Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Publish checksums #799

Closed
1 task
dfreilich opened this issue Aug 12, 2020 · 3 comments · Fixed by #807
Closed
1 task

Publish checksums #799

dfreilich opened this issue Aug 12, 2020 · 3 comments · Fixed by #807
Labels
size/sm Small level of effort type/chore Issue that requests non-user facing changes.
Milestone
0.15.0

Comments

@dfreilich
Copy link
Member

Description

I would like to have proof that the pack releases on my system are the ones released by the Buildpacks organization.

Proposed solution

When releasing pack releases, we should publish checksums of the artifacts (sha256), and sign the artifacts as well (using PGP signing).

Describe alternatives you've considered

Additional context

  • This feature should be documented somewhere
@dfreilich dfreilich added type/enhancement Issue that requests a new feature or improvement. status/triage Issue or PR that requires contributor attention. size/sm Small level of effort and removed status/triage Issue or PR that requires contributor attention. labels Aug 12, 2020
@dfreilich dfreilich added this to the 0.13.0 milestone Aug 12, 2020
@jromero jromero added type/chore Issue that requests non-user facing changes. and removed type/enhancement Issue that requests a new feature or improvement. labels Aug 12, 2020
@dfreilich
Copy link
Member Author

This has been an open issue in K8s (kubernetes/release#914) as well for a while, with a bunch of useful links posted. Some of the tools we may want to consider are:

  • minisign (mentioned here)
  • tuf (CNCF graduated) – Framework to secure software update systems

goreleaser seems like a really helpful tool to remove some of the complexity around releasing, but I'm not sure it's necessary for us

Initially, I'll work towards adding 2 new files per each release artifact:

  1. pack-X.....sha256 (sha256 checksum)
  2. pack-X.....asc (gpg signature)

@dfreilich dfreilich mentioned this issue Aug 18, 2020
Merged
2 tasks
@jromero jromero modified the milestones: 0.13.0, 0.14.0 Aug 19, 2020
@dfreilich dfreilich reopened this Sep 4, 2020
@dfreilich
Copy link
Member Author

The linked PR didn't include PGP signing.

@jromero jromero modified the milestones: 0.14.0, 0.15.0 Sep 30, 2020
@jromero
Copy link
Member

jromero commented Nov 4, 2020

@dfreilich can we create a new issue for that? I feel like it's not as critical given the added complexity.

@jromero jromero closed this as completed Nov 4, 2020
@jromero jromero changed the title Publish checksums/signed releases Publish checksums Nov 4, 2020
@jromero jromero mentioned this issue Nov 4, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
size/sm Small level of effort type/chore Issue that requests non-user facing changes.
Projects
None yet
Milestone
0.15.0
Development

Successfully merging a pull request may close this issue.

Add .sha256 files to releases buildpacks/pack
2 participants
@jromero @dfreilich