View keybase.md

Keybase proof

I hereby claim:

  • I am dvz on github.
  • I am devilshakerz (https://keybase.io/devilshakerz) on keybase.
  • I have a public key whose fingerprint is DF3A 34D9 A627 42E5 BC6A 6750 1F2F B8AA 28FF E1BC

To claim this, I am signing this object:

@dvz
dvz / protocol.md
Created Jun 29, 2017
Package Signing Protocol

The Protocol mitigates the following risks related to end-user packages:

  • packages forged or modified by third parties who have gained control of Project-managed platforms or intercepted requests from end users,
  • legitimate packages swapped with ones containing unauthorized modifications as a result of a man-in-the-middle attack or checksum collision attack,
  • unauthorized releases by the Project's Team members with access to Project-managed platforms or without the Project's Team consensus,
  • packages resulting from a valid release process but containing content that some of the Project's Team members consider questionable.

Definitions

Team Member Keys

Personal keys owned by Team members and listed on the official About the Team page.

View gist:90c9bd97b9f5b0970712
### Keybase proof
I hereby claim:
* I am devilshakerz on github.
* I am devilshakerz (https://keybase.io/devilshakerz) on keybase.
* I have a public key whose fingerprint is DF3A 34D9 A627 42E5 BC6A 6750 1F2F B8AA 28FF E1BC
To claim this, I am signing this object: