Skip to content

docs(gpg-verification): a signature proves the signer, not the version#43

Merged
CybotTM merged 1 commit into
mainfrom
retro/gpgv-version-binding
Jul 15, 2026
Merged

docs(gpg-verification): a signature proves the signer, not the version#43
CybotTM merged 1 commit into
mainfrom
retro/gpgv-version-binding

Conversation

@CybotTM

@CybotTM CybotTM commented Jul 15, 2026

Copy link
Copy Markdown
Member

Adds a section to gpg-verification.md: gpgv/gpg --verify proves signed by a trusted key, not is the requested version. A validly-signed older release placed under a newer name passes verification — harmless straight from the origin, but exploitable once a mutable store (package-registry cache, mirror, artifact proxy) sits in front of it (signed-downgrade).

Documents binding the artifact to the requested version after the signature checks out (assert the tarball's sole top-level dir / checksum-list entry == name-<version>), and notes checksum-list formats (Node SHASUMS) get this for free while detached-sig formats (php/nginx) don't.

Distilled from a real fix in the central release-key image (version-binding assertion added to get-verified-release after an adversarial review found gpgv alone left the gap).

gpgv proves 'signed by a trusted key', not 'is the requested version'. When a
mutable store (cache/mirror/proxy) sits in front of the origin, a validly-signed
older release under a newer coordinate passes verification and silently
downgrades the build. Document binding the artifact to the requested version
(assert the tarball's top-level dir / checksum-list entry) after gpgv, and note
that checksum-list formats get this for free while detached-sig formats don't.

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@github-actions

Copy link
Copy Markdown
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@sonarqubecloud

Copy link
Copy Markdown

@CybotTM
CybotTM merged commit f6d161c into main Jul 15, 2026
17 checks passed
@CybotTM
CybotTM deleted the retro/gpgv-version-binding branch July 15, 2026 00:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant