Description
- This issue is blocking
- This issue is causing unreasonable pain
Currently, the zips/tars produced are not signed, so tools like the install tool cannot check them on download. We have plans for a new acquisition experience through the CLI that will target the zip installers, but we require a mechanism for verifying the bits we are downloading:
dotnet/designs#335
One option would be to sign the releases.json file, but the problem there is that any users not using that json would not get value out of this solution. https://github.com/dotnet/release/issues/1077
Another option would be to create nupkgs that we put the zip files in and sign those, but that would require a lot of the SDK infrastructure to be able to call and download those NuGet packages, and it would not be supportable in an AOT context.
The best option is to create a signature for the zips themselves. We cannot complete the planned feature without this, and this was raised in an early security review of the feature plans.
Ask:
- Add arcade infrastructure to generate a .sig file
- publish the file next to the download (e.g. https://builds.dotnet.microsoft.com/dotnet/Runtime/10.0.0-preview.5.25277.114/dotnet-apphost-pack-10.0.0-preview.5.25277.114-linux-arm.tar.gz.sig)
- publish the public key somewhere (releases.json) so we can do a signature check as outlined here, but apply it to the install scripts and the proposed SDK acquisition: https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet-install-script#signature-validation-of-dotnet-installsh
- Only do this for .NET 10
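The three asks above (a detached `.sig` next to the archive, a public key published in releases.json, and a check on the client) fit together as one small protocol. The block below is an added illustration of that flow, not Arcade code and not the dotnet-install.sh check itself (which uses GPG signatures); it models the pieces with Ed25519 so the whole exchange can be run stand-alone. The `signing-public-key` field in the manifest, the `Manifest` type, and the `SignArchive`/`VerifyDownload` function names are assumptions made for this example, and the archive bytes are a constructed stand-in for a real tarball. One practical caveat worth keeping in mind when wiring this into install scripts: if the client fetches releases.json and the archive from the same origin over the same channel, an attacker who can substitute the archive can often substitute the key too, so the verifier should pin or embed the expected key (or its fingerprint) rather than trust whatever the manifest says at download time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical fragment of releases.json carrying the release
// signing public key. The real releases.json has no such field today; the
// name "signing-public-key" is an assumption for this example.
type Manifest struct {
	Channel          string `json:"channel-version"`
	SigningPublicKey string `json:"signing-public-key"` // base64 Ed25519 public key
}

// SignArchive produces the detached signature that build infrastructure would
// publish as <archive-name>.sig next to the archive. In production the private
// key lives in the signing service, never on the build agent.
func SignArchive(priv ed25519.PrivateKey, archive []byte) []byte {
	return ed25519.Sign(priv, archive)
}

// BuildManifest serialises a manifest that embeds the public key, standing in
// for the releases.json the install script would fetch.
func BuildManifest(pub ed25519.PublicKey) []byte {
	b, err := json.Marshal(Manifest{
		Channel:          "10.0",
		SigningPublicKey: base64.StdEncoding.EncodeToString(pub),
	})
	if err != nil {
		panic(err) // cannot happen for this fixed struct
	}
	return b
}

// VerifyDownload is the client-side check an install script or the SDK
// acquisition CLI would run after fetching the archive, its .sig and the
// manifest. Every malformed input is rejected before the signature is checked,
// and a mismatch returns an error rather than a bool so callers cannot ignore it.
func VerifyDownload(manifestJSON, archive, sig []byte) error {
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return fmt.Errorf("parse manifest: %w", err)
	}
	pub, err := base64.StdEncoding.DecodeString(m.SigningPublicKey)
	if err != nil {
		return fmt.Errorf("decode public key: %w", err)
	}
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("public key has wrong length")
	}
	if len(sig) != ed25519.SignatureSize {
		return errors.New("signature has wrong length")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), archive, sig) {
		return errors.New("signature does not match archive")
	}
	return nil
}

func main() {
	// Release side: key pair, archive, detached signature, manifest.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the bytes of dotnet-apphost-pack-...-linux-arm.tar.gz.
	archive := []byte("constructed archive contents; a real tarball would be used here")
	sig := SignArchive(priv, archive)
	manifest := BuildManifest(pub)

	// Client side: genuine download verifies, tampered bits and a foreign key do not.
	fmt.Println("genuine archive:", VerifyDownload(manifest, archive, sig))
	tampered := append(append([]byte(nil), archive...), 0x00)
	fmt.Println("tampered archive:", VerifyDownload(manifest, tampered, sig))
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong key in manifest:", VerifyDownload(BuildManifest(otherPub), archive, sig))
}
```

Running the block prints `<nil>` for the genuine archive and an error for the tampered archive and for a manifest carrying a different key; the length checks also reject a truncated `.sig`, which is the usual symptom of a partial or interrupted download.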
Non-goals
- downlevel in-support zips
- out of support zips