particl / particl-core

Particl Core integration/staging tree

Home Page:https://particl.io


PGP Signed Releases/Hashes

particlmike33 opened this issue · comments

It would be nice from a security perspective to have the releases signed themselves, and/or the hashes signed.

Thanks! Where can I find the pgp key to verify the signed file?

https://github.com/particl/gitian.sigs/tree/master/0.21.2.6-osx-unsigned/tecnovert doesn't seem to have it. gpg says the signature is valid and it's signed with this key:

8E51 7DC1 2EC1 CC37 F642  3A8A 13F1 3651 C9CF 0D6B

But where is that listed as yours/the particl team?

https://github.com/tecnovert.gpg has 2 keys, fingerprints:

C9F4 35A6 9536 D938 D0AB  37A1 6C1A 887B 4701 EAE3

and

62C7 4C11 3CD9 E31D AA65  564F 8ED6 D875 0C4E 3F93

Both of which don't match the key that signs the gitian file.

Also, maybe the signed files and pgp keys should be listed under each release? That's where I normally see them with open source projects.

And am I missing something: why is the osx build named unsigned? Perhaps a stupid question.

Thanks!

The release signing keys are listed here:
https://github.com/particl/particl-core/blob/master/contrib/builder-keys/keys.txt#L55

You can import them with gpg like:
gpg --keyserver hkps://keys.openpgp.org --recv-keys 8E517DC12EC1CC37F6423A8A13F13651C9CF0D6B
https://github.com/particl/particl-core/blob/master/contrib/builder-keys/README.md

Also, maybe the signed files and pgp keys should be listed under each release?

Bitcoin and most forks use a separate repo. The intention is not to have to rely on a single signature by having multiple people validate and sign the builds.

Why is the osx named unsigned?

The windows and osx releases are additionally signed with codesigning keys to disable the 'unknown developer' warning that's shown when they're installed. We have a key for windows but not osx.

Ah I see, thanks for explaining!

So are the two keys that are available at https://github.com/tecnovert.gpg not your valid keys anymore?

Because your key under https://github.com/particl/particl-core/blob/master/contrib/builder-keys/keys.txt#L55 is a different one (and the one used to sign the gitian)

Maybe someone could write a page on particl's site about how to verify the signatures and it can be linked to from https://particl.io/downloads? And also from the github release section? So people know where to go (gitian and builder keys).

I could help with that if you think it's a good idea

I use the keys at https://github.com/tecnovert.gpg to sign git commits; there are two, as one is an ECC pubkey and the other is older. I use the 8E517 key to sign releases only.

There's a page on the wiki that I could link to from the github release section:
https://particl.wiki/tutorial/security/verify-downloads/

Although it does not yet have a section on verifying the signatures. Can you add that?

Thanks for the info on the keys!

Yeah, it sounds like a good idea to link to that page, and yeah I can add something about verifying signatures!

Where would I do that exactly, do we have a github for the documentation? Or should I just write a word doc and send it your way?

Also, I'm a bit confused why the hashes under the "out_manifest" in each OS's corresponding build.assert don't match the hashes under the release page?

Where would I do that exactly

There should be an "Edit this page" link at the top right of that page which should automatically create a PR on github.

why the hashes ... doesn't match the hashes under the release page

All hashes in the release pages match those in the assert files.
The debug builds in the assert files don't appear in the release page as they're too large to reasonably upload.

Thanks for explaining the edit.

Sorry if I'm being stupid, but for example the osx hashes under the release page here: https://github.com/particl/particl-core/releases/tag/v0.19.2.19

I can't find the corresponding osx hashes here on gitian: https://github.com/particl/gitian.sigs/blob/master/0.21.2.6-osx-unsigned/tecnovert/particl-osx-0.21.2.6-build.assert

I used find and they aren't there.

Our core version 0.19.2.19 uses bitcoin core 0.21.2.6, so I picked those gitian assert files. What am I doing wrong?

Double check the links.
You're looking for 0.19.2.19 hashes in the assert file for 0.21.2.6.

https://github.com/particl/gitian.sigs/blob/master/0.19.2.19-osx-unsigned/tecnovert/particl-osx-0.19.2.19-build.assert#L3

Our core version 0.19.2.19 uses bitcoin core 0.21.2.6

Not sure where you got that from. Particl Desktop uses Particl Core 0.21.2.6
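The step that follows the gpg verification described earlier in the thread (import the builder key from keys.txt, then `gpg --verify` the `.assert.sig` against the `.assert` file) is comparing the hashes in the signed `out_manifest` with the files you actually downloaded, and with the list on the release page. The script below is an added example written for this thread, not code from the particl-core project: it parses the `out_manifest` block of a gitian `build.assert`, cross-checks it against a release-page hash list, and hashes a local download. The assert text, file contents and release hash list are constructed stand-ins (the hashes are derived from placeholder bytes, not from real Particl binaries); the file names follow the gitian naming scheme seen in the thread, and the debug tarball is present only in the assert, as the maintainer explains.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample release artifacts: gitian-style names, placeholder contents.
SAMPLE_FILES: Dict[str, bytes] = {
    "particl-0.19.2.19-osx-unsigned.dmg": b"constructed dmg payload\n",
    "particl-0.19.2.19-osx64.tar.gz": b"constructed tarball payload\n",
    "particl-0.19.2.19-osx64-debug.tar.gz": b"constructed debug payload\n",
}

# Constructed build.assert in the gitian layout; out_manifest hashes come from SAMPLE_FILES.
SAMPLE_ASSERT = "--- !!omap\n- out_manifest: |\n" + "".join(
    f"    {sha256_hex(data)}  {name}\n" for name, data in SAMPLE_FILES.items()
) + (
    "- in_manifest: |\n"
    "    " + "0" * 64 + "  particl-0.19.2.19.tar.gz\n"
    "- base_manifests: !!omap\n"
    "  - focal: |\n"
    "    " + "1" * 64 + "  apt-cache.tar.xz\n"
)

# Constructed stand-in for the hash list on a release page: the debug tarball is
# deliberately absent, since debug builds are not uploaded to the release page.
SAMPLE_RELEASE_HASHES: Dict[str, str] = {
    name: sha256_hex(data) for name, data in SAMPLE_FILES.items() if "-debug" not in name
}


def parse_out_manifest(assert_text: str) -> Dict[str, str]:
    """Extract {file name: sha256} from the out_manifest block of a build.assert.
    in_manifest and base_manifests are skipped: only output hashes are of interest."""
    manifest: Dict[str, str] = {}
    in_out = False
    for line in assert_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("- ") and stripped.endswith(": |"):
            in_out = stripped == "- out_manifest: |"
            continue
        if stripped.startswith("- ") or stripped.startswith("---"):
            in_out = False  # any other YAML key ends the out_manifest block
            continue
        if in_out and stripped:
            digest, sep, name = stripped.partition("  ")
            if sep and len(digest) == 64:
                manifest[name.strip()] = digest.lower()
    return manifest


def reconcile(release_hashes: Dict[str, str], manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Cross-check a release page's hash list against the signed out_manifest.
    Every release-page entry must appear in the manifest with the same digest;
    entries present only in the manifest (e.g. debug tarballs) are reported separately."""
    report: Dict[str, List[str]] = {"matched": [], "mismatched": [], "missing_from_assert": [], "assert_only": []}
    for name, digest in sorted(release_hashes.items()):
        if name not in manifest:
            report["missing_from_assert"].append(name)
        elif manifest[name] == digest.lower():
            report["matched"].append(name)
        else:
            report["mismatched"].append(name)
    report["assert_only"] = sorted(set(manifest) - set(release_hashes))
    return report


def check_download(path: str, manifest: Dict[str, str]) -> str:
    """Hash a downloaded file and compare it with the manifest entry for its name.
    Returns 'ok', 'mismatch' or 'not-in-manifest'."""
    expected = manifest.get(os.path.basename(path))
    if expected is None:
        return "not-in-manifest"
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return "ok" if h.hexdigest() == expected else "mismatch"


def demo() -> Dict[str, object]:
    """Run the checks on the constructed data, including one tampered download."""
    manifest = parse_out_manifest(SAMPLE_ASSERT)
    report = reconcile(SAMPLE_RELEASE_HASHES, manifest)
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "particl-0.19.2.19-osx64.tar.gz")
        with open(good, "wb") as f:
            f.write(SAMPLE_FILES[os.path.basename(good)])
        bad = os.path.join(tmp, "particl-0.19.2.19-osx-unsigned.dmg")
        with open(bad, "wb") as f:
            f.write(b"tampered payload\n")  # constructed: bytes that do not match the manifest
        results = {"good": check_download(good, manifest), "tampered": check_download(bad, manifest)}
    return {"report": report, **results}


if __name__ == "__main__":
    print(demo())
```

Against a real download you would replace `SAMPLE_ASSERT` with the contents of the `.assert` file whose signature gpg has just accepted, and pass the path of the downloaded binary to `check_download`; a name that is in the manifest but not on the release page is expected for debug builds, while a mismatch or a release-page entry missing from the assert is what should stop you installing.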

Ah, I see my mistake, thanks. I was looking at Particl Desktop. Why is the most recent particl core release 0.19.2.19 if Particl Desktop uses 0.21.2.6?

Nodes running the partyman script will update to the latest full release.

The intention is to keep a significant number of nodes running v0.19 in case there are undiscovered issues in v0.21.

I see, thanks, I have proposed edits to the page, let me know what you think!

It looks ok to me, thanks.

Please open a PR into the main repo so Allien can see it.

Thanks for explaining everything, I opened a PR and added an issue in Particl Desktop to feature request signatures for that as well.