doc: 6908 add tarball verification docs v1 #11051
Conversation
Ticket: OISF#6908 Signed-off-by: jason taylor <jtfas90@gmail.com>
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #11051 +/- ##
==========================================
+ Coverage 80.63% 83.67% +3.03%
==========================================
Files 922 922
Lines 250137 250321 +184
==========================================
+ Hits 201699 209453 +7754
+ Misses 48438 40868 -7570
Flags with carried forward coverage won't be shown. Click here to find out more. |
| Installing from the source distribution files gives the most control over the Suricata installation. | ||
|
|
||
| The Suricata source tarballs should be verified before building the source, see | ||
| :doc:`source-verification` |
There was a problem hiding this comment.
Can we use common naming here? "source distribution" or "source tarball"?
There was a problem hiding this comment.
Ah I hadn't paid attention to the previous lines, will update to match in the next PR. Any preference on wording?
There was a problem hiding this comment.
Not a big fan of "tarball" in official documentation. I prefer "archive" or "distribution archive", etc.
There was a problem hiding this comment.
Alright will get that updated/reworked, thanks!
There was a problem hiding this comment.
nit: missing the period.
| Downloading the sig File | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| The sig file needs to be downloaded as well as the tarball. Both files can be | ||
| found at `<https://suricata.io/download/>`_. |
There was a problem hiding this comment.
"signature" is how refer to it on the download page, should match I think.
There was a problem hiding this comment.
will update in next PR
There was a problem hiding this comment.
Some of the errors from the CI are doc building or dist check complaints.
/__w/suricata/suricata/doc/userguide/index.rst:6:toctree contains reference to nonexisting document 'source-verification'
(e.g. https://github.com/OISF/suricata/actions/runs/9019965517/job/24784406162?pr=11051#step:11:1108)
My only initial guess is that maybe that empty line before the chapter title makes some distros unhappy? Or there's something else I can't see.
| Installing from the source distribution files gives the most control over the Suricata installation. | ||
|
|
||
| The Suricata source tarballs should be verified before building the source, see | ||
| :doc:`source-verification` |
There was a problem hiding this comment.
nit: missing the period.
| @@ -0,0 +1,83 @@ | |||
|
|
|||
There was a problem hiding this comment.
nit: remove empty line
|
The other failures are related to: #11041 |
| Importing the OISF Signing Key | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| Once both the sig file and suricata tarball files are obtained, the OISF |
There was a problem hiding this comment.
nit: consistent usage of Suricata, please? :)
| To verify the contents of the Suricata tarball the following command should be | ||
| ran:: | ||
|
|
||
| $ gpg --verify suricata-7.0.5.tar.gz.sig suricata-7.0.5.tar.gz |
There was a problem hiding this comment.
Considering how literal some interpretations can be, I think it's worth mentioning that the proper Suricata version should match with what they have installed, in their command-run.
Or maybe rephrase to indicate "To verify the Suricata-7.0.5 distribution archive, for instance, you could run"
|
|
||
| This indicates that the OISF signing key was imported and the signatures are | ||
| valid, but either the keys have not been marked as trusted OR the keys are | ||
| possibly a forgery. |
There was a problem hiding this comment.
Maybe add what could be done in this case? Don't trust the package, or reach out to us to let us know? Which would be the best channel for that? info@oisf.net?
There was a problem hiding this comment.
Good question, what about something like "If there are questions regarding the validity of the downloaded file, the OISF team can be reached via any of the methods at https://suricata.io/our-story/contact/" ?
There was a problem hiding this comment.
I think it's best if we point to something specific, to reduce friction. Not sure if this would be considered a security issue. If so, they could write to security@oisf.net (cf https://github.com/OISF/suricata/blob/master/SECURITY.md). If not, maybe the contact e-mail: info@oisf.net
|
continued in #11111 |
If anyone by any change arrives here, the solution was actually to add the new file to the Makefile.am, as suggested by Jeff (cf #11111 (comment)) |
Make sure these boxes are signed before submitting your Pull Request -- thank you.
https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html
https://suricata.io/about/contribution-agreement/ (note: this is only required once)
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/6908
Describe changes:
Provide values to any of the below to override the defaults.
To use a pull request use a branch name like
pr/NwhereNis thepull request number.
Alternatively,
SV_BRANCHmay also be a link to anOISF/suricata-verify pull-request.