[FEATURE] Signature verification using minisign #1194
Comments
Hm - @harshavardhana, @kannappanr - Do we have somewhere we stash the pubkey for verification purposes?
For example, I think RabbitMQ has very good documentation regarding their signing keys and how to verify the signatures: https://www.rabbitmq.com/docs/signatures
Per that PR, the minisign pubkey is maintained here:
Would it be okay if I open a PR in the minio/pkger repository to add documentation on how to verify checksums and signatures of the downloaded binaries? Or should I open an issue over there to ask this question? 🙂 It looks to me as if this is used to generate this page: https://min.io/download
One step at a time - we're looking to see if we can get the public key placed in a well known spot. From there we can update both the web docs and, as necessary, the Download page to discuss signature verification. It may require us first updating the website to ensure we maintain a certain flow to the page. We appreciate your enthusiasm though :)
Sounds good! There is no urgency from my side. Sorry that I have been pushy (unintentionally). I just did not want to demand changes without offering my help. 🙂
No worries - we are deeply grateful for your engagement
@harshavardhana @kannappanr ping on this, I know it's not the highest priority but it would be great to get the minisign key into dl.min.io somewhere
Is your feature request related to a problem? Please describe.
I install the MinIO client using the binary from the MinIO download page, similar to what is described here: https://min.io/docs/minio/linux/reference/minio-mc.html#quickstart
I would like to verify the signature using minisign. I found the public key in this old issue #382 and it still works. I wonder where to check for the new official public key if it ever changes and my installation script breaks.
Describe the solution you'd like
To quote from #382:
I would be happy to do the second part of adding information about signature verification to the documentation.
Describe alternatives you've considered
Additional context