
FR: provide the signature for '*.sha256' artefacts #3333

Open
bb-Ricardo opened this issue Oct 25, 2023 · 5 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@bb-Ricardo

In order to check for new releases and changes, it is important to verify the provided signatures.

In this case the checksum file has no signature, so we need to download the binary to verify that the signature matches the binary; only then can we use the checksum to verify on our systems whether the correct version is present.

Best solution would be:

  • create a k8s.io checksum file containing all sha256 checksums for all currently released binaries
  • sign said checksum file using the same mechanism for signing binaries
  • provide downloads for
    • all binaries checksum file
    • signature of checksum file
    • signature certificate of checksum file
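The workflow the proposal above enables, as an added example that is not part of the issue or of the kubernetes/release tooling: the publisher builds one sha256sum-style manifest covering every released binary and signs the manifest; the consumer verifies that one signature, then hashes only the binaries already installed locally and compares them against the manifest, never downloading an artefact just to check it. Ed25519 stands in here for the release's real signing mechanism (cosign, with a certificate published next to the signature), and the file names and contents are constructed, not real Kubernetes artefacts.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Constructed stand-ins for released binaries; the paths mimic the dl.k8s.io
// layout but the contents are arbitrary bytes, not real binaries.
var releasedBinaries = map[string][]byte{
	"bin/linux/amd64/kubectl": []byte("kubectl linux/amd64 (constructed)"),
	"bin/linux/amd64/kubeadm": []byte("kubeadm linux/amd64 (constructed)"),
	"bin/linux/arm64/kubelet": []byte("kubelet linux/arm64 (constructed)"),
}

// GenerateReleaseKey creates the publisher's key pair. Assumption: ed25519 is
// used only as a stand-in for cosign's keyless signing; the flow is the same.
func GenerateReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildManifest renders one "<hex sha256>  <name>" line per artefact in sorted
// order so the published manifest is reproducible.
func BuildManifest(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.String()
}

// SignManifest produces the detached signature published next to the manifest.
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyManifest must succeed before any line of the manifest is trusted.
func VerifyManifest(pub ed25519.PublicKey, manifest string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(manifest), sig)
}

// ParseManifest maps name -> lowercase hex digest and rejects malformed lines
// instead of silently skipping them (a skipped line is an unchecked binary).
func ParseManifest(manifest string) (map[string]string, error) {
	out := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(manifest))
	for sc.Scan() {
		line := sc.Text()
		if strings.TrimSpace(line) == "" {
			continue
		}
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 || len(parts[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed manifest line: %q", line)
		}
		if _, err := hex.DecodeString(parts[0]); err != nil {
			return nil, fmt.Errorf("bad digest in line %q: %w", line, err)
		}
		out[parts[1]] = strings.ToLower(parts[0])
	}
	return out, sc.Err()
}

// CheckLocal hashes only the files present on this system and compares them to
// the verified manifest. A file the manifest does not list is an error: it is
// not something the release signed. Returns the names that matched.
func CheckLocal(manifest map[string]string, local map[string][]byte) ([]string, error) {
	names := make([]string, 0, len(local))
	for n := range local {
		names = append(names, n)
	}
	sort.Strings(names)
	var ok []string
	for _, n := range names {
		want, listed := manifest[n]
		if !listed {
			return ok, fmt.Errorf("%s is not listed in the signed manifest", n)
		}
		sum := sha256.Sum256(local[n])
		if hex.EncodeToString(sum[:]) != want {
			return ok, fmt.Errorf("%s: checksum mismatch", n)
		}
		ok = append(ok, n)
	}
	return ok, nil
}

func main() {
	// Publisher side: one manifest, one signature.
	pub, priv := GenerateReleaseKey()
	manifest := BuildManifest(releasedBinaries)
	sig := SignManifest(priv, manifest)

	// Consumer side: verify the signature once, then check what is installed.
	if !VerifyManifest(pub, manifest, sig) {
		panic("manifest signature does not verify")
	}
	parsed, err := ParseManifest(manifest)
	if err != nil {
		panic(err)
	}
	installed := map[string][]byte{
		"bin/linux/amd64/kubectl": releasedBinaries["bin/linux/amd64/kubectl"],
	}
	ok, err := CheckLocal(parsed, installed)
	fmt.Println("verified:", ok, "error:", err)
}
```

The order matters: the signature is checked over the whole manifest before any digest in it is used, so a tampered or truncated manifest fails closed rather than producing a partial result.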
@bb-Ricardo bb-Ricardo added the sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. label Oct 25, 2023
@ameukam
Member

ameukam commented Oct 25, 2023

cc @kubernetes/release-engineering

@xmudrii
Member

xmudrii commented Oct 26, 2023

This seems similar to #3222, I'm going to transfer it to the k/release repo
/transfer release

@k8s-ci-robot k8s-ci-robot transferred this issue from kubernetes/k8s.io Oct 26, 2023
@k8s-ci-robot k8s-ci-robot added needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority labels Oct 26, 2023
@xmudrii
Member

xmudrii commented Oct 26, 2023

cc @cpanato @puerco for feedback
/priority important-longterm
/triage accepted

@k8s-ci-robot k8s-ci-robot added priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-priority labels Oct 26, 2023
@xmudrii
Member

xmudrii commented Oct 26, 2023

/kind feature

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. and removed needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Oct 26, 2023
@bb-Ricardo
Author

Hi,

#3222 (comment)

Just applying this proposed change would highly mitigate the necessity of downloading the binary blobs to verify the signature of each blob.
