Code signing for Piwik releases, and explain to users how to verify PGP signatures #1757
Comments
I suggest providing a md5/sha1 hash for every Piwik release which can then be checked against the distributed files. We could store those hashes on a different machine so that compromising a single machine doesn't compromise everything at once.
GPG is more of an enterprise IT feature. Most users won't have the pear/pecl packages to use this. We can certainly generate sha1 hashes. (This is needed by the Web App Gallery.) Storing the hashes on a different machine has its benefit, but is difficult to automate.
I think it would be a good idea if it was optional in the Settings, e.g. a checkbox to verify the signature of updates, requiring some gnupg extension.
Revised proposal:
I'm going to defer the logistics of distributing the hashes to other machines. We don't have the infrastructure for that yet.
Also requested in #5036 Insecure installation archives
Aren't the hashes of the source archives from http://debian.piwik.org/pool/main/p/piwik/ signed in the respective
http://debian.piwik.org has a "how to use", it'd be nice however if it also mentioned the key fingerprint to use but yeah I guess that could be a workaround if upstream authors agree the key can be trusted |
Yes, but the https://debian.piwik.org/repository.gpg key (66FED89E) appears to be different from the key used to sign the
@jaakristioja Just quickly jumping in. Yes, the key is different because it's the maintainer's key (mine). My key is used to sign the package and that signature is verified when the package is uploaded but before it's published. I will read the entire correspondence later in the day (I'm at work) and I'll see if there's anything we can do to improve the overall security.
@filippog @jaakristioja the page https://debian.piwik.org/ has been updated and now contains the key-id/key-fingerprint associated with the repository and the published packages. As I said earlier, the most important part is the repository key which signs the entire repository. Please let us know if that's all good for you.
@aureq @jaakristioja LGTM, thanks! Looking forward to having signed upstream tarballs too.
Good news everyone, from now on I am signing all releases with my PGP key. Kudos @aureq for improving the package script in https://github.com/piwik/piwik-package You can find the keys as the filenames with For example latest release: https://builds.piwik.org/piwik.zip.asc You can verify the signature as follows:

```
gpg --search-key 5590A237
# enter 1
gpg --edit-key 5590A237 trust
# enter 5
# enter y
gpg --verify piwik.zip.asc
```

See also #6673 I'd like to create a FAQ to let people know. Am I missing anything / is it working well?
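The recipe above makes the signature check pass by marking the key as ultimately trusted in the user's own trust database, and it identifies the key by the short ID 5590A237. As an added example (my own code, not Piwik's tooling or anything from the piwik-package repository), the POSIX shell function below does what the follow-up replies in this thread ask for: it works in a throwaway GnuPG home instead of the user's keyring, pins the full 40-hex-digit fingerprint rather than a short ID, and accepts only a VALIDSIG issued by that pinned key. The function name verify_release, its argument order and the file names in the comments are my assumptions; the fingerprint, the exported public key and the detached signature are whatever the project publishes (for Piwik, the .asc files on builds.piwik.org referenced in this issue).

```shell
#!/bin/sh
# Added example (not Piwik's own code): verify a release archive against its
# detached PGP signature inside a throwaway GnuPG home directory, so the result
# does not depend on what is already in the user's keyring or trust database.
# Instead of "trust / 5" we pin the full fingerprint and accept only a VALIDSIG
# status line from that key.
#
# Usage: verify_release <expected_fingerprint> <public_key.asc> <archive> <archive.asc>
# Returns 0 only when the imported key matches the pinned fingerprint AND the
# signature over the archive verifies.  All four inputs are fetched by the
# caller (e.g. signature.asc and piwik.zip.asc from the builds server);
# nothing is hard-coded here.

verify_release() {
    # Normalise the pinned fingerprint: strip spaces, upper-case hex digits.
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    pubkey=$2
    archive=$3
    sig=$4

    # Fresh, private GnuPG home so no stale keys or trust settings interfere.
    gnupghome=$(mktemp -d) || return 1
    chmod 700 "$gnupghome"

    # Import the published key; failure here means a malformed key file.
    if ! gpg --homedir "$gnupghome" --batch --quiet --import "$pubkey" 2>/dev/null; then
        rm -rf "$gnupghome"; return 1
    fi

    # Pin check: the primary key fingerprint (field 10 of the first "fpr:"
    # record in --with-colons output) must equal the expected one.
    actual=$(gpg --homedir "$gnupghome" --batch --with-colons --fingerprint 2>/dev/null \
             | awk -F: '$1 == "fpr" { print $10; exit }')
    if [ "$actual" != "$want" ]; then
        echo "fingerprint mismatch: got ${actual:-none}, expected $want" >&2
        rm -rf "$gnupghome"; return 1
    fi

    # Verify using the machine-readable status lines rather than human text.
    # A bad or tampered archive makes gpg exit non-zero; a good one emits
    # "[GNUPG:] VALIDSIG <signing-key-fpr> ... <primary-key-fpr>".
    if status=$(gpg --homedir "$gnupghome" --batch --status-fd 1 \
                    --verify "$sig" "$archive" 2>/dev/null); then
        rc=0
    else
        rc=1
    fi
    rm -rf "$gnupghome"
    [ "$rc" -eq 0 ] || return 1

    # Accept the signature only if the pinned fingerprint is the signing key
    # (field 3) or the primary key it belongs to (last field).
    printf '%s\n' "$status" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { found = 1 }
        END { exit found ? 0 : 1 }'
}
```

Call it as `verify_release "<full fingerprint>" signature.asc piwik.zip piwik.zip.asc` and treat a non-zero exit as "do not install". Because the fingerprint is compared directly, a key that merely happens to share a short ID, or a signature from some other key in the user's keyring, is rejected without any trust-database editing.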
IMO the next logical security step is to enable the download of the Piwik builds over SSL from https://builds.piwik.org instead of HTTP. See Download Piwik upgrade packages via HTTPS #6441
Looks good, I'd recommend using the full gpg fingerprint instead of short IDs. Also it'd be nice to provide a copy of the key to be downloaded from somewhere too (e.g. linked from the FAQ itself). +1 to downloading over https and verifying with gpg as mentioned in #6441. BTW a simpler way to verify the signature on the file in isolation without relying on the user's keyring:
HTH,
Seems to work, but a key fingerprint would be nice indeed. I recommend also putting the full public key on the webserver in case connecting to the keyserver fails (e.g. for people behind firewalls blocking outgoing connections to HKP port 11371). PS: Thank you very much! :)
So, the correct way to do this should be:
@mattab I agree with @jaakristioja and your public key should be in
My PGP public key signature is on the builds server now: http://builds.piwik.org/signature.asc Next is to create an FAQ and maybe a blog post I think, if someone wants to volunteer... 👍
New blog post: How to verify signatures for Piwik release packages. New FAQ: How do I verify the cryptographic PGP signature of Piwik packages? Added a small note in the core team workflow bit about releases. Looks done now 👍
Hello,
@mattab I think what @theznx is saying is to add details and instructions on how to verify the signature on this download page: https://piwik.org/download/ What's missing to me is a link to the GPG signature (
@theznx we could add such a note in the Download page of Piwik. Would you mind creating a new separate issue, as this one is already closed?
As an additional security feature (against MITM attack):
Client verification via either (or both):