
Security improvements about vigil HOT 10 CLOSED

williamdes commented on June 4, 2024
Security improvements

from vigil.

Comments (10)

valeriansaliou commented on June 4, 2024 2

It's a small world! :)

Gotcha on the signature thing. I'll come out w/ something, and see if that model can be applied to all my projects, subject to scripted releases.

What would you do ideally? Just GPG-sign each published archive, and provide a .sig file with the archive name, such that:

  • For archive: v1.23.1-armv7.tar.gz
  • Signature file is: v1.23.1-armv7.tar.gz.sig (or: v1.23.1-armv7.sig?)


williamdes commented on June 4, 2024 2

I'll be back to Nantes pretty soon, currently in Prague.

On the releases signature thing: it's done! Both the archive and the .asc file can be downloaded, as well as my GPG key, and verified as such:

[image]

Automated this in my release scripts across all my Rust OSS projects, and signed all latest releases. Thank you for suggesting this.

Oh cool, it's a very very nice city!
cc @Guileas
Maybe we can create a Rust meeting in Nantes?

Thank you so much for adding the GPG signature everywhere, it will definitely help


Guileas commented on June 4, 2024 2

A meeting in Nantes what a good idea!
Ping me when the date is set 👍


valeriansaliou commented on June 4, 2024 1

Hi William,

Are you from Bretagne as well? I come from here too! Thank you for the generous sponsorship, it's really appreciated! :)

On your two suggestions:

  • Signed tags: thank you for this, I did not know that tags could be signed, I only knew about signed commits. I've enabled this in my gitconfig, so all future tags pushed will be signed. I've also re-tagged v1.23.1 w/ a signature, to test my setup:

[image]

  • Signed release builds: can do that as well, but so far I've assumed that we can trust GitHub not to alter uploaded release files, and all authorized maintainers (that is, for now, only myself) to be trustworthy persons who publish legit release packages. I'll see what I can do on that one too.


valeriansaliou commented on June 4, 2024 1

I'll be back to Nantes pretty soon, currently in Prague.

On the releases signature thing: it's done! Both the archive and the .asc file can be downloaded, as well as my GPG key, and verified as such:

[image]

Automated this in my release scripts across all my Rust OSS projects, and signed all latest releases. Thank you for suggesting this.


valeriansaliou commented on June 4, 2024 1

We will be at https://eurorust.eu/ in Berlin, will you?

Would have been interested! But unfortunately I'm not available at those dates.


williamdes commented on June 4, 2024

Hi William,

Are you from Bretagne as well? I come from here too! Thank you for the generous sponsorship, it's really appreciated! :)

Yeah, I am currently in the center of Brittany 🎉

I am very happy to sponsor Rust work that will be used by my company @wdes

On your two suggestions:

  • Signed tags: thank you for this, I did not know that tags could be signed, I only knew about signed commits. I've enabled this in my gitconfig, so all future tags pushed will be signed. I've also re-tagged v1.23.1 w/ a signature, to test my setup:

That's cool! You can force push the tag if you want to make it available. It can wait for the next release.

  • Signed release builds: can do that as well, but so far I've assumed that we can trust GitHub not to alter uploaded release files, and all authorized maintainers (that is, for now, only myself) to be trustworthy persons who publish legit release packages. I'll see what I can do on that one too.

Haha yes, but we can not trust third parties that easily (IMO). I personally think it is too easy to steal a token from you or find a way to alter the artifact without anyone noticing. Having gpg signatures for the artifacts just makes sure that:

  • you uploaded it
  • my scripts using it will be sure nobody altered the binary in transit


williamdes commented on June 4, 2024

Yeah, will you go to France any time soon?

From what I observed, most packaging people provide .asc files. They're just --armor signature files. .sig files are just binary content that is not easy to copy-paste if necessary.

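The consuming side of what this thread asks for, as an added example that is not code from the vigil project or from either commenter: a POSIX sh script that verifies a release archive against its detached, ASCII-armored .asc signature and a signed git tag, and accepts a signature only from one pinned key fingerprint. The same status-line parser serves both checks. It assumes GnuPG 2.x (gpg, gpgconf) and git on PATH; the archive name v1.23.1-armv7.tar.gz follows the thread, while the maintainer key file, the fingerprint and the tag name are constructed placeholders.

```sh
#!/bin/sh
# Added example, not code from the vigil project. Verifies a release archive
# against its detached .asc GPG signature, and a signed git tag, accepting only
# signatures from one pinned key fingerprint. Assumes GnuPG 2.x and git on
# PATH; file names, tag name and fingerprint below are constructed placeholders.

# check_status EXPECTED_FPR   (reads gpg "--status-fd" output on stdin)
# Returns 0 only when gpg reported VALIDSIG and either the signing key
# (field 3) or its primary key (last field) equals EXPECTED_FPR. A plain
# "Good signature" from any other key in the keyring is rejected.
check_status() {
    expected="$1"
    status="$(cat)"
    [ -n "$expected" ] || return 1
    # gpg still emits VALIDSIG for an expired or revoked key, so reject these first.
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)'; then
        return 1
    fi
    fprs="$(printf '%s\n' "$status" |
        awk '/^\[GNUPG:\] VALIDSIG /{print $3; print $NF}')"
    if printf '%s\n' "$fprs" | grep -Fxq -- "$expected"; then
        return 0
    fi
    return 1
}

# verify_release ARCHIVE SIG_ASC PUBKEY_ASC EXPECTED_FPR
# Imports only the maintainer's public key into a throwaway GNUPGHOME, so the
# result does not depend on whatever else sits in the user's keyring.
verify_release() {
    archive="$1"; sig="$2"; pubkey="$3"; expected="$4"
    home="$(mktemp -d)" || return 1
    chmod 700 "$home"
    rc=1
    # --status-fd 1 puts the machine-readable lines on stdout; human text goes to stderr.
    if gpg --homedir "$home" --batch --quiet --import "$pubkey" >/dev/null 2>&1 &&
       gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$archive" 2>/dev/null |
       check_status "$expected"; then
        rc=0
    fi
    gpgconf --homedir "$home" --kill gpg-agent >/dev/null 2>&1
    rm -rf "$home"
    return "$rc"
}

# verify_tag TAG EXPECTED_FPR
# "git verify-tag --raw" prints gpg's status lines to stderr. git uses the
# caller's keyring (GNUPGHOME), so the pinned fingerprint is the real check.
verify_tag() {
    git verify-tag --raw "$1" 2>&1 >/dev/null | check_status "$2"
}

# Stand-alone self-check with a throwaway key and a constructed "archive":
# sign it, verify it, then show that a tampered copy is rejected.
selfcheck() {
    work="$(mktemp -d)"; keyhome="$work/keys"; archive="$work/v1.23.1-armv7.tar.gz"
    mkdir -p "$keyhome" && chmod 700 "$keyhome"
    gpg --homedir "$keyhome" --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Release Bot <bot@example.invalid>' default default never \
        >/dev/null 2>&1 || { echo "selfcheck: key generation failed"; rm -rf "$work"; return 1; }
    fpr="$(gpg --homedir "$keyhome" --with-colons --fingerprint | awk -F: '/^fpr:/{print $10; exit}')"
    gpg --homedir "$keyhome" --armor --export > "$work/maintainer.asc"
    printf 'constructed archive bytes\n' > "$archive"
    gpg --homedir "$keyhome" --batch --pinentry-mode loopback --passphrase '' --armor \
        --detach-sign --output "$archive.asc" "$archive"
    verify_release "$archive" "$archive.asc" "$work/maintainer.asc" "$fpr" &&
        echo "genuine archive: accepted"
    printf 'x' >> "$archive"   # simulate alteration in transit
    verify_release "$archive" "$archive.asc" "$work/maintainer.asc" "$fpr" ||
        echo "tampered archive: rejected"
    gpgconf --homedir "$keyhome" --kill gpg-agent >/dev/null 2>&1
    rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1; then selfcheck; fi
```

The fingerprint pin is the part that matters: gpg's human-readable "Good signature" only says that some key in the keyring produced the signature, so a script that greps for it would accept an artifact signed by any key that was ever imported. Parsing the VALIDSIG status line against a fingerprint the script ships with, and verifying inside a keyring that holds only the maintainer's key, is what turns the .asc file into the "nobody altered the binary in transit" guarantee the thread is after.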

valeriansaliou commented on June 4, 2024

That's a cool idea. If you want to discuss that we may continue over email, ping me anytime!


williamdes commented on June 4, 2024

We will be at https://eurorust.eu/ in Berlin, will you?
