Sign Releases for Authentication (PGP, GPG)

[maltfield]

Description

Currently it is not possible to verify the authenticity of the downloads from sourceforge.net, github.com, or phplist.org because the releases are not cryptographically signed.

This makes it hard for phpList users to safely obtain the phpList software, and it introduces them (and potentially their customer's data) to watering hole attacks.

Steps to Reproduce

1. Go to the https://www.phplist.org/download-phplist page
2. Go to Sourceforge download page https://sourceforge.net/projects/phplist/files/phplist/
3. Click the version directory
4. Click download
5. ???

Expected behavior

A few things are expected:

1. I should be able to download the phpList PGP key out-of-band from popular third-party keyservers (eg https://keys.openpgp.org/)
2. I should be able to download a cryptographic signature of the release (or, better, the releases' digest file, such as a SHA256SUMS.asc file) along with the release itself
3. The downloads page itself should include a link to the documentation page that describes how to do the above two steps

Actual behavior

There's just literally no information on verifying downloads, and it appears that it is not possible to do so.

Versions

Everything, all versions. Plugins too.

[maltfield]

And just to be clear, the purpose of this ticket is to address issues with authentication of the software release, not just integrity.

Publishing hashes (that are not signed) provides integrity. Unsigned hashes do not provide authentication.

Without signatures, there is no way for a phpList user to verify that the phpList release that they downloaded is authentic (that is to say, it was in-fact produced by the phpList team -- as opposed to some malicious actor). This is important to defend many attack vectors, including a Publishing Infrastructure Compromise.

Such attacks, including Publishing infrastructure Comprimise, have happened to many open-source projects historically. For an incomplete list of such events, please see:

• https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises

Currently phpList users have no way to defend against such an attack. By providing signatures with each release (either by signing the release directly or by signing the hash/digest files), users would finally be able to verify the authenticity of a given release after downloading it & before installing it.

[maltfield]

For more information on best-practices of signing releases with GPG, please see:

1. https://infra.apache.org/release-signing
2. https://docs.opendev.org/opendev/system-config/latest/signing.html
3. https://wiki.debian.org/Subkeys
4. https://riseup.net/en/security/message-security/openpgp/best-practices

[michield]

Yes, good point, we'll sort that out