Clarify gpg verification #11063
Clarify gpg verification #11063
Conversation
hasufell
force-pushed
the
clarify-gpg-verification
branch
2 times, most recently
from
7823d46
to
3104b3a
Compare
hasufell
force-pushed
the
clarify-gpg-verification
branch
from
3104b3a
to
5f0ec56
Compare
|
I agree with your premise, but your tone isn't exactly welcoming -- please try to show a bit more empathy if you wish to continue collaborating in this project. Our goal with this section of documentation is to educate and inform, not to "silence". If we're going to add a note about this, I think we should be more specific -- for example, verifying the signature on an MD5 checksum is not really as strong as one on SHA256 (to put another way, the checksum needs to be "cryptographically secure" as well). I also think this addition should be up a bit higher (not hiding in one of the examples); perhaps something like this: The purpose in recommending PGP signature verification ...
**Note:** it is not strictly necessary to have a signature on each of the individual downloaded artifacts -- if there is a signature on something like a `SHA256SUMS` file (where the checksum is a secure ["cryptographic hash"](https://en.wikipedia.org/wiki/Cryptographic_hash_function) like SHA256 and notably NOT MD5 or SHA1), then it is cryptographically sufficient to verify the signature on that file and then verify that checksum on the downloaded file. It is still recommended to embed the full checksum in the `Dockerfile`, as explained in the following paragraph.
The purpose in recommending checksum ...
Below are some examples:However, to properly do it "justice" it ends up getting a bit wordy -- perhaps there's a decent guide or article someone has written elsewhere that we could link to instead of including all this detail here? (Otherwise I'd probably prefer to punt this addition to be part of #6282 instead so we can have something like a dedicated file to describe low-level details like this better and keep the high-level overview short.) |
Could you clarify whether you're interested in me improving this PR? And if so what exactly do you need? I don't know of any guide explaining PGP+hash use. It's somewhat basic cryptography knowledge. |
|
Honestly, I don't have a really strong opinion on the best way to incorporate this yet. I was hoping we could discuss it a bit more and help tip the scales, but it sounds like you're not up for that (which is totally fair). Given that, I'm going to add this to the backlog, and we'll come back to it later; thanks for the suggestion! |
Some docker image developers not understanding what a hash function is have previously told me my installer has to gpg-verify all the tarballs instead of their checksums.
Of course that's nonsense, because then the internet, all distros (including ubuntu) and even blockchains in this world would be broken.
Adding this as a note here should silence this.
Thanks.