I'd say that is a good idea. PGP-sign the SHA-256 hash of the release tarball, and make that a manual process controlled by release engineers. Perhaps also sign the SHA-1 state of the git repos at releases too.

On 12 Mar 2014 17:25, "Matt Clay" <[email protected]> wrote:
> Perhaps you could use GnuPG to sign releases, as is done for the Linux
> kernel sources?
>
> https://www.kernel.org/signature.html
>
> - Matt
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Edward Ned Harvey (mono)
> Sent: Wednesday, March 12, 2014 4:00 AM
> To: Ian Norton
> Cc: [email protected]; monolithic1
> Subject: Re: [Mono-list] Not able to verify integrity of download
>
> > From: Ian Norton [mailto:[email protected]]
> > Sent: Tuesday, March 11, 2014 2:29 AM
> >
> > I think our friend is wondering if our stable archive is trusted, if
> > someone hasn't snuck in and inserted some nasty in the released tarball.
> > I for one think that Xamarin really, really needs to SHA-2 and sign the
> > released stable sources!
>
> So, how does that work? The two things I usually see are either:
> On the website, they give you a download link for a file, and they also
> tell you the MD5 and SHA1 sums of the file...
> or
> You download something like a .msi or .exe, and your browser does a
> security scan, and upon launch, it does another security scan, and verifies
> all the codesigning signatures...
>
> So my question for you guys is, what do you want to see? The way I see
> it, posting the MD5 or SHA1 on the website does not help protect you
> against a malicious person hacking up the website, because they'll just
> update the sums to match their infected tarball.
>
> Code signing is very nice, because the software publisher must jump
> through trusted root CA verification, proof of control of the organization,
> etc., and the publisher has a private key, so even if somebody hacks up the
> website, they still cannot fake a valid signed file. So the recipient will
> be able to detect the malicious behavior. (Invalid code signing cert, or
> not signed at all.)
>
> But I'm not aware of any way to do code signing on the source tarball, etc.
_______________________________________________
Mono-list maillist - [email protected]
http://lists.ximian.com/mailman/listinfo/mono-list
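The workflow proposed in this thread (a SHA-256 manifest for the tarball, signed by a release engineer's PGP key that never touches the web server, as on kernel.org), shown as an added shell example that is not part of the list thread and not Mono's or Xamarin's own release tooling. It also demonstrates Edward's point about hashes posted on the website: after the tarball is replaced and the published sums rewritten to match, `sha256sum --check` still passes, but the detached signature over the manifest no longer verifies. The tarball name, the file layout (SHA256SUMS plus SHA256SUMS.asc beside the tarball) and the signing identity are assumptions; the key is a throwaway generated in a temporary GNUPGHOME, and the "malicious" content is a constructed string.

```shell
#!/bin/sh
# Added example (not from the Mono list thread). Assumed layout: one directory
# holding <tarball>, SHA256SUMS and SHA256SUMS.asc. Names are placeholders.

# Release engineer step 1: write the SHA-256 manifest for the tarball.
make_sums() {  # usage: make_sums DIR TARBALL
  ( cd "$1" && sha256sum "$2" > SHA256SUMS )
}

# Release engineer step 2: detached, ASCII-armored signature over the manifest.
# The private key stays with the release engineer, not on the web server.
sign_sums() {  # usage: sign_sums DIR KEYID
  ( cd "$1" && gpg --batch --yes --local-user "$2" --armor \
        --detach-sign --output SHA256SUMS.asc SHA256SUMS )
}

# Downloader step. Order matters: verify the signature on the manifest before
# trusting any hash inside it. Returns 1 on a bad or missing signature,
# 2 on a hash mismatch, 0 when both checks pass.
verify_release() {  # usage: verify_release DIR
  ( cd "$1" && gpg --batch --verify SHA256SUMS.asc SHA256SUMS >/dev/null 2>&1 ) || return 1
  ( cd "$1" && sha256sum --check --status SHA256SUMS ) || return 2
  return 0
}

# The scenario from the thread: the tarball on the "web server" is replaced and
# the published sums are rewritten to match. The manifest now checks out on its
# own, which is exactly why a hash alone proves nothing; the signature does not.
tamper_release() {  # usage: tamper_release DIR TARBALL
  ( cd "$1" && printf 'malicious payload (constructed)\n' >> "$2" \
        && sha256sum "$2" > SHA256SUMS )
}

# End-to-end run in a throwaway GNUPGHOME with a throwaway, passphrase-less key
# (hypothetical identity, demo only). Returns 0 only if the clean release
# verifies (rc 0) and the tampered one is rejected on the signature (rc 1).
demo() {
  work=$(mktemp -d) || return 1
  GNUPGHOME="$work/gnupg"; export GNUPGHOME
  mkdir -p "$GNUPGHOME" "$work/release" && chmod 700 "$GNUPGHOME"
  printf 'constructed release contents\n' > "$work/release/mono-x.y.z.tar.bz2"
  gpg --batch --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'Release Engineer (demo) <[email protected]>' \
      default default never >/dev/null 2>&1 || return 1
  make_sums "$work/release" mono-x.y.z.tar.bz2 || return 1
  sign_sums "$work/release" '[email protected]' || return 1
  verify_release "$work/release" && good=0 || good=$?
  tamper_release "$work/release" mono-x.y.z.tar.bz2
  verify_release "$work/release" && bad=0 || bad=$?
  echo "clean release: rc=$good (expect 0); tampered release: rc=$bad (expect 1)"
  gpgconf --kill gpg-agent >/dev/null 2>&1
  rm -rf "$work"
  [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

if command -v gpg >/dev/null 2>&1; then demo || echo "demo failed"; fi
```

On a real release the downloader additionally needs the release key's fingerprint from a channel independent of the download site (the kernel.org page the thread links to publishes it that way); `gpg --verify` succeeding against a key fetched from the same compromised server would prove nothing.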
