[SERVER-5455] Sign source archives (tgz, zip, etc) with a public GPG key Created: 30/Mar/12  Updated: 26/Oct/15  Resolved: 04/Mar/14

Status: Closed
Project: Core Server
Component/s: Packaging, Security
Affects Version/s: None
Fix Version/s: 2.6.0-rc1

Type: Task Priority: Major - P3
Reporter: Błażej Pawlak Assignee: Ernie Hershey
Resolution: Done Votes: 4
Labels: PKI, archive, download, signing
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Related
related to SERVER-8770 Sign RPM packages available via the 1... Closed
is related to DOCS-2772 Add links to PGP keys to installation... Closed
is related to SERVER-4808 Provide repo downloads of older versi... Closed
Backwards Compatibility: Fully Compatible
Participants:

Description

=== Task ===
Check integrity and authenticity of the downloaded source archive.

=== Description ===
You could create a hash (e.g. sha256) of the archive and place it in a file available for download with the archive.
Then this file containing the hash has to be signed with a trusted GPG key (for example, anything PKI is good), making the public key widely available.
That way one could verify both the integrity and the authenticity of the file.
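The scheme proposed above, as an added example that is not part of the ticket and not MongoDB's release tooling: the publisher writes a SHA256SUMS file for the archive, signs that file with a detached armored GPG signature and publishes the public key; a downloader holding only the public key checks the signature first and the hash second. The key's user ID, the file names and the stand-in "archive" are assumptions made for the example, and the signing key is a throw-away key generated into a temporary GNUPGHOME. The example also shows why the hash file must be signed rather than merely published: an attacker who can alter the download can just as easily rewrite an unsigned hash file, but cannot produce a valid signature over the rewritten one.

```shell
#!/bin/sh
# Added example (not the project's own code): hash file + detached GPG
# signature over it, verified by a downloader with only the public key.
# SIGNER, ARCHIVE and all file names are assumptions for this example.
set -u

SIGNER="Release Signing (example) <release@example.invalid>"   # assumed user ID
ARCHIVE="mongodb-src-example.tgz"                              # constructed stand-in

sha256_tool() {
    # GNU coreutils ships sha256sum; BSD/macOS ship shasum. Both accept -c.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

gpg_batch() {
    # Non-interactive gpg with an empty passphrase on the throw-away key.
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# Downloader-side check using a keyring that holds ONLY the published public key.
# Exit status: 0 good, 1 bad or missing signature on SHA256SUMS, 2 hash mismatch.
verify_download() {
    GNUPGHOME=$1 gpg --batch --quiet --verify SHA256SUMS.asc SHA256SUMS 2>/dev/null || return 1
    sha256_tool -c SHA256SUMS >/dev/null 2>&1 || return 2
    return 0
}

# Whole flow in a subshell so cd and temp dirs do not leak to the caller.
# Returns 0 only if the genuine download verifies AND both tampering cases are caught.
run_demo() (
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 3; }
    work=$(mktemp -d) || return 3
    pubhome="$work/publisher-gnupg"; userhome="$work/downloader-gnupg"
    mkdir -m 700 "$pubhome" "$userhome" || return 3
    cd "$work" || return 3
    trap 'GNUPGHOME=$pubhome gpgconf --kill gpg-agent 2>/dev/null; GNUPGHOME=$userhome gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$work"' EXIT

    # Constructed sample standing in for a source archive; contents are irrelevant.
    printf 'constructed sample archive, not a real tarball\n' > "$ARCHIVE"

    # --- publisher side: ephemeral key, hash file, detached signature, exported public key ---
    GNUPGHOME=$pubhome gpg_batch --quick-generate-key "$SIGNER" default default never || return 4
    sha256_tool "$ARCHIVE" > SHA256SUMS || return 4
    GNUPGHOME=$pubhome gpg_batch --armor --detach-sign --local-user "$SIGNER" \
        --output SHA256SUMS.asc SHA256SUMS || return 4
    GNUPGHOME=$pubhome gpg --batch --armor --export "$SIGNER" > release-key.asc || return 4

    # --- downloader side: import only the public key, then verify the genuine download ---
    GNUPGHOME=$userhome gpg --batch --quiet --import release-key.asc 2>/dev/null || return 5
    verify_download "$userhome" || return 5

    # Case 1: archive altered in transit, SHA256SUMS untouched -> hash check must fail.
    printf 'evil\n' >> "$ARCHIVE"
    status=0; verify_download "$userhome" || status=$?
    [ "$status" -eq 2 ] || return 6

    # Case 2: attacker also rewrites SHA256SUMS to match the altered archive, as they
    # could with an unsigned .md5 file -> the detached signature no longer verifies.
    sha256_tool "$ARCHIVE" > SHA256SUMS
    status=0; verify_download "$userhome" || status=$?
    [ "$status" -eq 1 ] || return 7

    echo "signature and hash checks behave as expected"
    return 0
)

run_demo
```

In a real deployment the downloader imports the vendor's published key once (the .asc files in the comments below are that artefact), and the signature check must come before the hash check: a hash file that has not been verified says nothing about who produced it.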



Comments
Comment by Ernie Hershey [ 04/Mar/14 ]

Published archives are signed. Public keys are in git and will deploy to the website tomorrow morning at these URLs:

https://www.mongodb.org/static/pgp/server-2.2.asc
https://www.mongodb.org/static/pgp/server-2.2.pub
https://www.mongodb.org/static/pgp/server-2.4.asc
https://www.mongodb.org/static/pgp/server-2.4.pub
https://www.mongodb.org/static/pgp/server-2.6.asc
https://www.mongodb.org/static/pgp/server-2.6.pub

This ticket will track user documentation for this change, such as how to verify the signatures - https://jira.mongodb.org/browse/DOCS-2772

Comment by Ernie Hershey [ 28/Feb/14 ]

Remaining immediate tasks:

  1. Sign already published tarballs (in progress)
  2. Publish public keys on mongodb.org (ian.bentley@10gen.com will help to deploy early next week)
  3. Update docs (DOCS-2772)

Remaining future tasks:

  1. Have MCI do signing instead of at release time (MCI-1228)
Comment by Githook User [ 28/Feb/14 ]

Author: Ernie Hershey (ehershey) <ernie.hershey@10gen.com>

Message: SERVER-5455 New script to sign S3 artifacts
Branch: master
https://github.com/mongodb/mongo/commit/0171919dcf52278421715a90038d4ce97c483e6e

Comment by Błażej Pawlak [ 30/Mar/12 ]

Brilliant, thanks for the intel.

Comment by Scott Hernandez (Inactive) [ 30/Mar/12 ]

Good point, we will leave this open till we do full signing with an externally verifiable key. In the meantime there will be the md5 files for a bit more assurance.

Comment by Błażej Pawlak [ 30/Mar/12 ]

What about the digital signature of the hash file?
That's quite relevant too as it prevents man-in-the-middle attacks for instance (on the download process).

Comment by Scott Hernandez (Inactive) [ 30/Mar/12 ]

The binary downloads already support adding .md5 to the end of each file to get their md5 hash. We have added this for new source packages also.

Once the web page is updated to include an indication of this we can close this issue, and the linked one.

Generated at Thu Feb 08 03:08:57 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.