Procedure for verification of release files lacks verification of public key #2876
Comments
Thanks @cardil, will investigate.
The question would be: how can users make sure the public key they are downloading is valid? If an attacker can replace release files, surely he can also craft a public key, or make changes to the website. Cosign keyless mode solves this issue by utilizing the Rekor log. GPG public keys can be stored on keys.opengpg.org and searched by email, and that gives a quite strong signal the key is valid.
I know, this is what we're using, but for some reason it isn't allowing verify-blob without the public key. You can verify it with rekor-cli if you know the uuid:

```shell
rekor-cli get --uuid 190dbbf9ffc81cc77508cbdf3026a9acac00a879a70da8e67642d91e5221c063 --format=json \
  | jq -r .Body.HashedRekordObj.signature.publicKey.content \
  | base64 -d \
  | openssl x509 -text -noout
# or
cat checksums.txt.pem \
  | base64 -d \
  | openssl x509 -text -noout
```

See sigstore/cosign#1406 for more info.
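The two comments above describe the defender-side fix: in keyless mode the trust anchor is not a public key shipped next to the artifacts but the identity in the Fulcio certificate that Rekor logged, so verification has to pin that identity rather than accept whatever certificate is in the download directory. The bash script below is an added example, not goreleaser's own docs or code. It assumes the cosign v2 `verify-blob` flags `--certificate-identity-regexp` and `--certificate-oidc-issuer`, the goreleaser file layout `checksums.txt`, `checksums.txt.sig`, `checksums.txt.pem`, and constructed placeholder values for the expected issuer and workflow identity that a user would replace with values confirmed out of band.

```shell
#!/usr/bin/env bash
# Added example (not goreleaser's code): verify a GoReleaser release that was
# signed with cosign keyless, pinning the signing identity instead of trusting
# a public key or certificate fetched from the same download location.
set -u

# Constructed placeholders: pin these to the OIDC issuer and release-workflow
# identity you have confirmed out of band (e.g. from the project's CI config).
EXPECTED_OIDC_ISSUER="${EXPECTED_OIDC_ISSUER:-https://token.actions.githubusercontent.com}"
EXPECTED_IDENTITY_RE="${EXPECTED_IDENTITY_RE:-^https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/.*}"

# Portable SHA-256 of one file (coreutils sha256sum, or shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Step 1: verify the detached keyless signature on checksums.txt. The two
# identity flags are the point of the issue: without them any valid keyless
# signature (including one an attacker made for a swapped checksums.txt)
# would pass, because the certificate would be accepted on its own terms.
verify_checksums_signature() {
  local dir="$1"
  cosign verify-blob \
    --certificate "$dir/checksums.txt.pem" \
    --signature "$dir/checksums.txt.sig" \
    --certificate-oidc-issuer "$EXPECTED_OIDC_ISSUER" \
    --certificate-identity-regexp "$EXPECTED_IDENTITY_RE" \
    "$dir/checksums.txt"
}

# Step 2: check each downloaded archive against the now-trusted checksums.txt
# ("<sha256>  <filename>" per line), skipping entries that were not
# downloaded. Returns 1 on any mismatch or if nothing could be verified.
verify_checksums() {
  local dir="$1" verified=0 expected name actual
  [ -f "$dir/checksums.txt" ] || return 1
  while read -r expected name; do
    [ -n "$expected" ] || continue
    [ -f "$dir/$name" ] || continue
    actual=$(sha256_of "$dir/$name")
    if [ "$actual" != "$expected" ]; then
      echo "MISMATCH: $name" >&2
      return 1
    fi
    verified=$((verified + 1))
  done < "$dir/checksums.txt"
  [ "$verified" -gt 0 ]
}

# Full procedure: signature and identity first, file hashes second.
verify_release() {
  verify_checksums_signature "$1" && verify_checksums "$1"
}

# Usage: verify_release /path/to/downloaded-release-files
```

Order matters: `verify_checksums` on its own proves only that the archives match a checksums file, which an attacker who replaced every file can also regenerate; the identity-pinned `verify-blob` step is what ties that file to the project's release workflow via the Rekor-logged certificate.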
Your problem might be the same as I had. It turns out there are 2 types of signatures (keyless and keyful) and the proper one needs to be used for keyless mode. See: sigstore/cosign#1390.
hey, I'm using keyless only...
This is being fixed in upstream cosign: sigstore/cosign#2058. cosign will still be needed to verify the signatures though. That said, closing.
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
What happened?
The procedure for verification of release files lacks verification of public key:
goreleaser/www/docs/install.md
Lines 156 to 162 in 9cc1bb1
The attacker could easily replace all files, including the public key. Without checking that the public key is valid, users can't be sure the downloads are valid. The public key needs to be verified before being trusted.
Proper procedure should include something like:
How can we reproduce this?
Go to: https://goreleaser.com/install/?h=verify#verifying-the-artifacts
Additional context
No response