-
-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider signing release source tarballs #3024
Comments
We already sign our git tags, and since the SHA of a git tag depends on its content, that carries the same information as a signed source tarball. Verifying the content of the source tarball that github generates sounds like a significant extra step in our release process, and I am not enthusiastic about adding more steps to our already cumbersome release process - particularly given the information requested already appears to be available, and this appears to be working around deficiencies in downstream release tools/processes. I'm open to being convinced, though... |
@richvdh Unless I’m wrong, this means you’re asking to pull the whole git tree just for verifying one tag signature. This might be significantly larger in size than just the source release tarball. Also, building a package from a git tag is not recommended generally, because then the tag could be changed upstream (so here in this case) without notice. Even if we do trust you in not mangling with this, we just prefer having this supplemental layer of security. ;) |
You can get git to just clone the source for the tag in question, with
I'm unclear why changing a tag (and resigning) is a bigger risk than changing the source tarball (and re-signing that)? |
OK, wasn’t knowing about --depth, clear enhancement here. It still makes the build process depending on git however, something I would avoid ideally (for the sake of minimal dependencies), but even would that be fixed here riot build process still implies git anyway (at least for now, but eventually that’s also something I’d like to change — let’s keep it for another ticket).
We hardcode checksums of source tarballs in our PKGBUILDs (see here), so would you change the tarball that would be detected by checksum not matching anymore. Unless you also try hard to get the same checksum, but then the sig file checksum would catch you. I agree that git-pull-from-a-tag checksum is something that could once more be added in our packaging tool, but with git signatures verification not currently accepted (or even discussed by main devs AFAIK), I see this even less likely to land in ArchLinux’s makepkg. And I don’t know about other distros, but I doubt they are a lot with really better handling of this. What I don’t understand is how much cumbersome this looks to you. It seems fairly simple to me, but maybe I’m missing something here. |
Hrm. You could equally well embed the sha of the git tag, so I guess this just comes down to tooling. The only distro I know much about is Debian. As fair as I know they are happy to build from git tags; I think their approach is actually to maintain a fork of the upstream package.
Actually I just saw the "alternative local workflow" at the bottom. That does indeed look simple. |
Yes, that what my next paragraph was about. ;)
Yes, and I would in fact think of it as the default one rather than alternative. Sorry not to have mentioned it explicitly, but glad you found out by ourself and seems to consider it as not too “cumbersome”. ;) |
When we are doing a signed release, also create a sig for the 'archive' tarball which github creates for us. Fixes element-hq/element-web#3024.
release 0.9.7 includes a signature for the source tarball, and I've opened a PR to include it in the release script for future releases, so this will be resolved. However, on reflection, I'm not sure how far it is going to get you. The build process involves lots of other dependencies, which are downloaded by |
@richvdh Thanks for this. :) I agree that the situation with But having riot source release signed is still a gain, and having it already in place for the day I didn’t find your PR though, is the release script handled outside of this repo? |
Yes, see matrix-org/matrix-js-sdk#351 |
Oh and just a thought, why did you add it |
To make it obvious it is for the source, rather than the binary tarball. |
OK, I kinda expected this answer, and I’ll live with that (since I’m not even sure the renaming part we use in our PKGBUILD would work with two files). |
Nevermind, the paths are not even the same:
So this require separate handling anyway. ;) |
@richvdh I don’t know how you’ve generated the one for release 0.9.7, especially what was different w.r.t. https://github.com/matrix-org/matrix-js-sdk/pull/351/files, but I’ve just figured out that every release since 0.9.8-rc.1 included has a mismatching sig for the release tarball (i.e. e.g. https://github.com/vector-im/riot-web/releases/download/v0.9.8-rc.1/v0.9.8-rc.1-src.tar.gz.asc does not verify https://github.com/vector-im/riot-web/archive/v0.9.8-rc.1.tar.gz). I highly suspect |
@dbkr can we fix this for the next release? |
It turns out that what is different is that @dbkr did the last couple of releases, on his Mac, and that his version of gzip generates slightly different things to the linux version, which apparently github use. Releasing on linux isn't an option because building the electron artifacts is too hard there... |
Hum… And I guess that generating the sigs for the source tarball (not the one with electron artifacts) on a different machine is too much burden? I guess so since in the current setup it’s just one more file generated by the release script, while here it would mean doing the release in two steps. |
tested using GNU Gzip on a Mac ( |
We believe this got fixed in matrix-org/matrix-js-sdk#438. Dave just released 0.9.10-rc.1 which has a good source signature. |
Nice, thank you. I especially like the way you where able to solve this with some sort of intermediate way between the two from the Debian wiki. Maybe that could be a nice addition to this one by the way, you might not be the only people with non GNU gzip or producing slightly different tarball. ;) |
Packagers have asked that we pgp-sign source tarballs for our releases.
The text was updated successfully, but these errors were encountered: