Signed Releases
quantumpacket opened this issue · 8 comments
Right now official releases, which include upgrades from within Semaphore, are served over HTTPS. However, they are not signed using any organization key.
Considering Semaphore will have SSH access to entire server clusters and often with elevated privileges it makes sense to ensure the integrity of the software by signing it. I personally would feel uncomfortable running said software with no method to check that the source had not been tampered with, as HTTPS just does not suffice for that.
Git allows you to sign and verify tagged releases, as well as individual commits.
git clone https://github.com/ansible-semaphore/semaphore.git
cd semaphore
git tag -v TAG_NAME
For package downloads, they should be accompanied with a *.asc file, so that users can verify those as well like so:
wget https://github.com/ansible-semaphore/semaphore/releases/download/vN.N.N/semaphore_linux_amd64
wget https://github.com/ansible-semaphore/semaphore/releases/download/vN.N.N/semaphore_linux_amd64.asc
gpg --verify ./semaphore_linux_amd64.asc ./semaphore_linux_amd64
The same verification check should also be done when performing an upgrade from within Semaphore.
Thoughts?
References:
👍 let's do this!
@quantumpacket signed the new release, can you check if it's correct?
gpg --verify works on my machine but maybe I should publish the public key somewhere (available here: https://keybase.io/matejkramny).
https://github.com/ansible-semaphore/semaphore/releases/tag/v2.4.0
Thanks!
The upgrade process does not verify the binary (yet). It needs some thought; added it to the roadmap.
The tagged release is not being signed:
$ git tag -v v2.4.0
object 12fd522b1ac628c44f252b34c56a4286a74f9ecc
type commit
tag v2.4.0
tagger Matej Kramny <matejkramny@*****.com> 1498730263 +0900
v2.4.0 release
error: no signature found
error: could not verify the tag 'v2.4.0'
Both Source code (zip) and Source code (tar.gz) on the releases page do not have an accompanying .asc file. As far as I know GitHub generates those two files, but you can still add signature files for them, as I've seen other projects do it that way.
I verified all the binaries and they all look good:
File: semaphore_darwin_386
gpg: Signature made Thu 29 Jun 2017 07:02:51 AM EDT
gpg: using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5 A13B DA06 42A6 671F 72FD
File: semaphore_darwin_amd64
gpg: Signature made Thu 29 Jun 2017 07:02:51 AM EDT
gpg: using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5 A13B DA06 42A6 671F 72FD
File: semaphore_freebsd_386
gpg: Signature made Thu 29 Jun 2017 07:02:52 AM EDT
gpg: using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5 A13B DA06 42A6 671F 72FD
File: semaphore_freebsd_amd64
gpg: Signature made Thu 29 Jun 2017 07:02:52 AM EDT
gpg: using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5 A13B DA06 42A6 671F 72FD
File: semaphore_freebsd_arm
gpg: Signature made Thu 29 Jun 2017 07:02:53 AM EDT
gpg: using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5 A13B DA06 42A6 671F 72FD
File: semaphore_linux_386
gpg: Signature made Thu 29 Jun 2017 07:02:53 AM EDT
gpg: using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5 A13B DA06 42A6 671F 72FD
File: semaphore_linux_amd64
gpg: Signature made Thu 29 Jun 2017 07:02:54 AM EDT
gpg: using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5 A13B DA06 42A6 671F 72FD
File: semaphore_linux_arm
gpg: Signature made Thu 29 Jun 2017 07:02:54 AM EDT
gpg: using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5 A13B DA06 42A6 671F 72FD
File: semaphore_netbsd_386
gpg: Signature made Thu 29 Jun 2017 07:02:55 AM EDT
gpg: using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5 A13B DA06 42A6 671F 72FD
File: semaphore_netbsd_amd64
gpg: Signature made Thu 29 Jun 2017 07:02:55 AM EDT
gpg: using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5 A13B DA06 42A6 671F 72FD
File: semaphore_netbsd_arm
gpg: Signature made Thu 29 Jun 2017 07:02:55 AM EDT
gpg: using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5 A13B DA06 42A6 671F 72FD
File: semaphore_openbsd_386
gpg: Signature made Thu 29 Jun 2017 07:02:56 AM EDT
gpg: using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5 A13B DA06 42A6 671F 72FD
File: semaphore_openbsd_amd64
gpg: Signature made Thu 29 Jun 2017 07:02:56 AM EDT
gpg: using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5 A13B DA06 42A6 671F 72FD
File: semaphore_windows_386.exe
gpg: Signature made Thu 29 Jun 2017 07:02:57 AM EDT
gpg: using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5 A13B DA06 42A6 671F 72FD
File: semaphore_windows_amd64.exe
gpg: Signature made Thu 29 Jun 2017 07:02:57 AM EDT
gpg: using RSA key 0xDA0642A6671F72FD
gpg: Good signature from "Matej Kramny (new key) <matej@****.me>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0061 1CCB 525F 33EA C7C5 A13B DA06 42A6 671F 72FD
Thanks for getting this done. I look forward to the implementation of the upgrade verification.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
is this fixable in any way?
I don't use GPG too much, so I'm guessing if you wanted to actually verify that it was signed by (me) then you would have to install something.
I'll update my toolchain to sign commits and look into signing the github released source code.
See: https://www.gnupg.org/gph/en/manual/x334.html
It just means I have not marked your key as trusted. That's totally up to the end-user as to what level of trust they want to assign to your public key. Ideally we'd exchange keys in person, and based on your level of expertise with GPG I'd change the trust of your key to something more appropriate, unless I, or someone I have marked as trusted, sign your key to "vouch" for it as being your key.
Since that's not really feasible in most cases, it's a warning that may be ignored. I would post your key in as many places as can prove you indeed uploaded that key, so it can be compared as best as it can be and an imposter key is not being used. So add your key to your GitHub account, your website, etc.
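The verification procedure proposed in the opening post, and the "not certified" warning discussed just above, as an added example (my code, not Semaphore's own tooling or release scripts). Rather than eyeballing "Good signature", it pins the signing-key fingerprint quoted earlier in this thread and reads gpg's machine-readable status output, so a valid signature from the wrong key, or a signature that merely looks good in the human-readable text, is rejected. The asset names and the vN.N.N placeholder follow the opening post; the key is assumed to already be imported into the local keyring, after its fingerprint has been compared against a source independent of the download (the keybase page, the GitHub profile), and the sign_asset helper at the end is the maintainer-side counterpart, shown here as an assumption about how a detached .asc would be produced.

```shell
#!/bin/sh
# Added example, not part of the Semaphore project: pinned-fingerprint
# verification of release assets and signed tags.
set -u

# Fingerprint of the v2.4.0 signing key as printed by gpg earlier in this
# thread. Anything signed by another key is rejected, "Good signature" or not.
SEMAPHORE_RELEASE_FPR="00611CCB525F33EAC7C5A13BDA0642A6671F72FD"

# check_gpg_status STATUS_TEXT EXPECTED_FPR
# Parses `gpg --status-fd` output (stable, locale-independent) and succeeds
# only when a VALIDSIG line names the expected key and no BADSIG/ERRSIG
# was seen. The TRUST_* lines that produce the "not certified" warning are
# deliberately ignored: the pinned fingerprint is the trust decision.
check_gpg_status() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # VALIDSIG <sig key fpr> <date> <ts> <expire> <ver> <reserved>
            #          <pk-algo> <hash-algo> <class> [<primary key fpr>]
            # $3 is the (sub)key that signed, $12 the primary key if present;
            # accept either so a signing subkey of the pinned key also passes.
            if ($3 == want || $12 == want) ok = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_asset FILE SIGFILE EXPECTED_FPR
# Runs gpg on a detached signature and applies the pinned-key policy.
verify_asset() {
    file="$1"; sig="$2"; expected="$3"
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null)
    if check_gpg_status "$status" "$expected"; then
        echo "OK   $file (signed by $expected)"
        return 0
    fi
    echo "FAIL $file: no valid signature from the pinned key" >&2
    return 1
}

# verify_tag TAG EXPECTED_FPR
# Same policy for a signed git tag; run inside a clone of the repository.
# `git verify-tag --raw` emits the gpg status lines on stderr.
verify_tag() {
    status=$(git verify-tag --raw "$1" 2>&1)
    check_gpg_status "$status" "$2"
}

# sign_asset FILE KEYID  (maintainer side, assumed workflow)
# Produces FILE.asc, the detached ASCII-armored signature the thread asks for.
sign_asset() {
    gpg --batch --armor --detach-sign --local-user "$2" --output "$1.asc" "$1"
}

# Usage, with the asset names from the opening post (vN.N.N stands for a tag):
#   base=https://github.com/ansible-semaphore/semaphore/releases/download/vN.N.N
#   wget -q "$base/semaphore_linux_amd64" "$base/semaphore_linux_amd64.asc"
#   sh verify.sh semaphore_linux_amd64 semaphore_linux_amd64.asc
if [ "$#" -ge 2 ]; then
    verify_asset "$1" "$2" "${3:-$SEMAPHORE_RELEASE_FPR}"
fi
```

The point of parsing the status lines instead of grepping "Good signature" is that gpg's human-readable text is localized and has changed across versions, while VALIDSIG carries the fingerprint explicitly; comparing it against a pinned value is what package managers do, and it makes the "This key is not certified" warning irrelevant to the outcome.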
Could be dealt with by using goreleaser (as well as other distribution methods such as deb/rpm files). So this issue should be dealt with at the point where we refactor the make scripts and build/release process.
Done in current develop; all test artifacts and releases are signed with the new GPG key.