Release signing and key ? #3408
Labels
bug
Something isn't working
Comments
|
Could you include more detail here, @nipil ? What exactly are you asking for? If you're looking to verify the integrity of the assets downloaded, you can verify the SHA256 checksum. $ wget https://github.com/gruntwork-io/terragrunt/releases/download/v0.67.7/terragrunt_linux_amd64
$ wget https://github.com/gruntwork-io/terragrunt/releases/download/v0.67.7/SHA256SUMS
$ grep "$(sha256sum terragrunt_linux_amd64 | awk '{print $1}')" SHA256SUMS |
|
Hello
I was looking for something akin to gpg signing (or anything similar, tuf,
cosign) to build an actual *trust* (in the cryptographic sense) instead of
just data *integrity* (i.e. hashes).
The difference being, that with integrity only, anyone with access could
swap/modify both the binary and the hash, without anyone seing anything
(aka provider-in-the-middle attack, or insider attack, etc). With signing,
it makes sure that only the ones who have a secret have "stamp" the content
: access alone to the files then becomes "not enough" to plant
bogus-but-hash-correct content. Except it they get acess to your private
key too, of course...
Exemple of other products providing trust : any debian repository requises
a key ring the end user trusts, rclone provides a public key and sign their
sha256sums, or others provide a detached signature for each of the
binary/packaged.
Thanks for your time
Nicolas
Le mar. 17 sept. 2024, 22:02, Yousif Akbar ***@***.***> a
écrit :
… Could you include more detail here, @nipil <https://github.com/nipil> ?
What exactly are you asking for?
If you're looking to verify the integrity of the assets downloaded, you
can verify the SHA256 checksum.
$ wget https://github.com/gruntwork-io/terragrunt/releases/download/v0.67.7/terragrunt_linux_amd64
$ wget https://github.com/gruntwork-io/terragrunt/releases/download/v0.67.7/SHA256SUMS
$ grep "$(sha256sum terragrunt_linux_amd64 | awk '{print $1}')" SHA256SUMS
—
Reply to this email directly, view it on GitHub
<#3408 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABODGW4SADZIQFURVVCNK3TZXCDFPAVCNFSM6AAAAABOHSRIUGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGNJWG44TMMJTHA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
I think we need to re-use the same approach as for engine releases - including GPG signature file for checksums |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Could you add code signing for the hash file, so that we can verify the download with a trust anchor ?
Thanks in advance
The text was updated successfully, but these errors were encountered: