Cryptographically sign source releases

Since “Remove GPG signature of released package (b5480ec0bbc8) · Commits · Tryton / Tools / Maintenance · GitLab”, there are no more signatures for the packages uploaded on https://downloads.tryton.org/.
This may create uncertainty for those who are using this side-channel to get Tryton.

The other channels rely on the security of third parties like Docker, the Python Package Index or distributions, with the exception of the bundles (except flatpak), for which we would need to solve “Sign build (#8055) · Issues · Tryton / Tryton · GitLab”.

So the proposal is to sign the source files again, but not using a personal GPG key.
GPG is too complex to use correctly, it is complicated to share the signing key between different maintainers, and finally rolling the key is not easy either.
Instead the proposal is to use signify (which has a portable version).
In order to renew the signing key frequently, a new key is generated for each series and used for the initial release and, during the life-time of the series, to sign all the bug-fix releases.
The public key for each series is published on the website (in plain text) and is also available for download on https://downloads.tryton.org/signify/.
The secret keys are kept only by the release manager(s). To ease the release process (avoid a passphrase prompt for each package), the keys are stored in plain text but on encrypted storage.
In case the secret key of a still maintained series is compromised, a new one is generated and new packages will be signed by the new key.
Once in place, all the packages of the currently maintained series will be signed with the new keys.

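The per-series signify workflow described in the proposal, exercised end to end as an added example (this is not code from the Tryton project or from the thread). It assumes the portable signify is installed as `signify-openbsd` (Debian/Ubuntu package name) or `signify`, and it uses constructed key and package file names; the real layout under https://downloads.tryton.org/signify/ is not specified in the post. The key is generated without a passphrase (`-n`) because the proposal keeps the secret key in plain text on encrypted storage. The demonstration also shows the two failure cases a user of the download site cares about: a package signed with another series' key, and a package altered after signing.

```shell
#!/bin/sh
# Added example, not part of the original thread. File names are constructed.
set -eu

# Debian/Ubuntu ship the portable version as "signify-openbsd"; OpenBSD as "signify".
SIGNIFY=$(command -v signify-openbsd || command -v signify || true)

# Release-manager side: one key pair per series. -n skips the passphrase, as the
# proposal does; the .sec file then relies entirely on the encrypted storage.
make_series_key() {   # $1 = series (e.g. 7.0); writes tryton-$1.pub and tryton-$1.sec
    "$SIGNIFY" -G -n -c "Tryton $1 release key (constructed example)" \
        -p "tryton-$1.pub" -s "tryton-$1.sec"
}

# Sign one package with the series key; the signature is written next to it as <file>.sig.
sign_package() {      # $1 = series, $2 = package file
    "$SIGNIFY" -S -s "tryton-$1.sec" -m "$2" -x "$2.sig"
}

# User side: verify a download against the published series public key.
# Exit status 0 means the signature is valid for this exact file content. signify
# embeds a key number in both the key and the signature, so a signature made
# with a different series' key is rejected before any cryptographic check.
verify_package() {    # $1 = public key file, $2 = package file
    "$SIGNIFY" -V -q -p "$1" -m "$2" -x "$2.sig"
}

# Walk through the scheme in a scratch directory.
# Returns 0 if every check behaved as expected, 3 if signify is not installed, 1 otherwise.
demo() {
    [ -n "$SIGNIFY" ] || { echo "signify not installed" >&2; return 3; }
    work=$(mktemp -d)
    (
        cd "$work"
        make_series_key 7.0 >/dev/null 2>&1 || exit 1
        make_series_key 6.8 >/dev/null 2>&1 || exit 1
        printf 'constructed tarball contents\n' > trytond-7.0.0.tar.gz
        sign_package 7.0 trytond-7.0.0.tar.gz || exit 1

        # 1. Genuine package, correct series key: must verify.
        verify_package tryton-7.0.pub trytond-7.0.0.tar.gz || exit 1
        # 2. Genuine package, key of another series: must be rejected.
        if verify_package tryton-6.8.pub trytond-7.0.0.tar.gz 2>/dev/null; then exit 1; fi
        # 3. Package modified after signing: must be rejected.
        printf 'x' >> trytond-7.0.0.tar.gz
        if verify_package tryton-7.0.pub trytond-7.0.0.tar.gz 2>/dev/null; then exit 1; fi
    )
    rc=$?
    rm -rf "$work"
    return "$rc"
}
```

For a real download the user-side step is the only one needed: fetch the series `.pub` file from the website and run `verify_package tryton-<series>.pub <package>`; because the public key is fetched from the same site as the package, comparing it with the copy published in plain text on the website (the second channel the proposal mentions) is what gives the check its value.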

So the download site that is owned (and controlled) by the project is now a ‘side-channel’? Interesting.

Just to understand it correctly:
You feel GPG is too complicated, although it is widely used to sign source packages. Instead you want to replace one public-key system with another public-key system, which is not widespread and not a popular tool in the Linux world, thereby breaking all the workflows that verify signatures on Tryton packages.
Just to have one key per major release, which I assume can be managed with GPG as well.
Is this understanding about right?
