Clarify gpg verification #11063

Closed

@hasufell hasufell commented Oct 7, 2021

Some Docker image developers not understanding what a hash function is have previously told me my installer has to gpg-verify all the tarballs instead of their checksums.

Of course that's nonsense, because then the internet, all distros (including Ubuntu) and even blockchains in this world would be broken.

Adding this as a note here should silence this.

Thanks.

@hasufell hasufell force-pushed the clarify-gpg-verification branch 2 times, most recently from 7823d46 to 3104b3a Compare October 7, 2021 21:00
@hasufell hasufell force-pushed the clarify-gpg-verification branch from 3104b3a to 5f0ec56 Compare October 7, 2021 21:01
@tianon
Member

tianon commented Oct 8, 2021

I agree with your premise, but your tone isn't exactly welcoming -- please try to show a bit more empathy if you wish to continue collaborating in this project. Our goal with this section of documentation is to educate and inform, not to "silence".

If we're going to add a note about this, I think we should be more specific -- for example, verifying the signature on an MD5 checksum is not really as strong as one on SHA256 (to put another way, the checksum needs to be "cryptographically secure" as well).

I also think this addition should be up a bit higher (not hiding in one of the examples); perhaps something like this:

> The purpose in recommending PGP signature verification ...
>
> **Note:** it is not strictly necessary to have a signature on each of the individual downloaded artifacts -- if there is a signature on something like a `SHA256SUMS` file (where the checksum is a secure ["cryptographic hash"](https://en.wikipedia.org/wiki/Cryptographic_hash_function) like SHA256 and notably NOT MD5 or SHA1), then it is cryptographically sufficient to verify the signature on that file and then verify that checksum on the downloaded file. It is still recommended to embed the full checksum in the `Dockerfile`, as explained in the following paragraph.
>
> The purpose in recommending checksum ...
>
> Below are some examples:

However, to properly do it "justice" it ends up getting a bit wordy -- perhaps there's a decent guide or article someone has written elsewhere that we could link to instead of including all this detail here?

(Otherwise I'd probably prefer to punt this addition to be part of #6282 instead so we can have something like a dedicated file to describe low-level details like this better and keep the high-level overview short.)
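
The chain described in the suggested note above (verify the signature on the checksum list, then verify the download against that list), as an added shell example that is not part of this thread or of the project's documentation. The function names and file names are assumptions, and the publisher's key is assumed to already sit in a keyring file that `gpgv` can read.

```shell
#!/bin/sh
# Added example. Names are assumptions; names containing spaces are not handled.

# Step 1: check the detached signature over the checksum list.
# $1 = keyring file holding the publisher's key, $2 = signature, $3 = list
verify_sums_signature() {
    gpgv --keyring "$1" "$2" "$3"
}

# Print the digest recorded for artifact name $2 in checksum list $1.
expected_sha256() {
    awk -v name="$2" '
        { f = $2; sub(/^\*/, "", f) }   # "*name" marks binary mode
        f == name { print tolower($1); found = 1; exit }
        END { if (!found) exit 1 }
    ' "$1"
}

# Accept only 64 lowercase hex characters, so MD5 (32) and SHA1 (40)
# digests are refused even if the list itself is validly signed.
is_sha256_hex() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Step 2: compare artifact $2 against the list $1.
check_artifact() {
    want=$(expected_sha256 "$1" "$(basename "$2")") || return 1
    is_sha256_hex "$want" || return 1
    got=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$got" = "$want" ]
}

# Both steps; the checksum is trusted only after the signature verifies.
# $1 = keyring, $2 = SHA256SUMS.asc, $3 = SHA256SUMS, $4 = artifact
verify_download() {
    verify_sums_signature "$1" "$2" "$3" && check_artifact "$3" "$4"
}
```
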

@hasufell
Author

hasufell commented Oct 8, 2021

> However, to properly do it "justice" it ends up getting a bit wordy -- perhaps there's a decent guide or article someone has written elsewhere that we could link to instead of including all this detail here?
>
> (Otherwise I'd probably prefer to punt this addition to be part of #6282 instead so we can have something like a dedicated file to describe low-level details like this better and keep the high-level overview short.)

Could you clarify whether you're interested in me improving this PR? And if so what exactly do you need?

I don't know of any guide explaining PGP+hash use. It's somewhat basic cryptography knowledge.

@tianon tianon mentioned this pull request Oct 11, 2021
15 tasks
@tianon
Member

tianon commented Oct 11, 2021

Honestly, I don't have a really strong opinion on the best way to incorporate this yet. I was hoping we could discuss it a bit more and help tip the scales, but it sounds like you're not up for that (which is totally fair).

Given that, I'm going to add this to the backlog, and we'll come back to it later; thanks for the suggestion!

@hasufell hasufell closed this Oct 11, 2021