Update Readme section on verifying signatures

[MylesBorins]

EDIT:

We now generate detached signatures for all release lines. There is no documentation on how to verify this. An update to the Readme would be great!

---

Original

The current process for verifying releases is outputting a warning

gpg: Signature made Thu May  5 17:56:43 2016 CDT using RSA key ID 4C206CA9
gpg: Good signature from "Evan Lucas <evanlucas@me.com>" [ultimate]
gpg:                 aka "Evan Lucas <evanlucas@keybase.io>" [ultimate]
gpg: WARNING: not a detached signature; file 'SHASUMS256.txt' was NOT verified!

A script to verify and output is included in this gist

[MylesBorins]

/cc @rvagg @nodejs/build

[jasnell]

@evanlucas

[evanlucas]

yea, I noticed this earlier. It isn't just mine though. Every release I've run against has shown the same thing (although I haven't gone back too much)

[rvagg]

OK, so here's the thing that's going on here: when you do a --verify, gpg will look at the file being verified and if there's an equivalent non-signed file then it'll assume you're working with a detached signature, which we don't do. This is happening here because you're also downloading SHASUMS256.txt and have it beside SHASUMS256.txt.asc. Try removing or renaming the former and you'll get a different result because gpg will decide it's a cleartext signed document with the sig inside the doc rather than detached from it.

But this raises an interesting point because detached signatures offer a bit more safety than we offer and maybe we should switch our signing mechanism to use them instead, or as well. The reason is that gpg will only verify the contents between -----BEGIN PGP SIGNED MESSAGE----- and -----BEGIN PGP SIGNATURE----- using the signature found within. But we are recommending a simple grep. So someone wishing to insert a bad build onto nodejs.org could just add a new line outside of the validated block with their new shasum and the filename and the file would still get verified and the invalid shasum would be grepped just fine. i.e. we don't have enough steps on our README to properly handle this case so it's actually not all that secure.

Detached signatures give you a signature for an entire file in a separate file. If we shipped a SHASUMS256.txt.sig as a detached signature then you'd download that as well as SHASUMS256.txt and gpg --verify would check the sig against the original and verify the whole thing. Then our instructions on the README about using grep against SHASUMS256.txt would be perfectly acceptable.

@nodejs/crypto @jbergstroem can you --verify my logic above ^?

[bnoordhuis]

@rvagg Yes, that's right. I assume the .asc is created with gpg --clearsign --sign <file>? Changing that to gpg -b <file> would produce a detached signature.

[jasnell]

Yep, spot on explanation. I definitely think moving to the detached signature would be the best choice here.

[MylesBorins]

thanks for digging in. +1 on detached signature as well

[mhdawson]

+1 for detached signatures.

[evanlucas]

Works for me

[Fishrock123]

Detached seems better to me, will doing this impact anyone?

[jasnell]

Not likely. The verification step is essentially the same.

[MylesBorins]

What needs to be done to move to detached signatures?

[bnoordhuis]

@thealphanerd #6821 (comment), basically.

[rvagg]

I'd like to handle this one pls

[MylesBorins]

@rvagg any movement on this?

[rvagg]

fix @ #9071

[rvagg]

Will leave this issue open as a reminder to update the README with instructions on using the new sigs. They are live for all releases now, e.g. https://nodejs.org/download/release/v7.0.0/

[lots0logs]

@rvagg Would it be possible to backport this to the current LTS branch?

[jasnell]

Ping @nodejs/lts

[MylesBorins]

@lots0logs the fix landed in v4.6.2 and v6.9.1

[MylesBorins]

I've changed the title of this issue to make it a good first contribution. We need to update the Readme with instructions on how to verify releases.

[neeharv]

Would be happy to work on this if no one else has already done so!

[bthemukul]

Hi @MylesBorins , @neeharv ,
Even I would like to contribute in any way possible and wanted to work on this.
So please share & let me know, how can I help. Thank you!
Cheers!

[maclover7]

@MylesBorins Should this be closed? The readme contains instructions about verifying via SHASUMS256.txt.asc

[rvagg]

This is still an active TODO. We need to switch to recommending use of SHASUM256.txt and SHASUM256.txt.sig rather than the .asc files for reasons I stated above when making the case for detached signatures. Since we've been doing detached signatures for many months now it's time to update the README with the safer recommendation.

[nurupo]

It might be worth mentioning that one shouldn't rely on the exit code of gpg --verify, as it exits with 0, i.e. success, even if the key has been revoked or expired, as long as the signature was made with that key. So if someone steals nodejs's release key, makes a malicious release with it and nodejs people revoke it, gpg --verify would still return 0 even with gpg knowing that the key is revoked.