Document the release signature public key #121
Comments
Oh, sorry, it's my personal GPG key:
It's the same one we're using for restic's releases. I have ideas to move to something else, like Does that help?
Hey, thanks for clarifying! I initially created this issue because I think it is helpful to document this in the README.md or something like that, but I wasn't sure how this ties into the restic documentation itself, so I didn't specify this further. This solves this for me and at least will turn up in searches, so I guess this can be closed for now. Thanks again!
I like the idea of verifying the integrity of applications I download from the internet. So I was very happy to see that restic does provide SHA256 checksums which are signed with the maintainer's PGP key. The only thing I miss: I could not find a direct way to download the used PGP key and verify the key's fingerprint. Doing some searches, I found:
* restic/rest-server#121
* https://restic.net/blog/2015-09-16/verifying-code-archive-integrity/
To help other restic users, I think you should add information about your PGP key/fingerprint to this installation doc, too. To save you some precious time, I created a draft of how this doc might be expanded in this pull request. You are free to accept it or change the text to your liking. I copied the key/fingerprint text from: ``restic/restic/master/doc/090_participating.rst`` Thank you for your work in restic!
Thank you for the 0.10.0 release! I was wondering what public key is used to sign the checksums of the release files. Right now I'm only checking the hash of the downloaded source file in my Dockerfile, but I'd prefer simply verifying the signature of the SHA256SUMS.asc file. I looked around for a bit, but couldn't find anything on which public key is used to sign the file.
What should rest-server do differently?
It should document which public key to use to verify release binaries via the SHA256SUMS.asc.
What are you trying to do? What is your use case?
I'm verifying the authenticity of downloaded files on automated Docker builds. Right now, I always have to update the version/git ref, check the source archive for potentially malicious changes and update the source archive hash in the Dockerfile. If I had a trusted public key, I'd only need to update the version code and the build should succeed without any further changes, because I can (more or less 😉) trust that the release was done by an actual maintainer.
Sidenote: I'm by no means suggesting that the releases are not trustworthy! This would simply be a much more solid way to build my containers. Apologies if I simply missed the documentation of the public key.
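The verification flow the issue asks for, as an added example that is not rest-server's or restic's own tooling: it assumes gpg and sha256sum are installed and that the pinned fingerprint and the key file come from the project's documentation rather than from the download server; the self-test stands in a throwaway key and a constructed archive for the real release assets.

```shell
#!/bin/sh
# Added example, not rest-server's or restic's own tooling: verify a release
# as the issue describes, with the signing key pinned by fingerprint.
set -eu
# verify_release PINNED_FPR KEYFILE SUMS SIG ARCHIVE
# Imports KEYFILE into a throwaway keyring and checks the detached signature
# on SUMS, then requires that the key which made it is the pinned one: a bare
# `gpg --verify` succeeds for *any* key in the keyring, so the fingerprint
# comparison is the step that actually carries the trust.
verify_release() {
  pinned=$1 keyfile=$2 sums=$3 sig=$4 archive=$5
  home=$(mktemp -d)
  GNUPGHOME=$home gpg --batch --quiet --import "$keyfile" 2>/dev/null || true
  # --status-fd yields machine-readable lines; the last VALIDSIG field is the
  # primary key fingerprint, which is the value documentation pins.
  signer=$(GNUPGHOME=$home gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null |
           awk '/^\[GNUPG:\] VALIDSIG / {print $NF}')
  rm -rf "$home"
  [ -n "$signer" ] && [ "$signer" = "$pinned" ] ||
    { echo "signature check failed: signer '${signer:-none}', pinned '$pinned'" >&2; return 1; }
  # SHA256SUMS lines are "<hex>  <name>" (or "<hex> *<name>" in binary mode).
  expected=$(awk -v f="$(basename "$archive")" '{sub(/^\*/, "", $2)} $2 == f {print $1}' "$sums")
  actual=$(sha256sum "$archive" | awk '{print $1}')
  [ -n "$expected" ] && [ "$expected" = "$actual" ] ||
    { echo "checksum mismatch for $archive" >&2; return 1; }
  echo "ok: $archive matches SHA256SUMS signed by $pinned"
}

# Offline self-test with a throwaway key and a constructed stand-in archive:
# verification must pass for the throwaway fingerprint and fail for any other.
selftest() {
  work=$(mktemp -d); signer=$work/signer; mkdir -m 700 "$signer"
  GNUPGHOME=$signer gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Throwaway <signer@example.invalid>' ed25519 sign 0 2>/dev/null
  fpr=$(GNUPGHOME=$signer gpg --batch --with-colons --list-keys |
        awk -F: '$1 == "fpr" {print $10; exit}')
  GNUPGHOME=$signer gpg --batch --armor --export > "$work/release-key.asc"
  printf 'constructed stand-in for a release tarball\n' > "$work/rest-server-0.10.0.tar.gz"
  (cd "$work" && sha256sum rest-server-0.10.0.tar.gz > SHA256SUMS)
  GNUPGHOME=$signer gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output "$work/SHA256SUMS.asc" "$work/SHA256SUMS" 2>/dev/null
  set -- "$work/release-key.asc" "$work/SHA256SUMS" "$work/SHA256SUMS.asc" "$work/rest-server-0.10.0.tar.gz"
  verify_release "$fpr" "$@" || return 1
  # Valid signature, wrong pin: must still be rejected.
  ! verify_release 0000000000000000000000000000000000000000 "$@" 2>/dev/null || return 1
  rm -rf "$work"
}

if [ "${1:-}" = "--selftest" ]; then selftest; fi
```

Run it as `sh verify-release.sh --selftest` to exercise the flow offline; in a Dockerfile you would call `verify_release` with the documented fingerprint, the downloaded key file, SHA256SUMS, SHA256SUMS.asc and the archive.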