Signed Releases #373

Closed
quantumpacket opened this issue Jun 7, 2017 · 8 comments

@quantumpacket

Right now official releases, which include upgrades from within Semaphore, are served over HTTPS. However, they are not signed using any organization key.

Considering Semaphore will have SSH access to entire server clusters, often with elevated privileges, it makes sense to ensure the integrity of the software by signing it. I personally would feel uncomfortable running said software with no method to check that the source had not been tampered with, as HTTPS just does not suffice for that.

Git allows you to sign and verify tagged releases, as well as individual commits.

git clone https://github.com/ansible-semaphore/semaphore.git
cd semaphore
git tag -v TAG_NAME

For package downloads, they should be accompanied by a *.asc file, so that users can verify those as well, like so:

wget https://github.com/ansible-semaphore/semaphore/releases/download/vN.N.N/semaphore_linux_amd64
wget https://github.com/ansible-semaphore/semaphore/releases/download/vN.N.N/semaphore_linux_amd64.asc
gpg --verify ./semaphore_linux_amd64.asc ./semaphore_linux_amd64

The same verification check should also be done when performing an upgrade from within Semaphore.

Thoughts?


@matejkramny
Contributor

👍 let's do this!

@matejkramny
Contributor

@quantumpacket I signed the new release; can you check if it's correct?

gpg --verify works on my machine, but maybe I should publish the public key somewhere (it is available here: https://keybase.io/matejkramny).

https://github.com/ansible-semaphore/semaphore/releases/tag/v2.4.0

Thanks!

@matejkramny
Contributor

The upgrade process does not verify the binary (yet). It needs some thought, and I've added it to the roadmap.

@quantumpacket
Author

quantumpacket commented Jun 29, 2017

The tagged release is not being signed:

$ git tag -v v2.4.0
object 12fd522b1ac628c44f252b34c56a4286a74f9ecc
type commit
tag v2.4.0
tagger Matej Kramny <matejkramny@*****.com> 1498730263 +0900

v2.4.0 release
error: no signature found
error: could not verify the tag 'v2.4.0'

Both Source code (zip) and Source code (tar.gz) on the releases page lack an accompanying .asc file. As far as I know GitHub generates those two files, but you can still add signature files for them, as I've seen other projects do.

I verified all the binaries and they all look good:

File: semaphore_darwin_386
gpg: Signature made Thu 29 Jun 2017 07:02:51 AM EDT
gpg:                using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5  A13B DA06 42A6 671F 72FD

File: semaphore_darwin_amd64
gpg: Signature made Thu 29 Jun 2017 07:02:51 AM EDT
gpg:                using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5  A13B DA06 42A6 671F 72FD

File: semaphore_freebsd_386
gpg: Signature made Thu 29 Jun 2017 07:02:52 AM EDT
gpg:                using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5  A13B DA06 42A6 671F 72FD

File: semaphore_freebsd_amd64
gpg: Signature made Thu 29 Jun 2017 07:02:52 AM EDT
gpg:                using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5  A13B DA06 42A6 671F 72FD

File: semaphore_freebsd_arm
gpg: Signature made Thu 29 Jun 2017 07:02:53 AM EDT
gpg:                using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5  A13B DA06 42A6 671F 72FD

File: semaphore_linux_386
gpg: Signature made Thu 29 Jun 2017 07:02:53 AM EDT
gpg:                using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5  A13B DA06 42A6 671F 72FD

File: semaphore_linux_amd64
gpg: Signature made Thu 29 Jun 2017 07:02:54 AM EDT
gpg:                using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5  A13B DA06 42A6 671F 72FD

File: semaphore_linux_arm
gpg: Signature made Thu 29 Jun 2017 07:02:54 AM EDT
gpg:                using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5  A13B DA06 42A6 671F 72FD

File: semaphore_netbsd_386
gpg: Signature made Thu 29 Jun 2017 07:02:55 AM EDT
gpg:                using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5  A13B DA06 42A6 671F 72FD

File: semaphore_netbsd_amd64
gpg: Signature made Thu 29 Jun 2017 07:02:55 AM EDT
gpg:                using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5  A13B DA06 42A6 671F 72FD

File: semaphore_netbsd_arm
gpg: Signature made Thu 29 Jun 2017 07:02:55 AM EDT
gpg:                using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5  A13B DA06 42A6 671F 72FD

File: semaphore_openbsd_386
gpg: Signature made Thu 29 Jun 2017 07:02:56 AM EDT
gpg:                using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5  A13B DA06 42A6 671F 72FD

File: semaphore_openbsd_amd64
gpg: Signature made Thu 29 Jun 2017 07:02:56 AM EDT
gpg:                using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5  A13B DA06 42A6 671F 72FD

File: semaphore_windows_386.exe
gpg: Signature made Thu 29 Jun 2017 07:02:57 AM EDT
gpg:                using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5  A13B DA06 42A6 671F 72FD

File: semaphore_windows_amd64.exe
gpg: Signature made Thu 29 Jun 2017 07:02:57 AM EDT
gpg:                using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5  A13B DA06 42A6 671F 72FD

Thanks for getting this done. I look forward to the implementation of the upgrade verification.

@matejkramny
Contributor

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

is this fixable in any way?

I don't use GPG too much, so I'm guessing that if you wanted to actually verify that it was signed by me, you would have to install something.

I'll update my toolchain to sign commits and look into signing the github released source code.

@quantumpacket
Author

quantumpacket commented Jun 29, 2017

See: https://www.gnupg.org/gph/en/manual/x334.html

It just means I have not marked your key as trusted. That's totally up to the end user as to what level of trust they want to assign to your public key. Ideally we'd exchange keys in person, and based on your level of expertise with GPG I'd change the trust of your key to something more appropriate, unless someone I have marked as trusted, or I myself, signs your key to "vouch" for it as being your key.

Since that's not really feasible in most cases, it's a warning that may be ignored. I would post your key in as many places as can prove you indeed uploaded that key, so it can be compared as best as can be and an impostor key is not being used. So add your key to your GitHub account, your website, etc.
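
The point made in the two comments above (the "not certified" warning is about gpg's web of trust, not about whether the signature is good, and the end user decides what to trust) and the earlier request that the in-app upgrade path verify the binary both come down to the same check. The following is an added example, not Semaphore's code or anything the maintainers posted: it drives `gpg --status-fd` and decides on the machine-readable status lines rather than on the "Good signature" text, accepting only a signature whose primary key fingerprint matches a pinned value. The pinned fingerprint is the one printed in the verification output above; the sample status output, the impostor fingerprint and the timestamps are constructed for the example, and `verify_detached` assumes a `gpg` binary with the release key already imported.

```python
"""Pinned-fingerprint verification of a detached gpg signature.

Added example (not Semaphore's own code).  gpg's human-readable output
("Good signature ... WARNING: This key is not certified") is for people;
a program should read the machine-readable lines from --status-fd and
decide for itself which key it trusts, by comparing the signing key's
fingerprint against a value obtained out of band.  That also makes the
web-of-trust warning moot: trust is decided here, not by gpg's trustdb.
"""
from dataclasses import dataclass
from typing import Iterable, Optional
import subprocess

# Primary key fingerprint from the verification output in the thread, spaces
# removed.  Whoever deploys this must confirm the value out of band (keybase,
# project site, GitHub profile) before pinning it.
PINNED_RELEASE_KEYS = {"00611CCB525F33EAC7C5A13BDA0642A6671F72FD"}

STATUS_PREFIX = "[GNUPG:] "

# Any of these on --status-fd means "do not trust this file", even if a
# VALIDSIG line is also present (gpg still emits VALIDSIG for signatures by
# expired or revoked keys, with EXPKEYSIG/REVKEYSIG in place of GOODSIG).
FATAL_STATUS = ("BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY",
                "EXPSIG", "EXPKEYSIG", "REVKEYSIG")


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None


def parse_status(status_text: str) -> dict:
    """Group gpg status lines by keyword: {"VALIDSIG": [[fields...]], ...}."""
    found: dict = {}
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable text or noise, ignore
        fields = line[len(STATUS_PREFIX):].split()
        if fields:
            found.setdefault(fields[0], []).append(fields[1:])
    return found


def decide(status_text: str, pinned: Iterable[str]) -> VerifyResult:
    """Accept only a single valid signature made under a pinned primary key."""
    pinned_set = {p.replace(" ", "").upper() for p in pinned}
    st = parse_status(status_text)
    for kw in FATAL_STATUS:
        if kw in st:
            return VerifyResult(False, f"gpg reported {kw}")
    validsig = st.get("VALIDSIG", [])
    if len(validsig) != 1:
        return VerifyResult(False, f"expected exactly one VALIDSIG, got {len(validsig)}")
    fields = validsig[0]
    # VALIDSIG <fpr> <date> <ts> <expiry-ts> <sig-ver> <reserved> <pubkey-algo>
    #          <hash-algo> <sig-class> [<primary-key-fpr>]
    # The trailing field names the primary key even when a subkey signed;
    # that is the value worth pinning.
    signing_fpr = fields[0].upper()
    primary_fpr = fields[9].upper() if len(fields) > 9 else signing_fpr
    if primary_fpr not in pinned_set:
        return VerifyResult(False, f"valid signature, but from unpinned key {primary_fpr}", primary_fpr)
    # TRUST_UNDEFINED and friends are deliberately ignored: trust came from the pin.
    return VerifyResult(True, "valid signature from pinned key", primary_fpr)


def verify_detached(sig_path: str, data_path: str,
                    pinned: Iterable[str] = PINNED_RELEASE_KEYS,
                    gpg: str = "gpg") -> VerifyResult:
    """Run gpg (must be installed, key imported) and decide on its status lines."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return decide(proc.stdout, pinned)


# Constructed status output so the example runs without gpg.  Key id and
# fingerprint are the ones from the thread; timestamps are illustrative.
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DA0642A6671F72FD Matej Kramny (new key) <matej@****.me>
[GNUPG:] VALIDSIG 00611CCB525F33EAC7C5A13BDA0642A6671F72FD 2017-06-29 1498734174 0 4 0 1 8 00 00611CCB525F33EAC7C5A13BDA0642A6671F72FD
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Same file with one byte changed: the signature no longer matches.
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG DA0642A6671F72FD Matej Kramny (new key) <matej@****.me>
"""
# Valid signature from a hypothetical impostor key that is in the keyring but
# not pinned (fingerprint made up for the example).
IMPOSTOR = "1111222233334444555566667777888899990000"
SAMPLE_UNPINNED = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7777888899990000 Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG {IMPOSTOR} 2017-06-29 1498734174 0 4 0 1 8 00 {IMPOSTOR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD), ("unpinned", SAMPLE_UNPINNED)):
        r = decide(sample, PINNED_RELEASE_KEYS)
        print(f"{name:9s} ok={r.ok} {r.reason}")
```

For the in-app upgrade path the same `decide` call would sit behind the download step, with the pinned fingerprint compiled into the binary rather than read from the same server the update came from; otherwise an attacker who controls the download also controls the trust anchor.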

@twhiston twhiston added the 2.6.0 label Feb 19, 2018
@twhiston
Contributor

This could be dealt with by using goreleaser (as well as other distribution methods such as deb/rpm files), so this issue should be dealt with at the point where we refactor the make scripts and the build/release process.

@twhiston twhiston removed the 2.6.0 label Mar 27, 2018
@twhiston
Contributor

Done in current develop; all test artifacts and releases are signed with the new gpg key.
