GPG signed verification of releases #1644

issue jamesob opened this issue on December 6, 2024
  1. jamesob commented at 3:11 pm on December 6, 2024: none

    Given the security-critical nature of this project, I think it would be preferable to have GPG-signed hashes available alongside source releases. Right now (AFAICT) this project is hinging completely on Github/HTTPS trust model when retrieving this repo for build and use.

    Obviously the hashes and signatures GPG IDs would have to be posted somewhere aside from Github for full benefit.

    I’m happy to help in whatever manner I can.

  2. real-or-random added the label release on Dec 9, 2024
  3. real-or-random commented at 8:26 am on December 9, 2024: contributor
    Thanks for your feedback. This is a duplicate of #1175.
  4. real-or-random closed this on Dec 9, 2024

  5. jonasnick commented at 9:25 am on December 9, 2024: contributor

    Right now (AFAICT) this project is hinging completely on Github/HTTPS trust model when retrieving this repo for build and use.

    That’s not correct. Release tags are GPG signed.

  6. jamesob commented at 4:27 pm on December 9, 2024: none

    A few notes:

    1. When retrieving release artifacts (.zip or .tar.gz), as far as I can tell there aren’t any signatures attached to those, so unless the git repo is being pulled down there isn’t an easy way to verify.
    2. @jonasnick’s signing key isn’t mentioned anywhere not-Github, so in a sense Github is still a point of failure if e.g. the web UI lies about the GPG ID that Jonas has used for signing.

    Thanks for letting me know that the release tags are signed. Maybe it would be worth mentioning how to verify (git tag -v $TAG) in the README; I can file a PR if you’d like. @jonasnick you also might consider posting your GPG ID somewhere else where your identity is well known, and then mentioning that in the README.

  7. jamesob commented at 4:28 pm on December 9, 2024: none
    Oh, and @jonasnick your key seems expired.
  8. jonasnick commented at 4:50 pm on December 9, 2024: contributor

    @jamesob

    I can file a PR if you’d like.

    This would be great.

    @jonasnick’s signing key isn’t mentioned anywhere not-Github

    It is - for example on GPG keyservers. But where would you expect to find it? In particular, where did you find real-or-random’s and sipa’s keys?

    your key seems expired.

    Doesn’t seem expired to me

     ❯ GNUPGHOME=$(pwd) gpg --keyserver hkps://keys.openpgp.org --recv-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366"
     gpg: WARNING: unsafe permissions on homedir '/home/me/tmp/tmpbla'
     gpg: key B1A70E4F8DCD0366: public key "Jonas Nick <jonasd.nick@gmail.com>" imported
     gpg: Total number processed: 1
     gpg:               imported: 1
     ❯ GNUPGHOME=$(pwd) gpg --list-keys
     gpg: WARNING: unsafe permissions on homedir '/home/me/tmp/tmpbla'
     /home/me/tmp/tmpbla/pubring.kbx
     -------------------------------
     pub   rsa4096 2014-10-09 [SC] [expires: 2026-05-07]
           36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
     uid           [ unknown] Jonas Nick <jonasd.nick@gmail.com>
     sub   rsa4096 2017-06-26 [S] [expires: 2026-05-07]
     sub   rsa4096 2017-06-26 [E] [expires: 2026-05-07]
     sub   rsa4096 2017-06-26 [A] [expires: 2026-05-07]
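The verification step jamesob asks to document in comment 6 (verify the tag, and trust a fingerprint obtained out of band rather than whatever the web UI shows) combined with the key listing in comment 8, as an added example that is not code from this thread or from the secp256k1 project: it parses the GnuPG status lines that `git verify-tag --raw` prints and accepts only a valid signature whose primary-key fingerprint equals the pinned one, rejecting expired or revoked keys. The sample status lines are constructed, and the subkey fingerprint in them is a placeholder.

```python
"""Verify a signed git tag against a pinned key fingerprint, not just "Good signature"."""
import subprocess

# Primary-key fingerprint as printed by gpg --list-keys in the thread above.
PINNED_FPR = "36C71A37C9D988BDE82508D9B1A70E4F8DCD0366"
# Status keywords after which the signature must not be accepted (bad, missing,
# expired or revoked key). GnuPG emits EXPKEYSIG *instead of* GOODSIG for expired keys.
REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def verify_status(status_output, pinned_fpr):
    """Decide from '[GNUPG:] ...' status lines whether the tag is acceptably signed.

    GOODSIG only says some key in the local keyring made the signature. We require a
    VALIDSIG whose primary-key fingerprint (last field; the first field is the signing
    subkey) matches the fingerprint pinned from an out-of-band source.
    """
    pinned = pinned_fpr.replace(" ", "").upper()
    primary, problems = None, []
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in REJECT:
            problems.append(keyword)
        elif keyword == "VALIDSIG":
            # fields[2] = fingerprint of the (sub)key that signed; fields[11] = primary key.
            primary = (fields[11] if len(fields) > 11 else fields[2]).upper()
    if problems:
        return False, "rejected: " + ", ".join(problems)
    if primary is None:
        return False, "no VALIDSIG: tag unsigned, or signing key not in keyring"
    if primary != pinned:
        return False, f"signed by {primary}, which is not the pinned key"
    return True, f"good signature by pinned key {pinned}"


def verify_git_tag(tag, pinned_fpr=PINNED_FPR, repo="."):
    """Run `git verify-tag --raw TAG` (gpg status lines go to stderr) and check the result."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return verify_status(proc.stderr, pinned_fpr)


# Constructed sample in the shape gpg emits; the 0123... subkey fingerprint is a placeholder.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Jonas Nick <jonasd.nick@gmail.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-12-09 1733760000 0 4 0 1 10 01 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
```

Run `verify_git_tag("v0.6.0")` in a checkout to apply the same check to a real tag; `TRUST_UNDEFINED` is expected when you have not certified the key locally, which is exactly why the fingerprint comparison replaces the web-of-trust decision here.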
    
  9. jamesob commented at 8:02 pm on December 9, 2024: none

    Oh interesting - github thinks it’s expired for some reason.

  10. jamesob commented at 8:07 pm on December 9, 2024: none

    It is - for example on GPG keyservers. But where would you expect to find it? In particular, where did you find real-or-random’s and sipa’s keys?

    Anyone can submit a key with your email address to keyservers, so I’m not sure that counts. I’m not sure where the other guys attest to their GPG IDs, but I like doing so in my Twitter profile. Could be on your website or nostr etc. Presumably anywhere works where people have some rough assurance that the content is controlled by you.

  11. real-or-random commented at 8:09 pm on December 9, 2024: contributor

    Oh interesting - github thinks it’s expired for some reason.

    The revision in @jonasnick’s GitHub profile has expired. The newest revision of the key (probably the one here, though I haven’t verified this) has not expired.

  12. jonasnick commented at 8:54 pm on December 9, 2024: contributor

    Thanks, I updated the key in my github profile.

    Anyone can submit a key with your email address to keyservers,

    Not to keys.openpgp.org at least (if they are honest). If you google my key id, you will find it on my website and nixbitcoin.org. I’ve added it to my twitter bio, although I’m not sure that this will help much unless you already know who I am on twitter and happen to search for my key id there.


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-30 17:15 UTC
