[SERVER-5455] Sign source archives (tgz, zip, etc) with a public GPG key
Created: 30/Mar/12 Updated: 26/Oct/15 Resolved: 04/Mar/14 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Packaging, Security |
| Affects Version/s: | None |
| Fix Version/s: | 2.6.0-rc1 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Błażej Pawlak | Assignee: | Ernie Hershey |
| Resolution: | Done | Votes: | 4 |
| Labels: | PKI, archive, download, signing |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
|
| Backwards Compatibility: | Fully Compatible |
| Participants: |
| Description |
|
=== Task === === Description === |
| Comments |
| Comment by Ernie Hershey [ 04/Mar/14 ] |
|
Published archives are signed. Public keys are in git and will deploy to the website tomorrow morning at these URLs:
https://www.mongodb.org/static/pgp/server-2.2.asc
This ticket will track user documentation for this change, such as how to verify the signatures - https://jira.mongodb.org/browse/DOCS-2772 |
| Comment by Ernie Hershey [ 28/Feb/14 ] |
|
Remaining immediate tasks:
Remaining future tasks:
|
| Comment by Githook User [ 28/Feb/14 ] |
|
Author: {u'username': u'ehershey', u'name': u'Ernie Hershey', u'email': u'ernie.hershey@10gen.com'}
Message: |
| Comment by Błażej Pawlak [ 30/Mar/12 ] |
|
Brilliant, thanks for the intel. |
| Comment by Scott Hernandez (Inactive) [ 30/Mar/12 ] |
|
Good point, we will leave this open till we do full signing with an externally verifiable key. In the meantime there will be the md5 files for a bit more assurance. |
| Comment by Błażej Pawlak [ 30/Mar/12 ] |
|
What about the digital signature of the hash file? |
| Comment by Scott Hernandez (Inactive) [ 30/Mar/12 ] |
|
The binary downloads already support adding .md5 to the end of each file to get their md5 hash. We have added this for new source packages also. Once the web page is updated to include an indication of this we can close this issue, and the linked one. |