Introduce released package signatures about opentelemetry-collector-releases HOT 4 OPEN

Not sure I can provide much help, but here are some comments.

GPG signature is relatively easy and straightforward to accomplish: create a key, publish it to public servers, and give the keys to a few maintainers. The release script would then generate the sums, and will sign the artifacts (including the sums) with the gpg key. The gpg key itself can be stored in the same repository, with the passphrase to decrypt it being a secret in the repository.

Code signing is more complex though: I'm not aware of a $0 code signing cert, and we certainly do not want to use a self-signed cert if we really need a code signing cert. Validity and rotation would also depend on the issuer's policies. Before continuing with this, it would be good to see what other CNCF projects are doing in this area.

How are the detached signatures published? Is each signature in its own file and included as a release asset?

The gpg signatures are published alongside the artifacts.

from opentelemetry-collector-releases.

Code signing is more complex though: I'm not aware of a $0 code signing cert, and we certainly do not want to use a self-signed cert if we really need a code signing cert. Validity and rotation would also depend on the issuer's policies.

Yes, as far as I know self-signed certificates are pointless in Windows. The code signing certificate must be obtained from a Certificate Authority that is a built-in trusted root in Windows system. It costs money to obtain a certificate like this, the process is often a hassle and certificates have expiration dates so you have to do this periodically (I think it was always annual when I did it in the past).

Technically GPG signatures provide the safety necessary. However all modern Windows systems show big red flags when trying to run an executable or install an MSI that is not code-signed (and being GPG-signed does not help in anyway). I don't know how much of a problem this is in reality. Since we haven't heard about the problems so far from our users, I agree with you there is no rush with Windows-specific code signing.

For my specific use cases (OpAMP's downloaded package authenticity verification) GPG signing should work equally well both for Linux and for Windows.

from opentelemetry-collector-releases.

Update: it seems like there is also a way to sign Docker images such that Kubernetes can verify them: https://medium.com/sse-blog/container-image-signatures-in-kubernetes-19264ac5d8ce
I have never tried this but if this really works it would be great to have this for our Collector Helm chart. Again, I have no immediate need for this personally, but was curious if Kubernetes has anything like this.

from opentelemetry-collector-releases.

Since we haven't heard about the problems so far from our users, I agree with you there is no rush with Windows-specific code signing.

There have been some requests by users in the past, but given that we have no maintainers with easy access to Windows or code signing facilities for Windows, this never moved beyond the "it would be nice to have this".

from opentelemetry-collector-releases.