[wp-meta] [Making WordPress.org] #7574: Sign releases (PGP, GPG)
Making WordPress.org
noreply at wordpress.org
Thu Apr 11 16:21:37 UTC 2024
#7574: Sign releases (PGP, GPG)
--------------------------------+---------------------
Reporter: maltfield | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone:
Component: WordPress.org Site | Resolution:
Keywords: |
--------------------------------+---------------------
Comment (by maltfield):
I see that wordpress provides hashes. Note that this does not provide
authenticity (though it does provide integrity). One option to achieve
authenticity would be to sign the hash file (as opposed to signing the
release file directly), but this should only be done with a
cryptographically secure hash function, and neither sha1 nor md5 are
cryptographically secure hash functions.
So, if you wish to sign hashes, one option is to upload a file
`SHA256SUMS` (with the sha256 hash of all the files uploaded for a given
release) and sign that with a detached signature in a file named
`SHA256SUMS.sign`. The benefit here is that you only need one signature
file for all files uploaded during a release. This is, in fact, how Debian
and many Linux distributions sign their releases:
* https://get.debian.org/images/archive/11.9.0/amd64/iso-dvd/
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/7574#comment:5>
Making WordPress.org <https://meta.trac.wordpress.org/>
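The scheme the comment proposes (one detached signature over SHA256SUMS rather than over each archive), as an added example that is not part of the ticket or of WordPress's release tooling. The release file names, the throwaway key and the example.invalid address are constructed for the demo; it assumes GNU coreutils and gpg 2.1 or later.

```shell
#!/bin/sh
# Added example, not from the ticket: build a SHA256SUMS manifest for a release
# directory, sign only the manifest with a detached GPG signature, and verify a
# download in the order that yields authenticity: signature first, hashes second.
# Assumes GNU coreutils and gpg 2.1+.
set -eu

# SHA256SUMS for every regular file under $1 (manifest and signature excluded),
# in sha256sum's own "<hash>  <path>" format, sorted by path.
make_sums() {
  ( cd "$1" && find . -type f ! -name 'SHA256SUMS*' -exec sha256sum {} + \
      | sort -k 2 ) > "$1/SHA256SUMS"
}

# Recompute every listed file; nonzero if any is missing or differs. On its own
# this is integrity only: whoever swapped the files could swap the manifest too.
check_sums() {
  ( cd "$1" && sha256sum --check --strict --quiet SHA256SUMS )
}

# Publisher: one detached signature covers the whole release via the manifest.
sign_sums() {
  gpg --batch --yes --local-user "$2" --detach-sign \
      --output "$1/SHA256SUMS.sign" "$1/SHA256SUMS"
}

# Consumer: the signature must check out before any hash is trusted.
verify_release() {
  gpg --batch --verify "$1/SHA256SUMS.sign" "$1/SHA256SUMS" || return 1
  check_sums "$1"
}

# End-to-end run with a throwaway key in a temporary GNUPGHOME, covering the
# two tamper cases a verifier must catch. Run as: sh thisfile demo
demo() {
  tmp=$(mktemp -d); export GNUPGHOME="$tmp/gnupg"; mkdir -m 700 "$GNUPGHOME"
  mkdir "$tmp/rel"; echo 'pkg a' > "$tmp/rel/a.zip"; echo 'pkg b' > "$tmp/rel/b.tar.gz"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'Release Bot <release@example.invalid>' default default never
  make_sums "$tmp/rel"; sign_sums "$tmp/rel" release@example.invalid
  verify_release "$tmp/rel"; echo "untouched release: OK"
  echo 'evil' > "$tmp/rel/a.zip"                       # file swapped, manifest intact
  verify_release "$tmp/rel" 2>/dev/null && exit 1; echo "swapped file: rejected"
  make_sums "$tmp/rel"                                  # manifest re-hashed, not re-signed
  verify_release "$tmp/rel" 2>/dev/null && exit 1; echo "re-hashed manifest: rejected"
  rm -rf "$tmp"
}
if [ "${1:-}" = demo ]; then demo; fi
```

The demo only runs when the script is invoked with the `demo` argument, so the functions can be sourced into a release pipeline without side effects.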