[wp-meta] [Making WordPress.org] #7574: Sign releases (PGP, GPG)

Making WordPress.org noreply at wordpress.org
Thu Apr 11 16:21:37 UTC 2024


#7574: Sign releases (PGP, GPG)
--------------------------------+---------------------
 Reporter:  maltfield           |       Owner:  (none)
     Type:  defect (bug)        |      Status:  new
 Priority:  normal              |   Milestone:
Component:  WordPress.org Site  |  Resolution:
 Keywords:                      |
--------------------------------+---------------------

Comment (by maltfield):

 I see that WordPress provides hashes. Note that this does not provide
 authenticity (though it does provide integrity). One option to achieve
 authenticity would be to sign the hash file (as opposed to signing the
 release file directly), but this should only be done with a
 cryptographically secure hash function, and neither sha1 nor md5 are
 cryptographically secure hash functions.

 So, if you wish to sign hashes, one option is to upload a file
 `SHA256SUMS` (with the sha256 hash of all the files uploaded for a given
 release) and sign that with a detached signature in a file named
 `SHA256SUMS.sign`. The benefit here is that you only need one signature
 file for all files uploaded during a release. This is, in fact, how Debian
 and many Linux distributions sign their releases:

  * https://get.debian.org/images/archive/11.9.0/amd64/iso-dvd/

-- 
Ticket URL: <https://meta.trac.wordpress.org/ticket/7574#comment:5>
Making WordPress.org <https://meta.trac.wordpress.org/>
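The workflow the comment above describes, written out as an added example (it is not part of the ticket or of WordPress.org's own tooling): one SHA256SUMS file covering every release artifact, one detached signature over that file, and a consumer-side check that verifies the signature before trusting the hashes. It assumes GNU coreutils `sha256sum` and GnuPG are installed; the key id passed to `sign_sums` is a placeholder the caller supplies.

```shell
#!/bin/sh
# Added example, not code from the ticket: SHA256SUMS + detached signature
# release signing in the style the comment attributes to Debian.
# Assumes GNU coreutils (sha256sum, find, sed, sort) and gpg (GnuPG 2.x).
set -e

# Release side, step 1: write SHA256SUMS covering every regular file in the
# release directory $1, excluding the sums file and its signature, in the
# "<hash>  <name>" format that sha256sum -c expects.
make_sums() {
  dir=$1
  ( cd "$dir" && find . -maxdepth 1 -type f \
      ! -name SHA256SUMS ! -name SHA256SUMS.sign \
      -exec sha256sum {} + | sed 's#  \./#  #' | sort -k2 ) > "$dir/SHA256SUMS"
}

# Release side, step 2: one detached, ASCII-armoured OpenPGP signature over
# SHA256SUMS. $2 is the signing key id or fingerprint (placeholder, supplied
# by the caller; the ticket names no key). The artifacts themselves are not
# signed; authenticity flows from the signature to the hashes to the files.
sign_sums() {
  gpg --batch --yes --local-user "$2" --armor --detach-sign \
      --output "$1/SHA256SUMS.sign" "$1/SHA256SUMS"
}

# Consumer side, step 1: authenticity. gpg must already trust the release
# key (imported out of band). Until this succeeds, the hashes in SHA256SUMS
# are just numbers an attacker could have rewritten alongside the files.
verify_signature() {
  gpg --batch --verify "$1/SHA256SUMS.sign" "$1/SHA256SUMS"
}

# Consumer side, step 2: integrity. Non-zero exit if any listed file is
# missing, differs, or a line in SHA256SUMS is malformed (--strict).
check_sums() {
  ( cd "$1" && sha256sum -c --quiet --strict SHA256SUMS )
}

# Full consumer check: signature first, then hashes, in that order.
verify_release() {
  verify_signature "$1" && check_sums "$1"
}

# Typical release-side usage (key id is a placeholder):
#   make_sums ./release-6.x && sign_sums ./release-6.x 0xPLACEHOLDERKEYID
# Typical consumer-side usage after downloading the directory contents:
#   verify_release ./release-6.x
```

Note that `sha256sum -c` alone only proves the files match the list; a downloader who runs it without `verify_signature` has integrity but, as the comment says, no authenticity, because whoever can replace the archive can replace SHA256SUMS too.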