Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Include sha256 hashes of release downloads in announcement communications #16

Open
gpshead opened this issue Dec 15, 2021 · 4 comments
Open

Include sha256 hashes of release downloads in announcement communications #16

gpshead opened this issue Dec 15, 2021 · 4 comments

Comments

@gpshead
Copy link
Member

gpshead commented Dec 15, 2021

BPO 46077
Nosy @gpshead, @ydroneaud

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

Show more details

GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2021-12-15.01:40:48.306>
labels = ['deferred-blocker', '3.9', '3.10', '3.11']
title = 'Include sha256 hashes of release downloads in announcement communications'
updated_at = <Date 2021-12-15.08:49:37.120>
user = 'https://github.com/gpshead'

bugs.python.org fields:

activity = <Date 2021-12-15.08:49:37.120>
actor = 'ydroneaud'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = []
creation = <Date 2021-12-15.01:40:48.306>
creator = 'gregory.p.smith'
dependencies = []
files = []
hgrepos = []
issue_num = 46077
keywords = []
message_count = 1.0
messages = ['408579']
nosy_count = 2.0
nosy_names = ['gregory.p.smith', 'ydroneaud']
pr_nums = []
priority = 'deferred blocker'
resolution = None
stage = None
status = 'open'
superseder = None
type = None
url = 'https://bugs.python.org/issue46077'
versions = ['Python 3.9', 'Python 3.10', 'Python 3.11']
@gpshead
Copy link
Member Author

gpshead commented Dec 15, 2021

The announcement email list (https://mail.python.org/archives/list/[email protected]/) and other places we make announcements beyond just the release pages like https://www.python.org/downloads/release/python-3101/ should include a list of sha256 hashes of the release binaries in the announcement text.

This serves as an alternative confirmation that nothing has changed as such announcements are widely distributed and archived by independent parties and individuals and can thus convey a level of trust that a hash listed on the downloads page cannot (where an attacker would simply modify both).

Yes there is a gpg signature on the downloads. I encourage people to use that. But this provides an alternate distributed mechanism to verify that nothing has changed at all since the release announcement. Something a gpg signature cannot fully do (consider this protection against the possibility of new signed binary being put into its place by a compromised key/signer/builder/RM before anyone happens to notice and poke around).

A simple table of:

filename.tar.gz | sha256 hash
filename.msi | sha256 hash
filename.dmg | sha256 hash
...

At the end of the announcement email/post would suffice.

Less of an issue on source packages as those can be verified against the git repo. But it's nice for people to know if binaries change without an announcement and explanation and is easy for us to provide.

Bonus points if the release announcement email body itself is signed (if that is even feasible per our release signing GPG key management).

[context: see recent python-dev subject: Python release announcement format]

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
@pablogsal
Copy link
Member

⚠️ This issue has been updated from 'deferred-blocker' to 'release blocker' as we are past beta1. This issue will block the next release (Python 3.11.0 beta 2). ⚠️

@radarhere radarhere mentioned this issue Jun 18, 2022
Closed
@tiran
Copy link
Member

tiran commented Jul 8, 2022

I have a proposal for a slightly simpler approach. Instead of a table I recommend to use the BSD-style checksum format. It's an established file format that contains digest algorithm, file name and digest per line. Standard sha256sum can create and validate the file:

$ sha256sum --tag [pP]ython* > sha256sum.txt
$ cat sha256sum.txt
SHA256 (python-3.10.5-amd64.exe) = 69165821dad57c6d8d29ec8598933db7c4498f8ef9d477fa13c677fd82567b58
SHA256 (python3105.chm) = d017a9edad1857eb3cee1eeec89de75742aec20da09957f6eff2bffe29c3d9e8
SHA256 (python-3.10.5-embed-amd64.zip) = a58959ac2b636105fa7c2308508c281f578a70fda15249a04d04b4d26b5ea2cf
SHA256 (python-3.10.5-embed-win32.zip) = af0b0aabab13faaa149f66793457aa4866517aa07552ab93a684f08c864cc4c9
SHA256 (python-3.10.5.exe) = 66840f49275bf6ca66a40f1faf9b79ff135779109086f59b25452a480ec54ba4
SHA256 (python-3.10.5-macos11.pkg) = 36ff0f2ef1fdd8603042576d206224a76db32a0000e8332877751f86d98abc53
SHA256 (Python-3.10.5.tar.xz) = 8437efd5b106ef0a75aabfbf23d880625120a73a86a22ade4d2e2e68d7b74486
SHA256 (Python-3.10.5.tgz) = 18f57182a2de3b0be76dfc39fdcfd28156bb6dd23e5f08696f7492e9e3d0bf2d

validation

$ sha256sum --check sha256sum.txt 
python-3.10.5-amd64.exe: OK
python3105.chm: OK
python-3.10.5-embed-amd64.zip: OK
python-3.10.5-embed-win32.zip: OK
python-3.10.5.exe: OK
python-3.10.5-macos11.pkg: OK
Python-3.10.5.tar.xz: OK
Python-3.10.5.tgz: OK

validation with missing files

$ rm *.exe *.chm
$ sha256sum --check --ignore-missing sha256sum.txt 
python-3.10.5-embed-amd64.zip: OK
python-3.10.5-embed-win32.zip: OK
python-3.10.5-macos11.pkg: OK
Python-3.10.5.tar.xz: OK
Python-3.10.5.tgz: OK

@pablogsal pablogsal transferred this issue from python/cpython Jul 11, 2022
@pablogsal
Copy link
Member

Transferred from the CPython repo

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@gpshead @tiran @hugovk @pablogsal