-
-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document Secure Download Verification (Cryptographic Signatures, PGP, GPG) #7257
Comments
Thank you for your comments. You can find my key on
I take your point about uploading it to as many possible places as possible and I need to update the key on my website and make it easier to find. Once thing I was considering was having a separate key for the rclone releases. For a few years at least I'd need to sign the sums with both keys (which I think you can do with gpg). Having a separate key would mean that I could pass on the release role to someone else if necessary. Your thoughts on that would be appreciated. |
Thanks for the quick reply :)
I think it would be a good idea to mint a key that's specific to signing releases from the rclone project. If you do this, please follow best-practices by minting a key that is:
That would be a good idea, but I think it's optional. What is required when changing keys is to write a Ideally you'd give a transition period of 1-6 months where (after you publish the Key Transition Statement), releases are signed by both keys. After that, just sign with your new release key. Riseup has a good guide/template on Key Transition Statements: I also recommend reading their OpenPGP Best Practices Guide Here's an example Key Transition Statement: |
Here's an example of a documentation page that enumerates all the places that a user can download (cross-check) a project's release signing key on TOFU |
Thanks - great links - will study further. The feature Great idea about signing the new key with the old - I should definitely do that with my other gpg key which I use for signing gpg commits on github. I noticed just now you can get keys from GitHub too |
@ncw it's actually not possible for
Note the above output
|
Many large organizations sign their releases with PGP. Here's some other best-practices guides that they've written which you may want to skim. |
I've updated that key - can you check it again for me please? https://www.craig-wood.com/nick/pub/pgp-key.txt Its the same key just format converted. This seems to work when I try it. I've also uploaded to
|
I was able to download the file linked-to above and import it into my GPG keyring on Debian 11. In fact, the file's public key block contains two public keys
The first key The new key |
I'm going to upload a doc which describes the release signing process and how to get and verify the keys as part of the v1.64 release. You'll find links on the downloads and install pages. If you think it needs any changes I'd be grateful for feedback. Thank you for your very informative comments above. |
@ncw Excellent work! Thank you so much for prioritizing this <3 For others, the new documentation can be found here: I have one nitpick: currently it's not clear exactly where to download the (signed) hash files.
I see in the commands that follow a URL is given, but a user won't be able to use that command unless they already have Perhaps you can make |
Those rclone commands wlll translate very easily to
Good idea. Do you want to send a PR to adjust any / all of that? This is the master file https://github.com/rclone/rclone/blob/master/docs/content/release_signing.md (nothing else needs editing). You can even edit in the browser - click the pencil icon! |
This ticket is a request to:
Why?
It's possible for a very powerful adversary to comprimise your release infrastructure (or the infrastructure between the server and the client) and get a new rclone user to download a malicious version of the release, signature, and the release signing key -- but it's exponentially more difficult for them to comprimise multiple distinct domains.
Here's a great list of historically relevant cases where this has already happened to other open-source projects:
This risk can nearly be completely eliminated by uploading your key to as many distinct domains as possible.
Part One: Making key available out-of-band
GitHub
Please upload your public key to some connoncial URL of one of your github repos. I'd suggest using a
KEYS
file in the root of yourrclone
repo, per the Apache standardrclone.org
Please upload your public key to some permalink on your website.
/KEYS
or/key.txt
would be a reasonable location.craig-wood.com
SKS Keyservers
Please upload your key to an SKS keyserver. For example:
https://keys.openpgp.org/
keys.openpgp.org is a newer keyserver that doesn't sync with the others, and it strips UIDs and signatures by default for privacy and to resist certificate spamming attacks
Please upload your PGP key to keys.openpgp.org
Twitter
Please add your public keys' full fingerprint to the account description of your twitter account
reddit
Please add your public keys' full fingerprint to the sidebar of your subreddit:
Other domains
I do recommend adding your key to as many other domains as possible, including:
The more domains you upload it to, the better.
Part Two & Three: Documenting it
After uploading your public key and/or full fingerprint to as many distinct domains as possible, please update the project's documentation to enumerate all of these locations and write a paragraph describing how the user can mitigate the risk of compromised infrastructure by cross-checking the integrity of the key across multiple domains.
The above pages should also document how a user can use GPG to verify that a given release is cryptographically authentic after downloading it.
The text was updated successfully, but these errors were encountered: