Document the release signature public key #121

Closed
strayer opened this issue Sep 14, 2020 · 2 comments
Comments

@strayer

strayer commented Sep 14, 2020

Thank you for the 0.10.0 release! I was wondering what public key is used to sign the checksums of the release files. Right now I'm only checking the hash of the downloaded source file in my Dockerfile, but I'd prefer simply verifying the signature of the SHA256SUMS.asc file. I looked around for a bit, but couldn't find anything on which public key is used to sign the file.

What should rest-server do differently?

It should document which public key to use to verify release binaries via the SHA256SUMS.asc.

What are you trying to do? What is your use case?

I'm verifying the authenticity of downloaded files on automated Docker builds. Right now, I always have to update the version/git ref, check the source archive for potentially malicious changes and update the source archive hash in the Dockerfile. If I had a trusted public key, I'd only need to update the version code and the build should succeed without any further changes because I can (more or less 😉) trust that the release was done by an actual maintainer.

Sidenote: I'm by no means suggesting that the releases are not trustworthy! This would simply be a much more solid way to build my containers. Apologies if I simply missed the documentation of the public key.

@fd0
Member

fd0 commented Sep 14, 2020

Oh, sorry, it's my personal GPG key:

pub   rsa4096/91A6868BD3F7A907 2014-11-01 [SC]
      Key fingerprint = CF8F 18F2 8445 7597 3F79  D4E1 91A6 868B D3F7 A907
uid                 [ unknown] Alexander Neumann <alexander@bumpern.de>
sub   rsa4096/D5FC2ACF4043FDF1 2014-11-01 [E]

It's the same one we're using for restic's releases. I have ideas to move to something else, like minisign, but for now it's GPG.

Does that help?
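One way to use that fingerprint from an automated build, as an added example that is not part of this thread or of rest-server: the key is pinned by its full fingerprint and the gpg status output is checked for a VALIDSIG naming that key, rather than grepping for "Good signature". It assumes SHA256SUMS.asc is a detached signature over SHA256SUMS and that the key can be fetched from keys.openpgp.org; both are assumptions, not stated in the thread.

```shell
#!/bin/sh
# Added example, not from the issue or from rest-server: verify a release by
# pinning the maintainer's full key fingerprint instead of grepping for
# "Good signature". The fingerprint is the one fd0 posted in this thread.
RESTIC_FPR="CF8F 18F2 8445 7597 3F79  D4E1 91A6 868B D3F7 A907"

# Drop the spaces gpg prints and upper-case, giving the bare hex form gpg
# uses on its machine-readable status lines.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read gpg --status-fd output on stdin; succeed only if a VALIDSIG line names
# the pinned key, as the signing (sub)key (first field) or as the primary key
# (last field). GOODSIG alone only says "some key in the keyring signed it".
check_validsig() {
    want=$(normalize_fpr "$1")
    found=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                set -- ${line#"[GNUPG:] VALIDSIG "}   # hex and digits only
                signer=$1
                for primary; do :; done               # last positional param
                if [ "$signer" = "$want" ] || [ "$primary" = "$want" ]; then
                    found=0
                fi
                ;;
        esac
    done
    return $found
}

# Procedure for a Dockerfile RUN step (defined, not run here). Assumes a
# detached SHA256SUMS.asc over SHA256SUMS, the release archive in the current
# directory, and that the key is published on keys.openpgp.org (assumption).
verify_release() {
    sums=$1
    sig=$2
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    fpr=$(normalize_fpr "$RESTIC_FPR")
    gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$fpr" \
        || return 1
    gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null \
        | check_validsig "$fpr" || return 1
    sha256sum -c --ignore-missing "$sums"
}
```

Call it as `verify_release SHA256SUMS SHA256SUMS.asc` after downloading the archive and both files; the fresh GNUPGHOME means only the pinned key can ever produce a VALIDSIG.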

@strayer
Author

strayer commented Sep 22, 2020

Hey, thanks for clarifying! I initially created this issue because I think it is helpful to document this in the README.md or something like that, but I wasn't sure how this ties into the restic documentation itself, so I didn't specify this further.

This solves this for me and at least will turn up in searches, so I guess this can be closed for now. Thanks again!

strayer closed this as completed Sep 22, 2020
palbr added a commit to palbr/restic that referenced this issue Dec 13, 2020
I like the idea of verifying the integrity of applications I download from the internet. So I was very happy to see that restic does provide SHA256 checksums which are signed with the maintainer's PGP key.

The only thing I miss: I could not find a direct way to download the used PGP key and verify the key's fingerprint.

Doing some searches, I found:
* restic/rest-server#121
* https://restic.net/blog/2015-09-16/verifying-code-archive-integrity/

To help other restic users, I think you should add information about your PGP key/fingerprint to this installation doc, too. To save you some precious time, I created a draft of how this doc might be expanded in this pull request. You are free to accept it or change the text to your liking.

I copied the key/fingerprint text from: ``restic/restic/master/doc/090_participating.rst``

Thank you for your work in restic!
metalsp0rk pushed a commit to metalsp0rk/restic that referenced this issue Dec 7, 2021
MichaelEischer pushed a commit to MichaelEischer/restic that referenced this issue Dec 27, 2021
mfrischknecht pushed a commit to mfrischknecht/restic that referenced this issue Jun 14, 2022