-
-
Notifications
You must be signed in to change notification settings - Fork 837
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cryptograhpically Sign releases #3968
Comments
Many large organizations sign their releases with PGP, and some of them have written best-practices guides based on their experiences, which I recommend looking into:
Please let me know if you have any questions regarding how to generate a PGP signing keypair, safely distribute its public key, sign your packages with this key, and how to document the process for users to cryptographically verify your release's signatures for their authenticity and integrity. |
Although I understand where this is coming from and I certainly agree to improved security. It's one thing to start doing it, it's another to keep doing it. Taking extensions into this is another complexity I won't even want to think about considering they are published and maintained by third parties. Being a small team with only a handful of skills, it might be too far reached to adopt this now. I don't know how the others feel about this, but this would definitely be something for the future and not for now. |
Let's not include extensions in the scope of this ticket. I think you'll find this ticket is very achievable. It should only add a few minutes to your release workflow. Please let me know if I can help in any way, as it's a prereq for our org to have this (and I imagine many other orgs also will skip over Flarum since there's currently no secure way to verify it after download). |
For reference, this is the build script for the packages: https://github.com/flarum/installation-packages/blob/main/bin/build.sh and these are the docs: https://github.com/flarum/docs Feel free to contribute if you would like. |
@SychO9 The signing is done after the build. Can you please tell me which of your team members are responsible for uploading the finished releases? They need to generate PGP keys following best practices, and I'm happy to assist them with this (it's just a few commands that they have to run on their personal machines; I can't do this for you in a PR because private keys should be -- private). Is the Please let me know which team members are responsible for uploading finished flarum releases. |
@maltfield the script is never run by an individual. The script is triggered by an individual or automatically and runs on a github workflow (this is necessary). Private keys are not a problem. GitHub allows storing secrets that can be used in workflows without exposing their values. So feel free to contribute commands there, probably after the Otherwise we'll look into it some point 👍 |
Unfortunately it's not an option to store PGP private keys on GitHub. For release signing to be useful (release signing is done to protect against attacks like infrastructure compromise), the private keys must be stored offline; release signing private keys should not be stored on a server . If the build script is executed in your CI process, then--after a release is made--your release engineers would just need to confirm its integrity, sign it, and then upload the signature to the release. As I said, this process will add a few minutes to your release process. Is your release process documented anywhere? Please let me know which of your team members should be delegated the task of signing flarum releases. |
Michael, We absolutely see the benefit of implementing this, if it would not add another layer of effort or complexity to our current processes. We are not a big software team that can assign such a task to a fixed team member, our core team can be counted on one hand. I understand that others do this and I understand it is wise given it adds another layer of security, but right now we don't have the luxury to commit to this. We will obviously keep this issue open so that it reminds us of taking action. But we will not implement this soon. Please do understand our position on this. With kindest regards, Daniël. |
ok, well, I'm happy to do as much of the work as I can, but obviously you do need to be able to commit to a few hours of initial setup and a few minutes per every release. Generate PGP KeyWhen you have someone who has a few hours to work with me, please have them execute the following on their machine to generate a 4096-bit RSA PGP key pair.
When prompted, specify:
As for the name of the key, you have to decide if you want to have one key shared between all of your release engineers, or if you want to have individual keys for each person. If you want to have one shared key, then I recommend typing If you want individual keys for each person, then type the person's full name for the For the You can leave the Type Finally, type a password that will be used to symmetrically encrypt your private key on-disk. Symmetric encryption is only as good as the password is long. I recommend using a password manager (eg KeyPassXC) to generate (and securely store) a random passprhase that's >= 20 characters long. As an example, see the below execution of the above-listed steps
Share Public KeyThe execution above will generate [a] a private key (that you don't share with anyone or upload to any servers) and [b] a public key (that you share in as many places as possible; users need this to verify signatures made with your private key). Please let me know once your release engineer(s) have generated a PGP key following the above steps. Once you do, execute the following commands and paste them into this ticket.
After you paste the output from the above commands into this ticket, and then I'll be able to submit a PR with all the changes needed to implement this ticket. |
Current Behavior
Currently it is not possible to verify the authenticity or cryptographic integrity of the downloads from flarum.org or github.com because the releases are not cryptographically signed.
This makes it hard for flarum users to safely obtain the flarum software, and it introduces them (and potentially their user's data) to watering hole attacks.
Steps to Reproduce
Download Now
Expected Behavior
A few things are expected:
SHA256SUMS.asc
file) along with the release itselfScreenshots
No response
Environment
Everything, all versions. Extensions too.
Output of
php flarum info
Possible Solution
See "Expected Behaviour" Section
Additional Context
No response
The text was updated successfully, but these errors were encountered: