
Start adding .asc signature files for tar files to validate signature #53917

Open
omarismail94 opened this issue Jul 18, 2024 · 8 comments
Labels
feature request Issues that request new features to be added to Node.js.

Comments

@omarismail94

What is the problem this feature will solve?

Right now, node uses SHA256 checksums to verify published artifacts like tars. Signatures offer stronger security. Some packages already do this like Yarn: https://github.com/yarnpkg/yarn/releases/tag/v1.22.17

What is the feature you are proposing to solve the problem?

Start adding .asc signature files in index (e.g. https://nodejs.org/download/release/v16.20.2/)

What alternatives have you considered?

No response

@omarismail94 omarismail94 added the feature request Issues that request new features to be added to Node.js. label Jul 18, 2024
@RedYetiDev
Member

@nodejs/releasers this is your area, right?

@richardlau
Member

We already sign the SHASUMS256.txt file.
e.g. https://nodejs.org/download/release/v16.20.2/SHASUMS256.txt.asc

@omarismail94
Author

I'm using Gradle to verify the dependencies, and downloading the SHASUMS256.txt.asc and placing it with the tar artifacts did not work. I then renamed the file to node-16.20.2-darwin-arm64.tar.gz.asc and kept only the PGP signature, and added the full fingerprint ID of the key to the verification-metadata.xml file, but Gradle still failed to verify the dependency.

I also get the following when I run gpg:

gpg --verify  node-16.20.2-darwin-arm64.tar.gz.asc 
gpg: assuming signed data in '../../prebuilts/androidx/external/org/nodejs/node/16.20.2/node-16.20.2-darwin-arm64.tar.gz'
gpg: Signature made Wed  9 Aug 17:40:10 2023 BST
gpg:                using RSA key 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4
gpg: BAD signature from "RafaelGSS <[email protected]>" [expired]

@richardlau
Member

richardlau commented Jul 18, 2024

I also get the following when I run gpg:

gpg --verify  node-16.20.2-darwin-arm64.tar.gz.asc 
gpg: assuming signed data in '../../prebuilts/androidx/external/org/nodejs/node/16.20.2/node-16.20.2-darwin-arm64.tar.gz'
gpg: Signature made Wed  9 Aug 17:40:10 2023 BST
gpg:                using RSA key 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4
gpg: BAD signature from "RafaelGSS <[email protected]>" [expired]

@RafaelGSS was going to reupload his key (with extended expiry). However note that that signing key had not expired at the time Node.js 16.20.2 was released (August 2023) and signed.
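
As an added example (not the Node.js project's own code) tying together the two points richardlau makes above, namely that the detached signature covers SHASUMS256.txt rather than each tarball, and that a good signature may have been made by a key that has since expired: the script below verifies the signature over the checksum file with gpg, pins the signing key's full fingerprint rather than accepting any "Good signature", and only then checks the tarball against its sha256 line. A signature made over SHASUMS256.txt that is applied to the tarball (as in the renamed .asc above) yields BADSIG, because the signed data does not match. The script layout, the subprocess call to gpg, the sample file names and the constructed status lines are assumptions; the pinned fingerprint is the one printed in the gpg output above.

```python
"""Verify a Node.js release tarball against the signed SHASUMS256.txt.

Added example, not code from the Node.js project. Assumes the layout from this
thread: SHASUMS256.txt.asc is a detached signature over SHASUMS256.txt, and each
tarball is verified by the sha256 line in that signed file.
"""
import hashlib
import hmac
import re
import subprocess
import sys
from pathlib import Path

# One line per artifact, in sha256sum format: "<64 hex chars>  <filename>".
SHASUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")


def parse_shasums(text: str) -> dict[str, str]:
    """Map artifact filename -> expected sha256 (lowercase hex)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SHASUMS_LINE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(shasums_text: str, name: str, data: bytes) -> bool:
    """True only if `name` is listed in the checksum file and `data` matches it."""
    expected = parse_shasums(shasums_text).get(name)
    if expected is None:
        return False  # an artifact the signed list does not cover is not verified
    return hmac.compare_digest(expected, sha256_bytes(data))


def evaluate_gpg_status(status_output: str, trusted_fingerprints: set[str]) -> tuple[bool, str]:
    """Judge `gpg --status-fd 1 --verify` output against pinned fingerprints.

    BADSIG: the signed data does not match (what the thread shows when
    SHASUMS256.txt.asc is renamed and applied to the tarball).
    GOODSIG / EXPKEYSIG: the signature is good; EXPKEYSIG adds that the key
    has expired since, the situation discussed above.
    VALIDSIG carries the full fingerprint, which must be pinned: a good
    signature from an arbitrary key proves nothing about the release.
    """
    good = False
    fingerprint = None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "BADSIG":
            return False, "BADSIG: signature does not cover this data"
        if tag in ("GOODSIG", "EXPKEYSIG"):
            good = True
        elif tag == "VALIDSIG" and len(fields) > 2:
            fingerprint = fields[2].upper()
    if not good or fingerprint is None:
        return False, "no good signature found"
    if fingerprint not in {f.upper() for f in trusted_fingerprints}:
        return False, f"good signature, but key {fingerprint} is not pinned"
    return True, f"good signature by pinned key {fingerprint}"


def gpg_verify(sig_path: Path, data_path: Path, trusted_fingerprints: set[str]) -> tuple[bool, str]:
    """Run gpg (must be installed, with the release keys imported) and judge its status lines."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig_path), str(data_path)],
        capture_output=True, text=True, check=False,
    )
    return evaluate_gpg_status(proc.stdout, trusted_fingerprints)


def verify_release(shasums: Path, sig: Path, tarball: Path, trusted_fingerprints: set[str]) -> tuple[bool, str]:
    """Full check: signature over SHASUMS256.txt first, then the tarball's digest."""
    ok, why = gpg_verify(sig, shasums, trusted_fingerprints)
    if not ok:
        return False, why
    if not verify_artifact(shasums.read_text(), tarball.name, tarball.read_bytes()):
        return False, f"{tarball.name} missing from, or not matching, the signed checksum list"
    return True, why


if __name__ == "__main__":
    # Usage: python verify_node_release.py SHASUMS256.txt SHASUMS256.txt.asc node-vX.Y.Z-<platform>.tar.gz
    # The pinned fingerprint is the one shown in this thread's gpg output (assumed to be the
    # release key you have verified out of band and imported into your keyring).
    pinned = {"890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4"}
    ok, why = verify_release(Path(sys.argv[1]), Path(sys.argv[2]), Path(sys.argv[3]), pinned)
    print(("OK: " if ok else "FAIL: ") + why)
    sys.exit(0 if ok else 1)
```

The order matters: the signature is checked over SHASUMS256.txt before any digest is trusted, and the digest comparison uses the artifact's own file name as the key into the signed list, so a tarball whose name is absent from the list fails rather than silently passing. EXPKEYSIG is accepted only together with a pinned VALIDSIG fingerprint, which matches the thread's situation of a release signed before the key's expiry.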

@omarismail94
Author

The checksum file is nice for manual validation; however, for automated signature checking with a tool like Gradle it does not help at all (or I haven't found a way yet). It'd be great if we could have per-platform armored files to enable automated signature verification when downloading the artifact.

@RafaelGSS
Member

It should be solved now

@omarismail94
Author

@RafaelGSS reviving this thread: I see the key was updated, but is it not possible to publish an .asc file for each artifact released? For example, node-v22.0.0-darwin-arm64.tar.gz would have node-v22.0.0-darwin-arm64.tar.gz.asc, etc.

the end result would look like this: https://repo1.maven.org/maven2/org/jetbrains/kotlinx/kotlinx-coroutines-core/1.8.1/

@RafaelGSS
Member

Maybe? cc: @richardlau

However, if we do that, we'll need to redo it every 2 years (the usual expiry date for keys, at least mine).

Projects
Status: Awaiting Triage
Development

No branches or pull requests

4 participants