-
-
Notifications
You must be signed in to change notification settings - Fork 270
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sign Releases for Authentication (PGP, GPG) #987
Comments
And just to be clear, the purpose of this ticket is to address issues with authentication of the software release, not just integrity. Publishing hashes (that are not signed) provides integrity. Unsigned hashes do not provide authentication. Without signatures, there is no way for a phpList user to verify that the phpList release that they downloaded is authentic (that is to say, it was in-fact produced by the phpList team -- as opposed to some malicious actor). This is important to defend many attack vectors, including a Publishing Infrastructure Compromise. Such attacks, including Publishing infrastructure Comprimise, have happened to many open-source projects historically. For an incomplete list of such events, please see: Currently phpList users have no way to defend against such an attack. By providing signatures with each release (either by signing the release directly or by signing the hash/digest files), users would finally be able to verify the authenticity of a given release after downloading it & before installing it. |
For more information on best-practices of signing releases with GPG, please see: |
Yes, good point, we'll sort that out |
Description
Currently it is not possible to verify the authenticity of the downloads from sourceforge.net, github.com, or phplist.org because the releases are not cryptographically signed.
This makes it hard for phpList users to safely obtain the phpList software, and it introduces them (and potentially their customer's data) to watering hole attacks.
Steps to Reproduce
Expected behavior
A few things are expected:
SHA256SUMS.asc
file) along with the release itselfActual behavior
There's just literally no information on verifying downloads, and it appears that it is not possible to do so.
Versions
Everything, all versions. Plugins too.
The text was updated successfully, but these errors were encountered: