
A plugin should print the checksums to the log #58

Open
igor-petruk opened this issue Oct 25, 2019 · 4 comments

Comments

@igor-petruk

It is important to verify that it was a CI that uploaded the artifacts.

Assume I am a Github repo owner, but I don't own the CI server - I use a public one.

A user can then read CI logs to see the checksums, download the archive and check them. This prevents the GitHub owner from deleting the CI release and manually putting up a malicious binary, providing a correct new hash sum.
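
The verification flow described in this post, as an added example that is not code from the drone plugin or from the issue author: the CI side hashes each release artifact and prints `sha256sum`-style lines to the log, and the user side re-parses those lines and checks a downloaded archive against them. The artifact names and contents are constructed sample data; `ChecksumLines`, `ParseChecksums` and `VerifyArtifact` are names chosen here, not part of any plugin API. An artifact with no recorded checksum is treated as a failure rather than a pass, so a release whose log entry was removed does not verify silently.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// ChecksumLines returns one "<hex sha256>  <name>" line per artifact, in the
// same two-space format as `sha256sum`, sorted by name so log output is stable.
// This is what the CI step would print before uploading the release.
func ChecksumLines(artifacts map[string][]byte) string {
	names := make([]string, 0, len(artifacts))
	for n := range artifacts {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(artifacts[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.String()
}

// ParseChecksums parses sha256sum-style lines (as copied from the CI log)
// into a name -> lowercase hex digest map. Blank lines and '#' comments are
// skipped; anything else that is not "<64 hex chars> <name>" is an error.
func ParseChecksums(lines string) (map[string]string, error) {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(lines))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed checksum line: %q", line)
		}
		if _, err := hex.DecodeString(fields[0]); err != nil {
			return nil, fmt.Errorf("bad hex digest in line %q: %w", line, err)
		}
		// sha256sum prefixes the name with '*' when it hashed in binary mode.
		name := strings.TrimPrefix(fields[1], "*")
		out[name] = strings.ToLower(fields[0])
	}
	return out, sc.Err()
}

// VerifyArtifact hashes the downloaded bytes and compares the digest, in
// constant time, with the one recorded for name. A missing entry is an error:
// a replaced release must not pass just because its log line is gone.
func VerifyArtifact(expected map[string]string, name string, data []byte) error {
	want, ok := expected[name]
	if !ok {
		return fmt.Errorf("%s: no checksum recorded in CI log", name)
	}
	sum := sha256.Sum256(data)
	got := hex.EncodeToString(sum[:])
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return fmt.Errorf("%s: checksum mismatch: log says %s, download is %s", name, want, got)
	}
	return nil
}

func main() {
	// Constructed sample artifacts standing in for real release archives.
	built := map[string][]byte{
		"tool-linux-amd64.tar.gz":  []byte("constructed sample archive v1 (linux)"),
		"tool-darwin-amd64.tar.gz": []byte("constructed sample archive v1 (darwin)"),
	}
	logged := ChecksumLines(built) // what the CI log would show
	fmt.Print(logged)

	expected, err := ParseChecksums(logged) // what the user copies from the log
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:", VerifyArtifact(expected, "tool-linux-amd64.tar.gz", built["tool-linux-amd64.tar.gz"]))
	fmt.Println("replaced:", VerifyArtifact(expected, "tool-linux-amd64.tar.gz", []byte("constructed tampered archive")))
	fmt.Println("unlisted:", VerifyArtifact(expected, "tool-windows-amd64.zip", []byte("anything")))
}
```

Note that this only closes the gap the post describes if the log is written by CI infrastructure the repository owner cannot edit after the fact; the checksum itself carries no information about who computed it.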

@lafriks

lafriks commented Oct 25, 2019

You should be using binary signing with a GPG key for such a use case.

@tboerger
Contributor

Checksums are not that secure anyway; as @lafriks said, use GPG for signing. There is also a plugin available for it. I personally don't use this feature at all, I prefer to build checksums on my own.

@igor-petruk
Author

I might be missing something, GPG would only prove that I (as the author) am me. I can still print it in the logs. If I don't print, I can still do the signing. Then build the same code locally + evil patch, sign it and place it in releases. Yes, I will be responsible and lose credit, but that only proves I did it.

I was more looking to prove that something was built on a public CI that I don't control. It was built there, hashed there.

GPG would solve my problem if cloud.drone.io provided their widely trusted signing key.

@lafriks

lafriks commented Oct 25, 2019

If you don't trust the owner of the product, you should probably compile it from source.
