A plugin should print the checksums to the log #58
Comments
You should be using binary signing with a GPG key for such a use case.
Checksums are anyway not that secure; as @lafriks said, use GPG for signing. There is also a plugin available for it. I personally don't use this feature at all, I prefer to build checksums on my own.
I might be missing something, but GPG would only prove that I (as the author) am me. I can still print it in the logs. If I don't print it, I can still do the signing. Then build the same code locally + evil patch, sign it and place it in releases. Yes, I will be responsible and lose credit, but that only proves I did it. I was more looking to prove that something was built on a public CI that I don't control. It was built there, hashed there. GPG would solve my problem if cloud.drone.io provided their widely trusted signing key.
If you don't trust the owner of the product, you should probably compile it from source.
It is important to verify that it was the CI that uploaded the artifacts.
Assume I am a GitHub repo owner, but I don't own the CI server; I use a public one.
A user can then read the CI logs to see the checksums, download the archive and check them. This prevents the GitHub owner from deleting the CI release and manually putting up a malicious binary with a correct new hash sum.
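The workflow the issue describes, as an added example that is not the plugin's or the project's own code: the CI side hashes each release artifact and prints one line per file to the build log in the two-space `sha256sum` format, and a user later recomputes the hash of the archive they downloaded and compares it with the line captured from the public CI log. SHA-256, the file names and contents, and the surrounding log lines are all constructed here for the demonstration.

```python
"""Added example (not the plugin's own code): checksums printed to a CI log,
then verified by a user against what they downloaded. File names, contents
and log lines are constructed for this demonstration."""
import hashlib
import hmac
import re
from typing import Dict, List

# sha256sum output format: 64 hex chars, two spaces, file name
CHECKSUM_LINE = re.compile(r"^([0-9a-f]{64})\s{2}(\S.*)$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ci_checksum_lines(artifacts: Dict[str, bytes]) -> List[str]:
    """CI side: one `<hash>  <filename>` line per artifact, to be printed to the build log."""
    return [f"{sha256_hex(content)}  {name}" for name, content in sorted(artifacts.items())]


def parse_checksum_log(log_text: str) -> Dict[str, str]:
    """User side: pull the checksum lines out of a captured CI log, ignoring other output."""
    found: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = CHECKSUM_LINE.match(line.strip())
        if m:
            found[m.group(2)] = m.group(1)
    return found


def verify_download(name: str, data: bytes, expected: Dict[str, str]) -> str:
    """Return 'ok' when the download matches the hash the CI logged,
    'mismatch' when it differs (the release asset is not what CI built),
    or 'missing' when the CI log never recorded a hash for that file."""
    if name not in expected:
        return "missing"
    if hmac.compare_digest(sha256_hex(data), expected[name]):
        return "ok"
    return "mismatch"


# Constructed release artifacts, standing in for the archives a build would produce.
ARTIFACTS: Dict[str, bytes] = {
    "tool-linux-amd64.tar.gz": b"constructed release archive bytes (linux)",
    "tool-windows-amd64.zip": b"constructed release archive bytes (windows)",
}

# Constructed CI log: ordinary build output with the checksum lines mixed in.
CI_LOG = "\n".join(
    ["[step] build", "+ go build ./..."]
    + ci_checksum_lines(ARTIFACTS)
    + ["[step] release", "+ upload done"]
)


def demo() -> Dict[str, str]:
    """Check a genuine download, a tampered one, and a file the CI never hashed."""
    expected = parse_checksum_log(CI_LOG)
    return {
        "genuine": verify_download("tool-linux-amd64.tar.gz", ARTIFACTS["tool-linux-amd64.tar.gz"], expected),
        "tampered": verify_download("tool-linux-amd64.tar.gz", b"replaced by someone with release access", expected),
        "unlogged": verify_download("tool-darwin-arm64.tar.gz", b"never built on CI", expected),
    }


if __name__ == "__main__":
    for line in ci_checksum_lines(ARTIFACTS):
        print(line)
    print(demo())
```

The point of parsing the log rather than a `SHA256SUMS` file shipped alongside the release is the one the issue makes: the log lives on the CI provider, so a repository owner who later replaces a release asset cannot also rewrite the hash that was recorded at build time.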