Procedure for verification of release files lacks verification of public key

[cardil]

What happened?

The procedure for verification of release files lacks verification of public key:

goreleaser/www/docs/install.md

Lines 156 to 162 in 9cc1bb1

	1. Verify the signature:
	```sh
	cosign verify-blob \
	--cert checksums.txt.pem \
	--signature checksums.txt.sig \
	checksums.txt
	```

The attacker could easily replace all files, including the public key. Without checking the public key is valid, users can't be sure the downloads are valid. Public key needs to be verified, before being trusted.

Proper procedure should include something like:

2. Verify the public key fingerprint by running command:

$ base64 -d checksums.txt.pem | openssl x509 -noout -fingerprint
SHA1 Fingerprint=63:44:7F:5F:EE:A7:D9:14:20:B3:22:9F:40:25:BB:94:5D:8B:03:67

How can we reproduce this?

Go to: https://goreleaser.com/install/?h=verify#verifying-the-artifacts

goreleaser version

Do not apply

GoReleaser Check

• goreleaser check shows no errors

Search

• I did search for other open and closed issues before opening this.

Code of Conduct

• I agree to follow this project's Code of Conduct

Additional context

No response

[caarlos0]

Thanks @cardil

will investigate

[cardil]

The question would be: How users can make sure the public key they are downloading is valid? If attacker can replace release files, surly he can also craft a public key, or make changes to the website.

Cosign keyless mode solves this issue by utilizing rektor log.

Gpg public keys can be stored on keys.opengpg.org and search by email, and that gives quite strong signal the key is valid.

[caarlos0]

Cosign keyless mode solves this issue by utilizing rektor log.

I know, this is what we're using, but for some reason it isn't allowing verify-blob without the public key

you can verify it with rekor-cli if you know the uuid:

rekor-cli get --uuid 190dbbf9ffc81cc77508cbdf3026a9acac00a879a70da8e67642d91e5221c063 --format=json |
  jq -r .Body.HashedRekordObj.signature.publicKey.content |
  base64 -d | 
  openssl x509 -text -noout

# or 

cat checksums.txt.pem | 
  base64 -d | 
  openssl x509 -text -noout

see sigstore/cosign#1406 for more info

[cardil]

Your problem might be the same, as I had. It turns out there are 2 types of signatures (keyless, and keyful) and the proper one needs to be used for keyless mode.

See: sigstore/cosign#1390.

[caarlos0]

hey, I'm using keyless only...

[caarlos0]

this is being fixed in upstream cosign sigstore/cosign#2058

cosign will still be needed to verify the signatures though.

that said, closing

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.