Generate checksum
diegobernardes opened this issue · 7 comments
Could you guys generate the checksum in each release? Something like gosu does
@diegobernardes thanks for the issue! Would you be okay with checksums (e.g. SHA256 for both the binary and the Debian package posted on the GitHub releases page) or would you need actual GPG signatures?
I'm only asking because checksums would be easier to add. I'm happy to GPG-sign any releases with my own key, but we'd probably want to set up a project signing key for when others make a release. And that would be a little harder (but probably not impossible).
@chriskuehl SHA256 is ok, just to verify inside the docker container if everything is fine.
thanks 👍
Signatures are preferable for me if you don't mind. GPG signatures help to verify the author and not just the contents.
If there were a GPG signature I'd use it, but I'm completely fine with SHA256.
The gosu scripts seem simple enough:
We discussed this internally a bit. GPG keys are a bit tricky for us to deal with since we'd have to find a way to securely store/distribute them among team members.
For now we've updated our release steps to also include uploading sha256sums along with the binaries, and I've also uploaded sums for the latest release (1.0.1): https://github.com/Yelp/dumb-init/releases/download/v1.0.1/sha256sums
I hope this will help with most of the concerns about binary integrity.
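As an added example (not from the dumb-init project and not posted by anyone in this thread), the following POSIX shell script shows how a consumer would check a downloaded binary against a `sha256sums` file before using it, e.g. in a Docker build step. It assumes the sums file uses `sha256sum`'s `<hex digest>  <filename>` format (an optional leading `*` on the filename is tolerated) and that either `sha256sum` or `shasum` is on PATH; the "binary" and its digest in the demo are constructed on the fly, not real release artifacts.

```shell
#!/bin/sh
# Added example (not dumb-init project code): verify a downloaded file
# against a published sha256sums file before using it.
# Assumption: the sums file is in sha256sum format ("<digest>  <filename>").
set -eu

# Pick a SHA-256 tool: GNU coreutils sha256sum, or perl shasum on macOS/BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum <file> <sha256sums-file>
# Returns 0 if the file's digest matches the entry for its basename,
# 1 if the digest differs or the file has no entry at all.
verify_checksum() {
    file=$1
    sums=$2
    name=$(basename "$file")
    # Strip a leading "*" (binary-mode marker) before comparing names.
    expected=$(awk -v n="$name" '{ sub(/^\*/, "", $2) } $2 == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    echo "checksum OK for $name"
}

# Demo with constructed data: a fake binary plus a sums file generated from
# it must verify; the same file with bytes appended must be rejected.
demo() {
    dir=$(mktemp -d)
    printf 'not really a binary\n' > "$dir/dumb-init_demo_amd64"
    printf '%s  dumb-init_demo_amd64\n' "$(sha256_of "$dir/dumb-init_demo_amd64")" > "$dir/sha256sums"
    verify_checksum "$dir/dumb-init_demo_amd64" "$dir/sha256sums"
    ok=$?
    printf 'tampered\n' >> "$dir/dumb-init_demo_amd64"
    if verify_checksum "$dir/dumb-init_demo_amd64" "$dir/sha256sums"; then
        tampered=0
    else
        tampered=1
    fi
    rm -rf "$dir"
    [ "$ok" -eq 0 ] && [ "$tampered" -eq 1 ]
}

if demo; then
    echo "demo passed: intact file verified, tampered file rejected"
else
    echo "demo failed" >&2
    exit 1
fi
```

In a Dockerfile the same check is one `RUN` step: fetch the binary and `sha256sums` into the same directory, call `verify_checksum` on the binary, and let the build fail on a non-zero exit so a corrupted or swapped download never makes it into the image.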
One way you could handle a team-shared release key is for there to be one key for signing releases. And then each team member having their own GPG keys. Then encrypt the release key with each of the team member's GPG keys. This allows any team member to decrypt the release key when the time comes. I could provide some sample commands if there's any interest.
SHA1s are good enough for me to validate contents as well.