Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sign Releases for Authentication (PGP, GPG) #987

Open
maltfield opened this issue Sep 3, 2023 · 3 comments
Open

Sign Releases for Authentication (PGP, GPG) #987

maltfield opened this issue Sep 3, 2023 · 3 comments
Labels
enhancement

Comments

@maltfield
Copy link
Contributor

maltfield commented Sep 3, 2023
edited
Loading

Description

Currently it is not possible to verify the authenticity of the downloads from sourceforge.net, github.com, or phplist.org because the releases are not cryptographically signed.

This makes it hard for phpList users to safely obtain the phpList software, and it introduces them (and potentially their customer's data) to watering hole attacks.

Steps to Reproduce

  1. Go to the https://www.phplist.org/download-phplist page
  2. Go to Sourceforge download page https://sourceforge.net/projects/phplist/files/phplist/
  3. Click the version directory
  4. Click download
  5. ???

Expected behavior

A few things are expected:

  1. I should be able to download the phpList PGP key out-of-band from popular third-party keyservers (eg https://keys.openpgp.org/)
  2. I should be able to download a cryptographic signature of the release (or, better, the releases' digest file, such as a SHA256SUMS.asc file) along with the release itself
  3. The downloads page itself should include a link to the documentation page that describes how to do the above two steps

Actual behavior

There's just literally no information on verifying downloads, and it appears that it is not possible to do so.

Versions

Everything, all versions. Plugins too.
@maltfield
Copy link
Contributor Author

maltfield commented Sep 3, 2023
edited
Loading

And just to be clear, the purpose of this ticket is to address issues with authentication of the software release, not just integrity.

Publishing hashes (that are not signed) provides integrity. Unsigned hashes do not provide authentication.

Without signatures, there is no way for a phpList user to verify that the phpList release that they downloaded is authentic (that is to say, it was in-fact produced by the phpList team -- as opposed to some malicious actor). This is important to defend many attack vectors, including a Publishing Infrastructure Compromise.

Such attacks, including Publishing infrastructure Comprimise, have happened to many open-source projects historically. For an incomplete list of such events, please see:

Currently phpList users have no way to defend against such an attack. By providing signatures with each release (either by signing the release directly or by signing the hash/digest files), users would finally be able to verify the authenticity of a given release after downloading it & before installing it.

@maltfield
Copy link
Contributor Author

maltfield commented Sep 3, 2023
edited
Loading

For more information on best-practices of signing releases with GPG, please see:

  1. https://infra.apache.org/release-signing
  2. https://docs.opendev.org/opendev/system-config/latest/signing.html
  3. https://wiki.debian.org/Subkeys
  4. https://riseup.net/en/security/message-security/openpgp/best-practices

@michield
Copy link
Member

michield commented Sep 4, 2023

Yes, good point, we'll sort that out

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@michield @maltfield