Signed Releases #84
Comments
|
Here's an MCprep Kaion release as an example: https://github.com/StandingPadAnimations/MCprep-Kaion/releases/tag/3.4.1.3 We use a separate file with the signature, and have GPG compare it with the original file to verify the original has not been edited with the command If I run GPG in the command line (using MCprep Kaion as an example), I get the following output: Here GPG verified the signature is good, which means the file wasn't tampered with. If I download the previous release and then compare, I get the following: Since the zip file is different from the zip file used to make the signature, GPG considers it modified and thus says the signature is invalid. |
|
Thanks for starting this topic thread, and I agree it's an important one to put some attention too. It is certainly a risk that a bad actor could take over a github account and compromise people's systems by putting bad code into a release build that people then get notified to one-click update. I suppose a key question on the breakdown of where things can go wrong, and how those surface areas for attacks can be reduced. In this particular case, what is GPG signing for solving? If bad actor is able to change the zip on github for downloaded, they are just as easily able to update the signing too right (albeit, it's a fair extra step they'd have to go through). Other question is on where gpg is supported, would this create compatibility issues. Now to be clear, I'm all for incremental improvements even if bigger issues still remain to be solved. Just want to first understand how the sequence would work in practice if we were to adopt this feature option. Curious to hear back @StandingPadAnimations! And thanks again for opening this topic |
A bad actor would have to make a new key, with its own public and private key pair. Sure, they could change the public key in future releases, but not for previous releases (at least not in an effective way). In this case, previous releases would fail to update, since the signatures would not match. If for example my account were to get hacked, and the hacker made a new key pair, then (assuming there's a signature check) previous releases would fail to update, as they would check if new versions are signed with a specific key or not. They would have to convince users to manually update and ignore any warnings the updater might give regarding security. While some users may fall for this, the vast majority would most likely feel uncomfortable with ignoring a security warning. In addition, the key check isn't just important for hacked accounts, it's important to verify that the release truly came from Github/Gitlab/whatever, and not some different source pretending to be Github.
GPG is preinstalled on most Linux systems, but is also supported on MacOS and Windows. |
|
Thanks for sharing that. This For this to work, would an addon developer need to then package a copy of GPG binaries (since it's not installed, only supported, on MacOS and Windows)? That also introduces a decent chunk of complexity, needing to package an executable (or telling developers how to package it, if it's an optional functionality we don't force all users of this repo to leverage). |
The actual file changes with each release (since the contents of the zip file change) but it's signed with the same key
There is a Python module that does this, but looking into it further it does require the binaries to be installed, so I'll have to see if there's a way to verify signatures without shipping binaries |
Some addons like MCprep Kaion have signed releases as an added security measure. It would be nice if these signatures could be checked and verified.
Most of the time GPG is used to sign the releases, so this would mean an extra Python module has to be installed by the addon (at least from my quick google searching), so perhaps this could be something optional so developers wouldn't have to forcefully installing extra packages
The text was updated successfully, but these errors were encountered: