Consider signing releases #1463

Open
ottok opened this issue Jan 5, 2025 · 4 comments
Labels
nice Down prioritized

Comments

@ottok
Contributor

ottok commented Jan 5, 2025

Thanks for maintaining gitlab-ci-local!

This project uses rich releases at https://github.com/firecow/gitlab-ci-local/releases. Could you please consider also offering signatures alongside the tar.gz and other artifacts in your releases?

It is good practice in open source projects to publish cryptographic signatures alongside the tarball source releases, so that e.g. Linux distributions and other downstreams can use OpenPGP to verify the authenticity of the imported release.

This is not a hard requirement, just nice to have. Managing OpenPGP keys securely requires some effort. A good guide on the topic can be found at https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md/

@firecow
Owner

firecow commented Jan 5, 2025

Please provide a code block that signs and creates the right stuff in https://github.com/firecow/gitlab-ci-local/blob/master/publish-deb.

I already have a PGP key that I use to publish to the debian repository.

@firecow firecow added the nice Down prioritized label Jan 5, 2025
@ottok
Contributor Author

ottok commented Jan 5, 2025

The publish-deb seems to be only about generating Debian packages, and the script seems correct.

Currently, the assets your GitHub releases announces are:

Where are these generated?

If I were to generate these myself manually, I would use the commands:

```console
$ curl -LO https://github.com/firecow/gitlab-ci-local/archive/refs/tags/4.56.2.tar.gz
$ gpg -b --armor 4.56.2.tar.gz
gpg: using "CEE8DA88" as default secret key for signing
$ head 4.56.2.tar.gz.asc
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEmbRSsR88dMO0U+RvvthEn87o2ogFAmd69aAACgkQvthEn87o
2oinKA/+Jwn0BvmI8rnZfL5wab7CjLkchV1qr1wafOn+Ji/CrXDgiUILsTnWNZ/i
...
```

...but of course I can't reliably verify that curl gave me the authentic sources.

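Added example, not code from the gitlab-ci-local project, its publish-deb script, or either commenter: a POSIX shell script that does what the thread asks for end to end. It produces a detached, ASCII-armored `.asc` signature for every artifact in a release directory (the same `gpg -b --armor` form shown above), adds a `SHA256SUMS` manifest with its own signature so a downstream can check a single artifact's hash, and includes the verification calls a distribution packager would run. It assumes GnuPG 2.x with a usable secret key, GNU coreutils `sha256sum`, and that the key ID and file names passed in are the caller's own; a signature only means anything to a downstream that has obtained the maintainer's public key through a path they trust (keyserver with a known fingerprint, the project's documentation, or an earlier verified release), which is the gap the curl-only download above cannot close.

```shell
#!/bin/sh
# Added example (not the gitlab-ci-local project's code): sign release
# artifacts with detached, ASCII-armored OpenPGP signatures and verify them.
# Assumptions: gpg 2.x, GNU coreutils sha256sum, and a secret key reachable
# by the key ID given as the second argument.
set -eu

# Sign every regular file in DIR with the secret key KEY_ID, writing
# <file>.asc beside each artifact, then write a SHA256SUMS manifest over the
# artifacts and sign that too (SHA256SUMS.asc).
sign_release_artifacts() {
    dir=$1
    key_id=$2
    rm -f "$dir/SHA256SUMS" "$dir/SHA256SUMS.asc"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.asc) continue ;; esac
        # --detach-sign is the long form of -b; --armor gives the .asc text form
        gpg --batch --yes --armor --detach-sign --local-user "$key_id" \
            --output "$f.asc" "$f"
    done
    # Manifest: lets a downstream that fetches one artifact still check its hash
    # against a single signed document. The manifest itself is skipped because
    # the redirection creates it before the glob is expanded.
    (cd "$dir" && for f in *; do
        case "$f" in *.asc|SHA256SUMS) continue ;; esac
        sha256sum "$f"
    done > SHA256SUMS)
    gpg --batch --yes --armor --detach-sign --local-user "$key_id" \
        --output "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS"
}

# Downstream check for one artifact: succeeds only if gpg reports a good
# signature from a key present in the verifier's keyring.
verify_release_artifact() {
    artifact=$1
    gpg --batch --verify "$artifact.asc" "$artifact" 2>/dev/null
}

# Downstream check via the manifest: first the manifest's signature, then
# every listed hash. Any tampered artifact makes this return non-zero.
verify_release_manifest() {
    dir=$1
    verify_release_artifact "$dir/SHA256SUMS" \
        && (cd "$dir" && sha256sum -c --quiet SHA256SUMS)
}
```

Typical use on a release checkout is `sign_release_artifacts ./release CEE8DA88` followed by uploading the `.asc` files and `SHA256SUMS*` next to the tarballs; a packager then runs `gpg --import` on the published public key, checks its fingerprint against the one documented by the project, and calls `verify_release_artifact ./release/4.56.2.tar.gz`. The `--batch --yes` flags keep gpg non-interactive so the same function works from a CI job whose signing key is loaded into an isolated `GNUPGHOME`.
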
@firecow
Owner

firecow commented Jan 6, 2025

@ottok
Contributor Author

ottok commented Jan 7, 2025 via email
