Skip to content

Document PGP Signature Verification on Installation Docs #445

Description

@maltfield

Description

Currently it is not clear how to verify the authenticity or cryptographic integrity of the sigstore releases from github.com because there is no mention of it in the official installation docs:

This makes it hard for sigstore users to safely obtain the sigstore software, and it introduces them (and potentially future things they try to verify with sigstore's cli tools) to watering hole attacks.

Steps to Reproduce

  1. Go to the install docs https://docs.sigstore.dev/cosign/system_config/installation/
  2. Look for info on how to verify the signature of the release using PGP
  3. ???
  4. Get confused and open ticket

Expected behavior: [What you expected to happen]

A few things are expected:

  1. I should be able to download the sigstore PGP key out-of-band from popular third-party keyservers (eg https://keys.openpgp.org/)
  2. I should be able to download a cryptographic signature of the release (or, better, the releases' digest file, such as a SHA256SUMS.asc file) along with the release itself
  3. The downloads page itself should include a link to the documentation page that describes how to do the above two steps

Actual behavior: [What actually happened]

There's just literally no information on verifying downloads with PGP, and it appears that it is not possible to do so.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions