[SECURITY] Consider signing releases with PGP #5313
Labels
Internal-Issue-Created
An issue has been created in NextGen's internal issue tracker
RS-9151
Security
triaged
Comments
lmillergithub
added
triaged
Internal-Issue-Created
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
NextGen currently computes hashes for some release artifacts and hosts them side-by-side with the downloadable packages from their release-hosting site. The hashes can only provide proof that a particular binary matches the hash and has therefore not been tampered-with after downloading. They do not, however, provide any authentication of the signature at all.
PGP (or GPG) signatures provide both tamper-evident hashing and authenticated signing to prove that the binary was signed by a (presumably) trusted signer. This allows binaries to be mirrored, copied, shared, etc. and signatures cannot be forged. Theoretically, hashes can be "forged" simply by updating the hash after the binary has been modified.
The text was updated successfully, but these errors were encountered: