@HacKanCuBa
Last active September 21, 2020 16:17
Properly signing Github releases

Github automatically generates .tar.gz and .zip packages of the repository when a release or pre-release is created under releases. However, these packages are not signed! The tag might be signed, but if a user downloads one of those archives there is no real attestation of its content beyond pure trust in Github.

However, you can edit a release after it's generated to upload files, and this is how you can upload signature files for those packages (as I usually do). But to sign them you first need to download them and, of course, verify them! Otherwise you would be signing with your own key whatever Github handed you, without checking it!

I will be using a tool I created to do recursive blake2 checksums called b2rsum. You can use any other tool that does the same if you want.

To properly verify those packages, do the following:

1. Create a temporary directory to store all files; let's call it /tmp/github.
2. Copy your source code to a subdirectory there: `cp -r ~/code/myproject /tmp/github/orig`.
3. Remove files that aren't used (such as compiled files and gitignored files) and the .git directory in /tmp/github/orig. This makes verification easier, with no false positives.
4. Go into the directory and create a checksum file:
   ```
   cd /tmp/github/orig
   b2rsum -o .
   ```
5. Go back up and download a Github package, then extract it:
   ```
   cd /tmp/github
   wget -O {package}.tar.gz https://github.com/{user}/{project}/archive/{tag}.tar.gz
   tar -xf {package}.tar.gz
   ```
6. Go into the extracted directory and verify that all the files that are supposed to be there are there, and that they are exactly as intended:
   ```
   cd /tmp/github/{project-dir}
   b2rsum -c /tmp/github/orig/BLAKE2SUMS
   ```
7. Create a checksums file for this directory: `b2rsum -o .`
8. Go into the orig dir and check it against that checksums file, so that you know no extra file was added to the package (this check only verifies that listed files exist unchanged, which is why it has to be run in both directions):
   ```
   cd /tmp/github/orig
   b2rsum -c /tmp/github/{project-dir}/BLAKE2SUMS
   ```
9. If all checks went well, the package can now be signed. Discard the extracted dir first:
   ```
   cd /tmp/github
   rm -rf {project-dir}
   ```
   Then sign it, either using minisign (recommended):
   ```
   minisign -Sm {package}.tar.gz
   ```
   or using GPG:
   ```
   gpg --sign --detach-sign --interactive --verbose --digest-algo sha512 -o {package}.tar.gz.sig {package}.tar.gz
   ```
10. That's it! Repeat for the other package (.zip in this example) and upload the signatures to the release.
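The two-way comparison of steps 4 to 8 is the part people tend to get wrong (checking only one direction misses files that were added to the archive). The script below is an added example, not the gist author's code and not b2rsum: it uses GNU coreutils `b2sum` (falling back to `sha256sum` if `b2sum` is absent) with `find` to get the same recursive checksum list, writes it as BLAKE2SUMS inside the directory being summed, and returns success only when the package holds exactly the files of the original tree with identical content. Directory names are placeholders; a file legitimately named BLAKE2SUMS inside the project would be skipped by this exclusion, which is one reason to prefer a dedicated tool.

```shell
#!/bin/sh
# Added example (not from the original gist): portable two-way checksum check.
# Assumptions: GNU coreutils b2sum stands in for the author's b2rsum (sha256sum
# as a fallback), the list is named BLAKE2SUMS and lives in the summed directory,
# and paths passed in are placeholders chosen by the caller.
set -eu

SUMFILE=BLAKE2SUMS
if command -v b2sum >/dev/null 2>&1; then
  SUM=b2sum
else
  SUM=sha256sum   # fallback so the script still runs where b2sum is missing
fi

# make_sums DIR: write "hash  ./path" lines for every regular file under DIR
# (except the checksum list itself) into DIR/BLAKE2SUMS, in a stable order.
make_sums() {
  dir=$1
  ( cd "$dir" && find . -type f ! -name "$SUMFILE" -print0 \
      | LC_ALL=C sort -z \
      | xargs -0 -r "$SUM" > "$SUMFILE" )
}

# check_sums DIR LIST: verify every entry of LIST relative to DIR. Fails when a
# listed file is missing or its content differs. Files present in DIR but not
# in LIST are NOT detected here, hence the second direction below.
check_sums() {
  dir=$1
  list=$2
  ( cd "$dir" && "$SUM" -c --quiet "$list" )
}

# verify_both_ways ORIG PKG: returns 0 only if PKG contains exactly the files
# of ORIG with identical content. Direction 1 catches missing or altered files
# in the package; direction 2 catches files that were added to it.
verify_both_ways() {
  orig=$(cd "$1" && pwd)
  pkg=$(cd "$2" && pwd)
  make_sums "$orig"
  check_sums "$pkg" "$orig/$SUMFILE" || return 1   # step 6
  make_sums "$pkg"
  check_sums "$orig" "$pkg/$SUMFILE" || return 1   # steps 7 and 8
  return 0
}
```

Usage follows the steps above: `verify_both_ways /tmp/github/orig /tmp/github/{project-dir}` after extracting the archive, and only on a zero exit status proceed to `minisign -Sm` or `gpg --detach-sign` on the downloaded .tar.gz (never on the extracted tree). The `--quiet` flag keeps `b2sum -c` silent except for the names of files that fail, so any output at all means the package must not be signed.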