-
-
Notifications
You must be signed in to change notification settings - Fork 156
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TL;DR needed for Signature Verification page #312
Comments
Thanks, we'll try to simplify it. I'll also try to get simpler instructions on our new website. |
Appreciate it, thanks @mholt . I tried to work through some of it, but even the commands as shown appear to be out of date, e.g. |
Sure, we can give a one- or two-liner, but I don't agree that a one-liner will help the concerned user with security. The process is multi-step out of necessity because you need you verify every segment of the proof. You received the asset and the signature from the same source, i.e. GitHub release page. An attacker who can falsify the asset can also falsify the signature. The page attempts at explaining how to validate each and every aspect. Here are the risks at hand:
The article attempts to help you identify each "leg" of the interaction.
For now, the one-liner is: cosign verify-blob \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-name "Release" \
--certificate-github-workflow-ref refs/tags/${TAG} \
--certificate-identity-regexp caddyserver/caddy \
--certificate ./caddy_2.6.4_checksums.txt.pem \
--signature ./caddy_2.6.4_checksums.txt.sig \
--verbose \
./caddy_2.6.4_checksums.txt We'll add it to the page. |
I think as I said @mohammed90 for post people, something to encourage them to do the equivalent of Already too many people don't even do Just like with other things in IT security, the sufficiently paranoid can take further steps, but really you need to cater for the majority who when faced with a multi-step process will just say "* that !" and download the binary anyway. Don't get me wrong, in principle I agree 100% with what you are saying .... but I think we need to have a meeting with Mr Reality here when it comes to Average Joe. |
OK, but take that up with the cryptographic engineers or at least with the sigstore project because there's not much we can do about that. I think Mohammed's answer is a great one and we will absolutely use it. |
…d add tldr Closes TL;DR needed for Signature Verification page #312
Coming to this from the perspective someone used to the
gpg --verify
world and new toSigstore
, there is an awful lot of waffle on the signature verification page.A TL;DR at the top of the page is desperately needed, ideally with a one-liner (if possible) but if not just a straightforward TL;DR "this is the list of commands".
If you really want to help people embrace
Sigstore
as the "new best thing", then making them figure out what the process is through a long rambling page is not the way to do it. At the moment, frankly, I'm left with the impression that I wish Caddy just published a GPG sig like everyone else because as you present it,Sigstore
verification looks awfully time-consuming and induces the conclusion that I "can't be bothered", whish of course is technically wrong but humans are humans... don't make it difficult to figure out what needs to be done !The text was updated successfully, but these errors were encountered: