Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FEATURE] Signature verification using minisign #1194

Open
elchenberg opened this issue Apr 23, 2024 · 8 comments
Open

[FEATURE] Signature verification using minisign #1194

elchenberg opened this issue Apr 23, 2024 · 8 comments

Comments

@elchenberg
Copy link

Is your feature request related to a problem? Please describe.

I install the MinIO client using binary from the MinIO download page, similar to what is described here: https://min.io/docs/minio/linux/reference/minio-mc.html#quickstart

I would like to verify the signature using minisign. I found the public key in this old issue #382 and it still works.

I wonder where to check for the new official public key if it ever changes and my installation script breaks.

Describe the solution you'd like

To quote from #382:

This key should be uploaded to https://dl.min.io/ and some information about signature verification should be added to documentation.

I would be happy to do the second part of adding information about signature verification to the documentation.

Describe alternatives you've considered

Additional context
@elchenberg elchenberg added the triage Needs triage and scheduling label Apr 23, 2024
@ravindk89
Copy link
Collaborator

ravindk89 commented Apr 23, 2024
edited
Loading

Hm - @harshavardhana , @kannappanr - Do we have somewhere we stash the pubkey for verification purposes?

@elchenberg
Copy link
Author

For example, I think RabbitMQ has a very good documentation regarding their signing keys and how to verify the signatures: https://www.rabbitmq.com/docs/signatures

@djwfyi
Copy link
Collaborator

djwfyi commented Apr 24, 2024

See minio/minio#16857

Per that PR, the minisign pubkey is maintained here:
https://github.com/minio/minio/blob/77d5331e85962f5e00459c98f16137181ba08180/cmd/update.go#L555

@elchenberg
Copy link
Author

Would it be okay if I open a PR in the minio/pkger repository to add documentation on how to verify checksums and signatures of the downloaded binaries? Or should I open an issue over there to ask this question? 🙂

It looks to me as if this is used to generate this page: https://min.io/download

@ravindk89
Copy link
Collaborator

One step at a time - we're looking to see if we can get the public key placed in a well known spot.

From there we can update both the web docs and, as necessary, the Download page to discuss signature verification. It may require us first updating the website to ensure we maintain a certain flow to the page.

We appreciate your enthusiasm though :)

@elchenberg
Copy link
Author

elchenberg commented Apr 24, 2024
edited
Loading

Sounds good! There is no urgency from my side. Sorry that I have been pushy (unintentionally). I just did not want to demand changes without offering my help. 🙂

@ravindk89
Copy link
Collaborator

No worries - we are deeply grateful for your engagement

@djwfyi djwfyi removed the triage Needs triage and scheduling label May 13, 2024
@ravindk89
Copy link
Collaborator

@harshavardhana @kannappanr ping on this, I know it's not the highest priority but it would be great to get the minisign key into dl.min.io somewhere

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ravindk89 @elchenberg @djwfyi