docs(gpg-verification): a signature proves the signer, not the version#43
Merged
Conversation
gpgv proves 'signed by a trusted key', not 'is the requested version'. When a mutable store (cache/mirror/proxy) sits in front of the origin, a validly-signed older release under a newer coordinate passes verification and silently downgrades the build. Document binding the artifact to the requested version (assert the tarball's top-level dir / checksum-list entry) after gpgv, and note that checksum-list formats get this for free while detached-sig formats don't. Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
Contributor
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



Adds a section to
gpg-verification.md:gpgv/gpg --verifyproves signed by a trusted key, not is the requested version. A validly-signed older release placed under a newer name passes verification — harmless straight from the origin, but exploitable once a mutable store (package-registry cache, mirror, artifact proxy) sits in front of it (signed-downgrade).Documents binding the artifact to the requested version after the signature checks out (assert the tarball's sole top-level dir / checksum-list entry ==
name-<version>), and notes checksum-list formats (Node SHASUMS) get this for free while detached-sig formats (php/nginx) don't.Distilled from a real fix in the central release-key image (version-binding assertion added to
get-verified-releaseafter an adversarial review found gpgv alone left the gap).