Start adding .asc signature files for tar files to validate signature #53917
Comments
@nodejs/releasers this is your area, right?
We already sign the SHASUMS256.txt file.
I'm using Gradle to verify the dependencies and downloading the I also get the following when I run gpg:
@RafaelGSS was going to reupload his key (with extended expiry). However, note that that signing key had not expired at the time Node.js 16.20.2 was released (August 2023) and signed.
The checksum file is nice for manual validation; however, for automated signature checking with a tool like Gradle it does not help at all (or I haven't found a way yet). It'd be great if we could have per-platform armored files to enable automated signature verification when downloading the artifact.
It should be solved now.
@RafaelGSS reviving this thread, I see the key was updated, but is it not possible to publish an .asc file for each artifact released? For example, the end result would look like this: https://repo1.maven.org/maven2/org/jetbrains/kotlinx/kotlinx-coroutines-core/1.8.1/
Maybe? cc: @richardlau. However, if we do that, we'll need to redo it every 2 years (the usual expiry date for keys, at least mine).
What is the problem this feature will solve?
Right now, node uses SHA256 checksums to verify published artifacts like tars. Signatures offer stronger security. Some packages already do this like Yarn: https://github.com/yarnpkg/yarn/releases/tag/v1.22.17
What is the feature you are proposing to solve the problem?
Start adding .asc signature files in index (e.g. https://nodejs.org/download/release/v16.20.2/)
What alternatives have you considered?
No response
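The verification path the thread describes today (a signed SHASUMS256.txt rather than a per-artifact .asc) as an added example script, not part of the issue or of the Node.js project's own tooling. It assumes SHASUMS256.txt.asc is a clearsigned copy of the checksum list published under the release index on the page, that the release signing key is already in the local gpg keyring, and that curl, gpg and sha256sum (or shasum) are installed; the function names are my own.

```shell
#!/usr/bin/env sh
# Verify a Node.js release tarball via the signed SHASUMS256.txt list:
# 1. check the OpenPGP signature on the checksum list,
# 2. check the tarball's SHA-256 against the entry for its exact file name.

sha256_of() {
  # Hex digest of a file; GNU coreutils first, BSD/macOS shasum as fallback.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# expected_sha256 <checksum-file> <artifact-name>
# Prints the digest recorded for exactly that name; non-zero exit if absent.
# Header and signature lines of a clearsigned file never match field 2.
expected_sha256() {
  awk -v name="$2" '$2 == name { print $1; found = 1 } END { exit !found }' "$1"
}

# verify_artifact <checksum-file> <artifact-path>
# Succeeds only if the file's digest equals the recorded one.
verify_artifact() {
  name=$(basename "$2")
  want=$(expected_sha256 "$1" "$name") || { echo "no entry for $name" >&2; return 1; }
  have=$(sha256_of "$2")
  [ "$want" = "$have" ]
}

# verify_release <version> <artifact-name>
# Fetches the clearsigned checksum list and the artifact from the release index,
# then checks signature first and checksum second. Assumes the signing key is
# already trusted in the keyring; gpg exits non-zero otherwise.
verify_release() {
  base="https://nodejs.org/download/release/$1"
  curl -fsSLO "$base/SHASUMS256.txt.asc" || return 1
  curl -fsSLO "$base/$2" || return 1
  gpg --verify SHASUMS256.txt.asc || { echo "signature check failed" >&2; return 1; }
  verify_artifact SHASUMS256.txt.asc "$2"
}

# Usage: sh verify.sh v16.20.2 node-v16.20.2-linux-x64.tar.gz
if [ $# -eq 2 ]; then
  verify_release "$1" "$2" && echo "verified $2"
fi
```

Note that a signature over the list only binds the tarball if its name matches exactly, which is why the lookup compares whole field values rather than grepping a substring.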