GPG sign gitea releases on the gitea.io download page

[vishnunaini]

• Gitea version (or commit ref): 1.0.2
• Git version: 2.11.0
• Operating system: All
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist: NA

Description

The title says it all. Please maintain a GPG master key with the team's trusted members and sign all gitea releases with this master keys to maintain a chain of trust. HTTPS on the download page is not enough as that is vulnerable to the case where gitea.io can be compromised.

Screenshots

NA

[tboerger]

The release process is totally automated via drone ci, so how should that work? The only manual step is the creation of the git tag.

[vishnunaini]

Make drone ci build a SHA256SUMS file with the sha256sums of all the binaries produced. Ping a core developer whenever a new release happens. The core developer should will do some verification and then sign the SHA256SUMS file a make a SHA256SUMS.gpg signature file. Upload those two files to the download server.

If you want to start somewhere let the ci itself do the gpg signing.

[tboerger]

I don't think that the manual steps will work out well.

[vishnunaini]

Why not add the gpg private key and signing to the ci itself? I think this can be done. Many projects use automated signing.

[tboerger]

Because In my opinion this looks secure but can be vulnerable

[vishnunaini]

I know that manual signing is the only true chain of trust. Automatic cannot be trusted.

[vishnunaini]

Go the manual signing way but only do it for stable releases. Since the number of stable releases is only going to be one or two a month, manual signing probably wouldn't be that much of a hassle.