feat: Setup code signing for all packages using opgenpgp #51

Open
wants to merge 4 commits into
from

Projects

None yet

6 participants

@dignifiedquire
Member

Update: Added process references
Update: Added sha512 checksums

I've setup a pgp on my yubikey that is used for the code signing process. This process generates pgp signatures for every single tar/zip file and adds them to directory. As in the description explained they can be verified by running

$ gpg --verify file.tar.gz.asc file.tar.gz

if the key is present.

Ref ipfs/go-ipfs#957

References

Key Management

Setup

  • Every developer (currently me) who has the right to sign releases generates a pgp key, stored on dedicated hardware like a yubikey
  • The fingerprint is added to dist.ipfs.io
  • The public key is uploaded to https://pgp.mit.edu/ for ease of distribution

Verification

  • The user who downloads from dist.ipfs.io can fetch the listed public keys listed from https://pgp.mit.edu/ and add them to their keyring
  • The user downloads the signature + file
  • The user uses pgp + signature to verify the file

Checksums

In addition to the signatures there are also file.sha files containing the sha512 checksum of the packages.

@Kubuxu Kubuxu commented on an outdated diff Feb 8, 2016
site/public/_about.md
@@ -16,3 +16,21 @@ page with,
The `All Versions` link on each distribution shows directory listings for all the available versions, and a `versions` file ([example](http://dist.ipfs.io/go-ipfs/versions)). This file can be used by tools, such as [ipfs-update](#ipfs-update), to find all the available versions and download the latest.
The directory listing of each version ([example](http://dist.ipfs.io/go-ipfs/v0.3.11)) has all the platform archives (`.zip` or `.tar.gz`), a `README.md` and a `dist.json` which describe the release for humans and machines. It is meant to be easily consumed and used by tools.
+
+##### Code Signing
+
+All releases are signed using [OpenPGP](http://www.openpgp.org/). You can verify this by running
+
+```bash
+$ gpg --verify go-ipfs.tar.gz.asc go-ipfs.tar.gz
+```
+
+You will need to download the public key of the release managers, which are currently,
+
+* Friedel Ziegelmayer <dignifiedquire@gmail.com> [`27F50659`](https://pgp.mit.edu/pks/lookup?search=0x27F50659&op=vindex&fingerprint=on).
@Kubuxu
Kubuxu Feb 8, 2016 Member

It would be better to have full fingerprint here. Short ones are not so good any more.

@dignifiedquire
Member

sure, curious why are they not good anymore?

@Kubuxu
Member
Kubuxu commented Feb 8, 2016

There is a list of keys for all short fingerprints generated, if someone will not look at the name and email there is a chance he will download a wrong one from the keyserver.

@dignifiedquire
Member

thanks @Kubuxu will update with this in mind

@dignifiedquire dignifiedquire referenced this pull request in ipfs/pm Feb 8, 2016
Closed

Sprint: February 1 #88

@jbenet
Member
jbenet commented Feb 8, 2016

Would be nice to have multiple sigs here (like say @whyrusleeping and i both signing off to a release)

@jbenet
Member
jbenet commented Feb 8, 2016

@dignifiedquire thank you for leading the charge here! 👍 ❤️

@dignifiedquire
Member

@jbenet yes need more sigs for sure, but I don't have yours lying around ;) So @jbenet @whyrusleeping please make a PR adding your sigs in here, preferably from a key on your yubikey

@dignifiedquire
Member

TODO from my side, write up general strategy for review

This was referenced Feb 10, 2016
@dignifiedquire
Member

@jbenet added first draft of a security doc describing the different parts.

dignifiedquire added some commits Feb 8, 2016
@dignifiedquire dignifiedquire feat: Setup code signing for all packages using opgenpgp 3016580
@dignifiedquire dignifiedquire feat: Generate sha512 checksum f369b6e
@dignifiedquire dignifiedquire Use full fingerprints 038207b
@dignifiedquire dignifiedquire Add draft of signing document
01713d8
@dignifiedquire dignifiedquire commented on the diff Feb 15, 2016
SIGNING.md
+The command for doing this is
+
+```bash
+$ gpg --armor --output $original_file.asc --detach-sig $original_file
+```
+
+## Trusted Developer Keys
+
+These keys are the ones used to sign tarballs and used to verify their integrity.
+
+### Required properties of the keys
+
+* The private key MUST be stored on seperate hardware than the computer used to sign
+ the release. For convenience something like a [YubiKey](https://www.yubico.com/)
+ is recommended.
+* The key must have a length of at least `2048` bits and of type RSA.
@dignifiedquire
dignifiedquire Feb 15, 2016 Member

I know that generally keys above 4096 should be used, but right now I haven't found a way to generate those keys on my yubikey. So if someone knows how please let me know and we can increase this.

@Kubuxu
Kubuxu Feb 15, 2016 Member

Only Yubikey 4 and 4 Nano support RSA 4096 and even not all of them IIRC.

@Kubuxu
Kubuxu Jul 18, 2016 Member

We use Neo which supports only 2048.

@Kubuxu Kubuxu commented on the diff Feb 15, 2016
SIGNING.md
+In order to ensure that downloaded binaries are not compromised we provide
+two ways of checking the integrity of the downloaded files.
+
+In the following the reference to "tarball" means either a `zip` or `tar.gz` file
+depending on the target operating system.
+If not stated otherwise "key" refers to a public/private key pair usable for public
+key cryptography.
+
+## 1. `SHA512` Checksum
+
+After the tarball was created, [`gpg`](https://gnupg.org/) is used to generate
+the `SHA512` checksum of the tarball and put into a file called `$original_file.sha`.
+The command for doing this is
+
+```bash
+$ gpg --print-md SHA512 $original_file> > $original_file.sha
@Kubuxu
Kubuxu Feb 15, 2016 Member

How about quoting $original_file and original_file.sha?
I know it is only sample but it is good practice.

@Kubuxu Kubuxu commented on the diff Feb 15, 2016
site/public/_about.md
+
+All releases are signed using [OpenPGP](http://www.openpgp.org/). You can verify this by running
+
+```bash
+$ gpg --verify go-ipfs.tar.gz.asc go-ipfs.tar.gz
+```
+
+You will need to download the public key of the release managers, which are currently,
+
+* Friedel Ziegelmayer <dignifiedquire@gmail.com> [`E2C5 3DFE 7CBA 9864 38B9 88D9 0741 3B8A 27F5 0659`](https://pgp.mit.edu/pks/lookup?search=0xE2C53DFE7CBA986438B988D907413B8A27F50659&op=index&fingerprint=on&exact=on).
+
+The command for this is
+
+```bash
+$ gpg --keyserver pgpkeys.mit.edu --recv-key <keyid>
+```
@Kubuxu
Kubuxu Feb 15, 2016 Member

Instead of doing this, which means that user has to import the key and will get warning that files are signed by key he doesn't trust. We could use gpgv/gpgv2 and custom keyring file. See: http://unix.stackexchange.com/a/78476

@dignifiedquire
dignifiedquire Feb 15, 2016 Member

So we would distribute a keyring file which includes all the trusted keys? How would we best do that?

@Kubuxu
Kubuxu Feb 15, 2016 Member

Including keyring/IPFS hash with previous distribution wouldn't be that bad of an idea.

Other option is just direct /ipfs/ link on website.

@diasdavid
Member

is it > >?

Member

yeah, theres an extra wocka there

@RichardLitt RichardLitt commented on the diff Feb 16, 2016
SIGNING.md
@@ -0,0 +1,56 @@
+# Signing and Security
+
+In order to ensure that downloaded binaries are not compromised we provide
+two ways of checking the integrity of the downloaded files.
+
+In the following the reference to "tarball" means either a `zip` or `tar.gz` file
+depending on the target operating system.
+If not stated otherwise "key" refers to a public/private key pair usable for public
@RichardLitt
RichardLitt Feb 16, 2016 Member

If not stated otherwise**,** "key

@RichardLitt RichardLitt commented on the diff Feb 16, 2016
SIGNING.md
@@ -0,0 +1,56 @@
+# Signing and Security
+
+In order to ensure that downloaded binaries are not compromised we provide
+two ways of checking the integrity of the downloaded files.
+
+In the following the reference to "tarball" means either a `zip` or `tar.gz` file
+depending on the target operating system.
+If not stated otherwise "key" refers to a public/private key pair usable for public
+key cryptography.
+
+## 1. `SHA512` Checksum
+
+After the tarball was created, [`gpg`](https://gnupg.org/) is used to generate
+the `SHA512` checksum of the tarball and put into a file called `$original_file.sha`.
@RichardLitt
RichardLitt Feb 16, 2016 Member

and then it is put into

@jbenet
jbenet Feb 23, 2016 Member
  • use .sha256 extension
  • Why not use the multihash tool? that way we can ratchet it up.
@RichardLitt
Member

LGTM.

@jbenet jbenet commented on the diff Feb 23, 2016
SIGNING.md
@@ -0,0 +1,56 @@
+# Signing and Security
+
+In order to ensure that downloaded binaries are not compromised we provide
+two ways of checking the integrity of the downloaded files.
+
+In the following the reference to "tarball" means either a `zip` or `tar.gz` file
@jbenet
jbenet Feb 23, 2016 Member

use "archive"

@jbenet jbenet commented on the diff Feb 23, 2016
SIGNING.md
+```bash
+$ gpg --armor --output $original_file.asc --detach-sig $original_file
+```
+
+## Trusted Developer Keys
+
+These keys are the ones used to sign tarballs and used to verify their integrity.
+
+### Required properties of the keys
+
+* The private key MUST be stored on seperate hardware than the computer used to sign
+ the release. For convenience something like a [YubiKey](https://www.yubico.com/)
+ is recommended.
+* The key must have a length of at least `2048` bits and of type RSA.
+* The public key MUST be uploaded to https://pgp.mit.edu/.
+* The full fingerprint MUST be listed on the distributions page.
@jbenet
jbenet Feb 23, 2016 Member
  • it is good to allow users to verify using standard procedures.
  • it would be nice to provide our own route with our own tools. put the keys themselves in the distributions page, distribute the public keys along in the git repo and in the distributions ipfs dag. both are merkle-dags, if there's changes / conflicts, we've got more serious issues.
@RichardLitt RichardLitt referenced this pull request in ipfs/ipfs Mar 5, 2016
Open

IPFS Weekly Updates #151

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment