

This comment has been minimized.

@RichardLitt

RichardLitt Feb 16, 2016

Member

If not stated otherwise**,** "key

@RichardLitt

RichardLitt Feb 16, 2016

Member

If not stated otherwise**,** "key

## 1. `SHA512` Checksum
After the tarball was created, [`gpg`](https://gnupg.org/) is used to generate
the `SHA512` checksum of the tarball and put into a file called `$original_file.sha`.

This comment has been minimized.

@RichardLitt

RichardLitt Feb 16, 2016

Member

and then it is put into

@RichardLitt

RichardLitt Feb 16, 2016

Member

and then it is put into

This comment has been minimized.

@jbenet

jbenet Feb 23, 2016

Member
  • use .sha256 extension
  • Why not use the multihash tool? that way we can ratchet it up.
@jbenet

jbenet Feb 23, 2016

Member
  • use .sha256 extension
  • Why not use the multihash tool? that way we can ratchet it up.
@RichardLitt

This comment has been minimized.

Show comment
Hide comment
@RichardLitt

RichardLitt Feb 16, 2016

Member

LGTM.

Member

RichardLitt commented Feb 16, 2016

LGTM.

@dignifiedquire dignifiedquire referenced this pull request Feb 17, 2016

Merged

Added in a dist blog post draft #21 #23

14 of 15 tasks complete
In order to ensure that downloaded binaries are not compromised we provide
two ways of checking the integrity of the downloaded files.
In the following the reference to "tarball" means either a `zip` or `tar.gz` file

This comment has been minimized.

@jbenet

jbenet Feb 23, 2016

Member

use "archive"

@jbenet

jbenet Feb 23, 2016

Member

use "archive"

is recommended.
* The key must have a length of at least `2048` bits and of type RSA.
* The public key MUST be uploaded to https://pgp.mit.edu/.
* The full fingerprint MUST be listed on the distributions page.

This comment has been minimized.

@jbenet

jbenet Feb 23, 2016

Member
  • it is good to allow users to verify using standard procedures.
  • it would be nice to provide our own route with our own tools. put the keys themselves in the distributions page, distribute the public keys along in the git repo and in the distributions ipfs dag. both are merkle-dags, if there's changes / conflicts, we've got more serious issues.
@jbenet

jbenet Feb 23, 2016

Member
  • it is good to allow users to verify using standard procedures.
  • it would be nice to provide our own route with our own tools. put the keys themselves in the distributions page, distribute the public keys along in the git repo and in the distributions ipfs dag. both are merkle-dags, if there's changes / conflicts, we've got more serious issues.
@djdv

This comment has been minimized.

Show comment
Hide comment
@djdv

djdv Mar 28, 2018

Member

Recently, there has been discussion in other repos about creating source tarballs that could be built offline due to various connection issues (lost hash, geographic censorship).
ipfs/ipget#48 (comment)
ipfs/go-ipfs#4765 (comment)

These releases will have to be signed for user saftey if they are to be ferried by third parties across various boundaries. As such, I simply want to pulse an alert on this issue due to its age and significance.
@whyrusleeping @Kubuxu

Member

djdv commented Mar 28, 2018

Recently, there has been discussion in other repos about creating source tarballs that could be built offline due to various connection issues (lost hash, geographic censorship).
ipfs/ipget#48 (comment)
ipfs/go-ipfs#4765 (comment)

These releases will have to be signed for user saftey if they are to be ferried by third parties across various boundaries. As such, I simply want to pulse an alert on this issue due to its age and significance.
@whyrusleeping @Kubuxu

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment