
RFE: support PGP signatures for checking downloaded sources (xdg-app-builder). #435

@alexlarsson

Description


From @cmacq2 on December 19, 2015 23:10

Judging by a cursory overview of the docs there is no support for verifying integrity of downloaded sources beyond a simple SHA256 checksum in xdg-app-builder.

It would arguably be better (more robust) if the integrity of the sources could be verified by checking a PGP signature against a known key. As it stands, essentially the builder has zero protection against a compromised repository/download server (and this has happened: think vsftpd, kernel.org).

Beyond that, it simplifies things for the user of xdg-app-builder because as long as a PGP key remains valid they can trivially upgrade without having to check & update to the new SHA256 sums manually -- since an equivalent up-to-date checksum would, of course, be embedded in the PGP signature itself. So only the trusted keys of upstream need to be known, and the machinery takes care of all the rest.

Even better, still: modern GIT allows you to sign commits with PGP signatures as well, so for the smoothest experience the builder would ideally be able to verify the signature of a GIT commit also. This can help guard you better against a compromised repository because it authenticates the GIT history itself. Essentially a signed GIT commit is a statement from upstream that they trust their current GIT history/state up until and including the particular commit to be 'verified', otherwise the only guarantee is that the GIT history is internally consistent which is not necessarily equivalent to 'tamper free'.

That way the consumer (builder) could declare a GIT tag as their dependency (i.e. a particular release) and the builder could give fairly strong guarantees that the sources being used in the project actually match with what was intended.

By adopting support for checking sources against PGP signatures, xdg-app-builder can offer a stronger protection against compromised sources to its users.

By adopting support for checking authenticity of signed GIT commits, xdg-app-builder can offer some gentle encouragement and reward for upstreams to make their release process/source control practices the best they can be, which will ultimately benefit the consumers of their code (i.e. users of xdg-app-builder).

Copied from original issue: alexlarsson/xdg-app#95
