git/release/update signing

2012-03-04
2013-06-06
  • Nobody/Anonymous

    I see git tags aren't signed. Code signing should be done from day 1 or it will become harder and harder to retrofit - see how all other OSs still struggle with it. There needs to be a chain of trust from git to binaries, to isos and everything that is released.

     
  • Nobody/Anonymous

    Hello,

    I'm rather unsure what I would express by signing the Git tag. Well, it's an official release, but would users that verify the tag expect more than just that it's an official release? Could you please elaborate a bit more on your expectations from signed code?

    Greets
    Christian Helmuth

     
  • Nobody/Anonymous

    The signature would guarantee that when I check out the code I get exactly what you intended to publish. It protects against MITM (on my end, at the host and between you and the host) and neither of us has to rely on GitHub's TLS and their internal security.

    Once there is a binary distribution and binary updates I'd want to verify that binaries are indeed compiled by someone trusted who is using trusted source code. If gpg is already being used now this will be easier to implement.

     
  • Christian Helmuth

    Hi,

    I understand that we should discuss this issue with the community and, therefore, opened https://github.com/genodelabs/genode/issues/138. Only a few developers frequent this forum and the issue will bring more stakeholders into the discussion.

    Thanks for bringing this up. I'm certain we need a strong and reconstructable code and binary verification process in the future.

    Regards,
    Christian

     
  • Nobody/Anonymous

    Thanks!

     
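The expectation stated in the thread, that a checkout is exactly what a trusted person published, only holds if the verifier checks which key made the tag signature, not merely that some signature is valid. The following is an added example, not code from this thread or from the Genode project; `check_status` and `verify_tag` are hypothetical helper names, and all fingerprints and status lines are constructed.

```shell
#!/bin/sh
# Added example; all fingerprints and status lines below are constructed.
PINNED=0123456789ABCDEF0123456789ABCDEF01234567   # release key you trust

# check_status FPR: read GnuPG "[GNUPG:]" status lines on stdin. Succeeds only
# if a VALIDSIG names FPR as primary key and nothing reports a bad signature
# or an expired/revoked key.
check_status() {
    awk -v pinned="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # field 3: fingerprint of the signing (sub)key;
            # field 12, when present: fingerprint of its primary key
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(pinned)) ok = 1
        }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# verify_tag TAG FPR: run inside a clone; --raw sends status lines to stderr.
verify_tag() {
    git verify-tag --raw "$1" 2>&1 >/dev/null | check_status "$2"
}

GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Release Key <release@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-06-06 1370476800 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Cryptographically valid, but made by a key nobody pinned: must be rejected.
OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2013-06-06 1370476800 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98'

# Signed by the pinned key, but the key is reported as expired.
EXPIRED='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Release Key <release@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-06-06 1370476800 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

for s in "$GOOD" "$OTHER" "$EXPIRED"; do
    if printf '%s\n' "$s" | check_status "$PINNED"; then
        echo accept
    else
        echo reject
    fi
done
```

The pinned fingerprint has to reach the verifier over a channel other than the repository host, otherwise the check falls back to trusting that host.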