Provide Checksums and Digital Signatures for Release Binaries #3526

Open
dingchaoz opened this issue Nov 7, 2024 · 0 comments

Comments

@dingchaoz

To enhance the security and integrity of the Agave project’s releases, can we provide checksums and digital signatures for all distributed binaries? This practice allows users to verify the authenticity and integrity of the downloaded files, ensuring they have not been tampered with or corrupted during transmission.

Proposed Solution:

1. Generate Checksums:
   - For each release artifact, compute a SHA-256 checksum.
   - Include these checksums in a file (e.g., SHA256SUMS) accompanying the release.
2. Provide Digital Signatures:
   - Use a GPG key to sign the checksum file, creating a signature file (e.g., SHA256SUMS.asc).
   - Upload the public GPG key to a keyserver and provide its fingerprint in the release notes for user verification.
3. Update Release Documentation:
   - Include instructions in the release notes on how users can verify the checksums and signatures.
   - Provide guidance on importing the GPG key and verifying the signature against the checksum file.

Implementing these measures will enhance user trust and security when downloading and using the Agave project’s binaries.
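The checksum half of the proposal (steps 1 and 3) as an added example, not code from the Agave project: it builds a SHA256SUMS file in the format GNU `sha256sum` prints and re-checks it the way `sha256sum -c` does, reporting a modified and a missing artifact. Artifact names and contents are constructed; signing the file (step 2, e.g. `gpg --armor --detach-sign SHA256SUMS`) is a separate step not reproduced here, and a user should verify that signature before trusting the checksums, since an unsigned SHA256SUMS can be replaced along with the binaries.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large release binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sha256sums(directory, names):
    """Build SHA256SUMS content: one '<hex digest>  <name>' line per artifact (GNU sha256sum format)."""
    lines = [f"{sha256_file(os.path.join(directory, n))}  {n}" for n in sorted(names)]
    return "\n".join(lines) + "\n"


def verify_sha256sums(directory, sums_content):
    """Re-check every listed artifact like `sha256sum -c`: {name: 'OK' | 'FAILED' | 'MISSING'}."""
    results = {}
    for line in sums_content.splitlines():
        if not line.strip():
            continue
        expected, name = line.split("  ", 1)  # two spaces separate digest and file name
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_file(path) == expected.lower():
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def demo():
    """Constructed release: three artifacts are checksummed, then one is modified and one deleted."""
    with tempfile.TemporaryDirectory() as d:
        artifacts = {"release-a.bin": b"artifact A", "release-b.bin": b"artifact B", "release-c.bin": b"artifact C"}
        for name, body in artifacts.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        sums = write_sha256sums(d, list(artifacts))
        with open(os.path.join(d, "release-b.bin"), "ab") as f:
            f.write(b"!")  # simulated corruption or tampering after the sums were published
        os.remove(os.path.join(d, "release-c.bin"))
        return verify_sha256sums(d, sums)


if __name__ == "__main__":
    print(demo())  # {'release-a.bin': 'OK', 'release-b.bin': 'FAILED', 'release-c.bin': 'MISSING'}
```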
