Comments (4)
Not sure I can provide much help, but here are some comments.
GPG signature is relatively easy and straightforward to accomplish: create a key, publish it to public servers, and give the keys to a few maintainers. The release script would then generate the sums, and will sign the artifacts (including the sums) with the gpg key. The gpg key itself can be stored in the same repository, with the passphrase to decrypt it being a secret in the repository.
Code signing is more complex though: I'm not aware of a $0 code signing cert, and we certainly do not want to use a self-signed cert if we really need a code signing cert. Validity and rotation would also depend on the issuer's policies. Before continuing with this, it would be good to see what other CNCF projects are doing in this area.
How are the detached signatures published? Is each signature in its own file and included as a release asset?
The gpg signatures are published alongside the artifacts.
from opentelemetry-collector-releases.
Code signing is more complex though: I'm not aware of a $0 code signing cert, and we certainly do not want to use a self-signed cert if we really need a code signing cert. Validity and rotation would also depend on the issuer's policies.
Yes, as far as I know self-signed certificates are pointless in Windows. The code signing certificate must be obtained from a Certificate Authority that is a built-in trusted root in Windows system. It costs money to obtain a certificate like this, the process is often a hassle and certificates have expiration dates so you have to do this periodically (I think it was always annual when I did it in the past).
Technically GPG signatures provide the safety necessary. However all modern Windows systems show big red flags when trying to run an executable or install an MSI that is not code-signed (and being GPG-signed does not help in anyway). I don't know how much of a problem this is in reality. Since we haven't heard about the problems so far from our users, I agree with you there is no rush with Windows-specific code signing.
For my specific use cases (OpAMP's downloaded package authenticity verification) GPG signing should work equally well both for Linux and for Windows.
from opentelemetry-collector-releases.
Update: it seems like there is also a way to sign Docker images such that Kubernetes can verify them: https://medium.com/sse-blog/container-image-signatures-in-kubernetes-19264ac5d8ce
I have never tried this but if this really works it would be great to have this for our Collector Helm chart. Again, I have no immediate need for this personally, but was curious if Kubernetes has anything like this.
from opentelemetry-collector-releases.
Since we haven't heard about the problems so far from our users, I agree with you there is no rush with Windows-specific code signing.
There have been some requests by users in the past, but given that we have no maintainers with easy access to Windows or code signing facilities for Windows, this never moved beyond the "it would be nice to have this".
from opentelemetry-collector-releases.
Related Issues (20)
- v0.95.0 is missing otel-contrib rpm files HOT 5
- SBOM files for some artifacts are almost empty HOT 8
- Release binaries and container images v0.96.0 HOT 1
- Improve testability of release workflows HOT 11
- Add links to core and contrib to Github releases on releases from this repository HOT 33
- rpm upgrade of package overwrites config file
- Add opampextension to contrib distro
- exporters: unknown type: "loki" HOT 3
- Openshift operator 'exporters': unknown type: "loki" HOT 4
- Make the command name consistent across images HOT 8
- Consistency for configuration for distros HOT 3
- More Collector distros or focus on OCB? HOT 6
- Add nop exporter to distributions HOT 3
- Add rpm and deb packages to the otelcol-k8s release HOT 1
- Current workflow allows partial releases when CI fails for a single distro HOT 1
- Remove source duplication to build Windows MSI
- Add MSI smoke tests HOT 2
- Generate message about core and contrib changelogs based on builder manifest
- Ensure builder manifests have consistent versions
- OTE-01-002 WP1: Possible DYLIB Injection on MacOS Client
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from opentelemetry-collector-releases.