
Missing signatures in source and binary download of OPAM itself #3577

Closed
vog opened this issue Oct 3, 2018 · 2 comments

Comments

@vog

vog commented Oct 3, 2018

While I applaud the efforts to distribute signed packages through OPAM (https://opam.ocaml.org/blog/Signing-the-opam-repository/), signatures for the source and binary tarballs of OPAM itself are still missing.

This is a big hole in the system: how much is OPAM's checking of all package signatures worth if I can't trust that I have an unmodified version of the OPAM tool itself?

One might rely on e.g. Debian package signatures, but the Debian maintainers have the same problem as I do: how do they verify the next OPAM version? Also, what if I want to use the latest OPAM version during the time it is not yet available on Debian? The same holds for Fedora and all other distros.

So I propose to provide a signed SHA512 checksums file for every OPAM release, containing the checksums of all source and binary tarballs, using one or two GPG keys that will remain stable over a long time period.
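As an added example (not part of this issue or of opam's own release tooling), the check a downloader would perform against a signed SHA512SUMS file of the kind proposed above. The file names, tarball contents and the `SHA512SUMS.sig` / keyring paths are constructed assumptions; the checksum format is the one `sha512sum` emits and `sha512sum -c` reads. The signature over the checksum file is what gives the scheme its value: a checksum file fetched from the same mirror as the tarball only detects corruption, not substitution, so the hash comparison must run only after the signature has been verified against a pinned release key.

```python
"""Verify release downloads against a GPG-signed SHA512SUMS file.

Added example; not opam's code. Assumes the layout proposed in the issue:
one SHA512SUMS file per release covering every tarball, plus a detached
signature (SHA512SUMS.sig) from a long-lived release key whose fingerprint
the verifier has confirmed out of band and placed alone in a keyring.
"""
import hashlib
import hmac
import os
import re
import shutil
import subprocess
import tempfile
from typing import Dict, Tuple

_HEX128 = re.compile(r"[0-9a-fA-F]{128}")


def parse_sha512sums(text: str) -> Dict[str, str]:
    """Parse `sha512sum` output: '<128 hex>  <name>' or '<128 hex> *<name>'.

    Entries are parsed strictly, and names that leave the release directory
    (absolute paths, '..', separators) are rejected so a hostile checksum file
    cannot steer the verifier at files it was not meant to hash.
    """
    sums: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if len(line) < 131 or not _HEX128.fullmatch(line[:128]) \
                or line[128] != " " or line[129] not in " *":
            raise ValueError(f"SHA512SUMS line {lineno}: malformed entry")
        digest, name = line[:128].lower(), line[130:]
        if name in ("", ".", "..") or name != os.path.basename(name) or "\\" in name:
            raise ValueError(f"SHA512SUMS line {lineno}: unsafe file name {name!r}")
        if name in sums:
            raise ValueError(f"SHA512SUMS line {lineno}: duplicate entry for {name!r}")
        sums[name] = digest
    return sums


def sha512_file(path: str) -> str:
    """Stream a file through SHA-512 so large tarballs need not fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def gpgv_verify(sums_path: str, sig_path: str, keyring_path: str) -> bool:
    """Check the detached signature on SHA512SUMS with gpgv.

    gpgv trusts exactly the keys in the given keyring, so the keyring should
    contain only the pinned release key(s). Returns False when gpgv is not
    installed, so 'not checked' is never mistaken for 'verified'.
    """
    if shutil.which("gpgv") is None:
        return False
    proc = subprocess.run(["gpgv", "--keyring", keyring_path, sig_path, sums_path],
                          capture_output=True)
    return proc.returncode == 0


def verify_downloads(sums_text: str, download_dir: str) -> Dict[str, str]:
    """Return {name: 'OK' | 'MISMATCH' | 'MISSING'} for every listed artefact.

    Call this only with sums_text whose signature gpgv_verify() accepted.
    """
    results: Dict[str, str] = {}
    for name, expected in parse_sha512sums(sums_text).items():
        path = os.path.join(download_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        # Constant-time compare is cheap insurance even though digests are public.
        ok = hmac.compare_digest(sha512_file(path), expected)
        results[name] = "OK" if ok else "MISMATCH"
    return results


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Constructed scenario: a clean download set, then one tampered binary."""
    files = {  # constructed stand-ins for release artefacts (assumed names)
        "opam-2.0.1-x86_64-linux": b"\x7fELF constructed binary",
        "opam-full-2.0.1.tar.gz": b"\x1f\x8b constructed source tarball",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # What the release engineer would publish (and sign): one line per file,
        # plus a macOS binary this downloader did not fetch.
        sums_text = "".join(f"{hashlib.sha512(data).hexdigest()}  {name}\n"
                            for name, data in files.items())
        sums_text += "0" * 128 + "  opam-2.0.1-x86_64-macos\n"
        clean = verify_downloads(sums_text, d)
        # Simulate a mirror serving a modified binary: append one byte.
        with open(os.path.join(d, "opam-2.0.1-x86_64-linux"), "ab") as f:
            f.write(b"\x00")
        tampered = verify_downloads(sums_text, d)
    return clean, tampered
```

In a real download flow the order is: fetch the release key fingerprint from a channel independent of the download server, build a keyring holding only that key, run `gpgv_verify` on `SHA512SUMS` and `SHA512SUMS.sig`, and only then call `verify_downloads`; the GitHub-generated source archives the second comment mentions are not covered by such a file, so they are deliberately absent from the constructed list.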

@dra27
Member

dra27 commented Jul 23, 2021

This was fixed for opam 2.0.1 - we sign the release binaries and the full sources tarball. We can't control the source artefacts produced by GitHub (but it's always possible to use the full sources tarball instead).

@dra27 dra27 closed this as completed Jul 23, 2021
@vog
Author

vog commented Jul 23, 2021

Ok, so back in 2018, this was already fixed 21 days after I created this ticket. Nice. 👍
