Hi,

On Tue, Apr 2, 2024 at 2:36 PM Derick Rethans <der...@php.net> wrote:

> On Sat, 30 Mar 2024, Jakub Zelenka wrote:
>
> > On Sat, Mar 30, 2024 at 7:08 AM Marco Pivetta <ocram...@gmail.com> wrote:
> > >
> > > I understand that the XZ project had signed releases too: that still
> > > means that downstream consumers would need to trust the release
> > > managers anyway, and reproduce the whole chain themselves.
> > >
> > > I suppose that's part of OP's concern.
> > >
> > I agree that compromised RM is a problem that we should look into.
> >
> > We have been actually already discussing something similar. I have
> > been thinking about it and it could be potentially used for all
> > builds. The idea is that we would set up a workflow on CI that would run
> > on tag push and it would call (authenticated https request) the
> > downloads.php.net server that could do the actual build, sign them and
> > return the hashes to the CI job which would display them and do extra
> > verification (probably its own build to verify that the download server
> > works as expected).
>
> ...
>
> > It needs more thinking to iron out all the details and make sure it is
> > secure, but I think it would be something worth looking at.
>
> I don't mind coming up with an automated way, but we probably should not
> use the *downloads* server. All it does is serve files. It has no
> compiler or anything else. It's a storage optimised instance with little
> CPU.
>
>
Yeah, I agree. I originally thought that it would be good to do it on our
own server so we could possibly sign it there as well, but after thinking
about it I rejected that signing idea, so there's really no point in doing it
on our own server.


> On CI we already test the builds, so what stops us from also just
> having it make the tarball and attach it as an artefact? We can then
> set up something on the downloads server to pull these artefacts. In
> fact, this is exactly what we're already hoping to do for Windows
> downloads too. Having it all in one place is probably even better (and
> easier).
>
> Of course, having CI make the tarballs means we need to trust that CI
> isn't compromised ;-).
>

We will still need the RM to sign the build, so ideally we should make it
reproducible so the RM can verify that CI produced the expected build and
then sign it and just upload the signatures (not sure if we actually need the
signatures uploaded or if they are used just in announcements).

I think this should then prevent compromise of the RM and CI unless CI is
compromised by the RM, of course, but that should be very unlikely.

Regards

Jakub
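Added example, not code from this thread or from the php-src project: a Python sketch of the reproducible-tarball half of the flow discussed above, where CI builds the artefact and publishes its hash, and the RM rebuilds locally and compares before signing. The sample file tree and the "php-X.Y.Z" prefix are constructed placeholders; the point it demonstrates is which tar and gzip header fields must be pinned for two independent builds to produce byte-identical archives.

```python
import gzip
import hashlib
import hmac
import io
import tarfile

RELEASE_PREFIX = "php-X.Y.Z"  # constructed placeholder, not a real release name

# Constructed stand-in for the release tree; a real build would read php-src.
SAMPLE_TREE = {
    "README.md": b"PHP release tree (constructed sample)\n",
    "configure": b"#!/bin/sh\necho configuring\n",
    "main/main.c": b"int main(void) { return 0; }\n",
}


def _normalize(info: tarfile.TarInfo) -> tarfile.TarInfo:
    """Pin the host-specific header fields that make two tarballs differ."""
    info.uid = info.gid = 0
    info.uname = info.gname = "root"
    info.mtime = 0  # build time must not leak into the archive
    return info


def make_reproducible_tarball(files: dict, prefix: str) -> bytes:
    """Return a .tar.gz whose bytes depend only on file paths and contents."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for rel in sorted(files):  # fixed order, not dict or readdir order
            data = files[rel]
            info = tarfile.TarInfo(name=f"{prefix}/{rel}")
            info.size = len(data)
            info.mode = 0o755 if rel == "configure" else 0o644  # constructed
            tar.addfile(_normalize(info), io.BytesIO(data))
    out = io.BytesIO()
    # gzip stamps the current time into its header unless mtime is pinned.
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def ci_job(files: dict, prefix: str = RELEASE_PREFIX) -> str:
    """What CI would publish next to the artefact: the tarball's SHA-256."""
    return hashlib.sha256(make_reproducible_tarball(files, prefix)).hexdigest()


def rm_verifies(files: dict, ci_sha256: str, prefix: str = RELEASE_PREFIX) -> bool:
    """The RM's gate before signing: rebuild locally and compare with CI's hash."""
    local = hashlib.sha256(make_reproducible_tarball(files, prefix)).hexdigest()
    return hmac.compare_digest(local, ci_sha256.lower())
```

With `tar` on the command line the same pinning is done with `--sort=name --mtime=@0 --owner=0 --group=0 --numeric-owner` and `gzip -n`; the Python version just makes each field explicit.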
