Hi Abhijith,

I think you need to read about chains of trust. Everything that you suggest below is at best hiding what you are downloading from an observer. It doesn't stop man-in-the-middle attacks or guarantee that the contents were not corrupted during transit.

As James suggested, all you need to do is convince yourself that Kohsuke's public PGP key is actually his. Once you have done that you can verify that the signed release is actually what Kohsuke meant to release.

How paranoid you are is really up to you. You could just trust the key that is publicly posted by Kohsuke, attempt to verify the key via a web of trust, or even try to convince Kohsuke to meet you in person to verify the key.

Really, I suspect that most of that is just overkill. You just need to ensure that you have a repeatable build environment where you have a reasonable level of trust that the software you downloaded is fit for purpose. Many Linux OS distributions (Debian for example) have all of the individual packages linked back to a widely published central key, allowing you to detect any tampering in transit.

The same applies to any commercial arrangements with appropriate software suppliers. You would need to get & trust a public key from them to allow you to verify that you receive exactly what was intended to be sent.

Regards

Richard


On 15/01/2014 22:27, abhijith chandrashekar wrote:
Thanks Tielo. Although I do think downloading sources and inspecting
them would not only be overkill, but also not a foolproof way of
ensuring security. What if the source files are mangled during download?

The only few ways I can think of are

1. to get the binaries and keys/hashes over PGP email from somebody on
the inside
2. obtain it over HTTPS on their website
3. using SFTP or
4. by having someone on the inside ship a DVD that contains the binary +
public key.

I'm trying other avenues (CloudBees, for example) but there do not seem
to be any provisions to do this.

Thanks,
Abhijith



On Mon, Jan 13, 2014 at 1:46 AM, teilo <teilo+goo...@teilo.net> wrote:


    On Sunday, 12 January 2014 22:20:17 UTC, Abhijith Chandrashekar wrote:

         > Of course, you'd need a secure way to make sure it's actually
        his signature, but that should be easier than changing the
        entire distribution chain.

        That's exactly the problem. Any ideas on how I can do that?

        Thanks,
        Abhijith


    http://kohsuke.org/about/pgp/

    But if you are that security paranoid then you should download the
    sources, inspect them (and the history) and then compile them
    yourself every release (like you do for all the plugins right!?).

    /James

    --
    You received this message because you are subscribed to a topic in
    the Google Groups "Jenkins Users" group.
    To unsubscribe from this topic, visit
    https://groups.google.com/d/topic/jenkinsci-users/3O8vpxrWZH8/unsubscribe.
    To unsubscribe from this group and all its topics, send an email to
    jenkinsci-users+unsubscr...@googlegroups.com.
    For more options, visit https://groups.google.com/groups/opt_out.


