build: when building from a tag, verify the tag's signature and working tree by cfm · Pull Request #7478 · freedomofpress/securedrop · GitHub

build: when building from a tag, verify the tag's signature and working tree #7478


Merged (1 commit), May 1, 2025

Conversation

@cfm cfm (Member) commented Mar 18, 2025

Status

Ready for review

Description of Changes

securedrop-apt-prod's pull-request template refers to checking that build logs demonstrate that the intended tag was built. But that's not what we get from:

git --no-pager log -1 --oneline --show-signature --no-color

  1. git log --show-signature verifies the signature on the tag's commit, not the tag itself, which still has to be verified manually with git tag -v.
  2. Either verification is enforced on history, not on the working tree actually being built from.

This pull request explicitly verifies both (1) and (2).

Testing

Review along with freedomofpress/securedrop-client#2431.

  • New checks are visible in CI.
  • Check out 2.12.0 and run make build-debs, and confirm that 2.12.0 is verified by tag rather than by commit.

Deployment

No deployment considerations.

  • If we adopt this change, we should check what other build scripts might need it too.
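The two gaps named in the description above, (1) `git log --show-signature` checking the tagged commit rather than the tag object, and (2) neither check saying anything about the working tree the build actually reads, can be closed by a small wrapper run before `make build-debs`. The script below is an added example, not SecureDrop's build script and not the code in this pull request; it assumes the tag is GPG-signed with a key already present in the builder's keyring, and the function names and the placeholder key identity in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not SecureDrop's own build code): when asked to build from
# a tag, verify (1) the tag object's own signature and (2) that the working
# tree is exactly that tag, with nothing staged, modified or untracked.
set -eu

# Policy decision on the exit status and output of `git tag -v`, kept as a
# pure function so it can be exercised on constructed output.
# Assumption: tags are GPG-signed, so gpg prints "Good signature" on success.
tag_verification_ok() {
    status="$1"; output="$2"
    # git tag -v exits non-zero for unsigned tags, lightweight tags,
    # unknown keys and bad signatures.
    [ "$status" -eq 0 ] || return 1
    # Fail closed unless gpg's explicit success marker is present.
    printf '%s\n' "$output" | grep -q 'Good signature' || return 1
    return 0
}

# (1) Verify the tag object itself. `git log --show-signature` would only
# check the signature on the commit the tag points to.
verify_tag_signature() {
    tag="$1"
    out=$(git tag -v "$tag" 2>&1) && status=0 || status=$?
    tag_verification_ok "$status" "$out"
}

# (2) Verify the working tree: HEAD must be the commit the tag names, and
# the tree must carry no uncommitted, staged or untracked changes.
verify_working_tree() {
    tag="$1"
    [ "$(git rev-parse HEAD)" = "$(git rev-parse "$tag^{commit}")" ] || return 1
    git diff --quiet HEAD -- || return 1
    [ -z "$(git status --porcelain --untracked-files=all)" ] || return 1
    return 0
}

# Entry point a build target would call with the tag being built.
verify_build_ref() {
    tag="$1"
    verify_tag_signature "$tag" || {
        echo "refusing to build: tag $tag not verified by signature" >&2
        return 1
    }
    verify_working_tree "$tag" || {
        echo "refusing to build: working tree does not match $tag" >&2
        return 1
    }
    echo "verified: building tag $tag from a clean working tree"
}

# Usage: ./verify-build-ref.sh 2.12.0   (run from the checkout being built)
if [ "$#" -gt 0 ]; then verify_build_ref "$1"; fi
```

The order matters: the signature check runs first so that a dirty tree never masks an unverified tag in the build log, and each failure names the reason so a reviewer of that log can tell the two cases apart.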

@cfm cfm requested a review from a team as a code owner March 18, 2025 19:22
@cfm cfm added this to SecureDrop Mar 18, 2025
@cfm cfm moved this to Ready For Review in SecureDrop Mar 18, 2025
@legoktm legoktm (Member) left a comment

The code is fine, but want to see if we can get in sync with the client repo as well.

@cfm cfm moved this from Ready For Review to Under Review in SecureDrop Apr 16, 2025
@cfm cfm self-assigned this Apr 16, 2025
@cfm cfm force-pushed the actually-verify-tag branch from 39b532f to bb730e5 April 29, 2025 22:39
…ng tree

"git log --show-signature" verifies the signature on the tag's commit,
not the tag itself.  Either verification is enforced on history, not on
the working tree actually being built from.

Co-authored-by: Kunal Mehta <legoktm@debian.org>
@cfm cfm force-pushed the actually-verify-tag branch from bb730e5 to ccad4dd April 29, 2025 22:41
cfm added a commit to freedomofpress/securedrop-client that referenced this pull request Apr 29, 2025
@cfm cfm moved this from Under Review to In Progress in SecureDrop Apr 30, 2025
@cfm cfm moved this from In Progress to Ready For Review in SecureDrop Apr 30, 2025
@cfm cfm requested a review from legoktm April 30, 2025 18:57
@cfm cfm assigned legoktm and unassigned cfm Apr 30, 2025
@legoktm legoktm added this pull request to the merge queue May 1, 2025
Merged via the queue into develop with commit 216a5ca May 1, 2025
45 checks passed
@github-project-automation github-project-automation bot moved this from Ready For Review to Done in SecureDrop May 1, 2025