Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sign released binaries using PGP #934

Open
jromero opened this issue Nov 4, 2020 · 9 comments
Open

Sign released binaries using PGP #934

jromero opened this issue Nov 4, 2020 · 9 comments
Labels
size/md Medium level of effort status/ready Issue ready to be worked on. type/chore Issue that requests non-user facing changes.

Comments

@jromero
Copy link
Member

jromero commented Nov 4, 2020

Deferred from #799

Description

I would like to have proof that the pack releases on my system are the ones released by the Buildpacks organization.

Proposed solution

When releasing pack releases, we should sign the artifacts, using PGP signing.

@jromero jromero added type/chore Issue that requests non-user facing changes. status/triage Issue or PR that requires contributor attention. labels Nov 4, 2020
@jromero jromero added size/md Medium level of effort and removed status/triage Issue or PR that requires contributor attention. labels Mar 3, 2021
@jromero jromero added this to the 0.19.0 milestone Mar 3, 2021
@jromero jromero added the status/ready Issue ready to be worked on. label Mar 3, 2021
@dfreilich dfreilich modified the milestones: 0.19.0, 0.20.0 Jun 15, 2021
@jromero jromero modified the milestones: 0.20.0, 0.21.0 Jul 14, 2021
@importhuman
Copy link
Member

Is there any preference for either minisign (mentioned in #799) or the OpenPGP standard? Haven't worked out how either would be used, but wanted to know before I started. Also, I couldn't confirm whether minisign uses GPG/PGP keys, in case it's relevant.

@sambhav
Copy link
Member

sambhav commented Aug 26, 2021

Would it be better to use cosign? We already use it for signing lifecycle images. FWIW We can also use it with goreleaser now https://goreleaser.com/customization/sign/

(goreleaser also allows for gpg signing)

@jromero jromero modified the milestones: 0.21.0, 0.22.0 Sep 1, 2021
@jromero jromero removed this from the 0.22.0 milestone Oct 26, 2021
@inglor
Copy link

inglor commented Apr 22, 2024

Any progress on this?

@jjbustamante
Copy link
Member

Hi @inglor

No yet, I talked with @natalieparellano in the past because we did something similar for lifecycle and I think we can do it for pack too. I think I can work on this for pack 0.35 or 0.36

@inglor
Copy link

inglor commented Apr 22, 2024

Cosign is regarding the releases already build images you publish. I'm talking about how does downstream systems certify the tag in the git repository is indeed a tag created by the developers of the project. By signing the git tag (similar to how you already do your commits) downstream systems can individually certify these tags were indeed done by the said developer who is part of the project's release individuals.

A simple GPG sign of the tag and a list of PGP public keys who has access/permission to publish releases in the <root> of the repository (usually named KEYS) is enough for now. That is some effort from developers but if this is shared by a trusted small circle is OK and to my view is less effort from cosigning.

edit: I had initially misunderstood the cosigning part, now corrected it.

@natalieparellano
Copy link
Member

Just to be clear I think there are 3 separate things we will want to sign:

I think we will want to do all of these. Some are more effort than others, but they are all quite achievable and we should prioritize them. We should have parity across pack and the lifecycle.

@inglor
Copy link

inglor commented Apr 22, 2024

@natalieparellano

Thanks for the summary. I think you are correct and I'm mostly interested in 1st item from the list.

I had risen #2138 before I closed it in favour of this when I misunderstood the cosigning procedure. Would you like me to reopen or track everything here as one item concerning signing?

@natalieparellano
Copy link
Member

Would you like me to reopen or track everything here as one item concerning signing?

@jjbustamante WDYT? One issue per thing being signed might be easier to track IMO

@jjbustamante
Copy link
Member

Yes, I agree on having issue per artifact to be signed. @inglor we can re-open #2138 I think

@natalieparellano natalieparellano added status/ready Issue ready to be worked on. and removed status/ready Issue ready to be worked on. labels Jul 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
size/md Medium level of effort status/ready Issue ready to be worked on. type/chore Issue that requests non-user facing changes.
Projects
None yet
Development

No branches or pull requests

7 participants