Opened 11 years ago

Closed 8 years ago

Last modified 8 years ago

#787 closed defect (fixed)

Instructions should include a recommendation that users check signatures

Reported by: anongoblin Owned by:
Priority: major Milestone: 1.0
Component: documentation Keywords:
Cc: Alex Jordan Parent Tickets:


On , the instructions for deploying mediagoblin itself are:

git clone git://
cd mediagoblin
git submodule init && git submodule update

It would probably be a good idea to recommend that users make sure that they're getting the real mediagoblin code, and not a trojan or something. One part of doing that would be to point them at the https URL (see #786), but since tags are signed, it might be a good idea to include instructions for checking signed tags too.

Attachments (2)

0001-Document-how-to-verify-git-tag-signatures.patch (2.4 KB ) - added by Alex Jordan 8 years ago.
0001-Document-how-to-verify-git-tag-signatures-v2.patch (3.0 KB ) - added by Alex Jordan 8 years ago.
patch v2

Download all attachments as: .zip

Change History (15)

comment:1 by Simon Fondrie-Teitler, 11 years ago

Parent Tickets: 786

comment:2 by anongoblin, 11 years ago

Probably, the instructions should also include the instructions to check out a tag, so that people following the "v0.5.1" installation instructions don't wind up installing the latest patches on git master.

comment:3 by Christopher Allan Webber, 10 years ago

So there are kind of two things here, one of them is to tell users to check the GPG key... good idea! That suggestion should be added to the docs.

Here's my key fingerprint, in case that helps:

Key fingerprint = 510A 8628 E2A7 7678 8F8C  709C 4BC0 2592 5FF8 F4D3

Secondly is updating the docs to check out a specific tag is a good idea... though it may require some rethinking of how the deployment docs are written, particularly on "how to upgrade ot a new version".

comment:4 by Christopher Allan Webber, 10 years ago

Also the "checkout from tags" bit could be its own ticket.

comment:5 by Jim Campbell, 9 years ago

I do like the idea of being able to verify software installed via pip. I'm entirely unsure how to do this, though.

with regards to anongoblin's initial suggestion that we present users with a way to not install from master, this is fixed in the current docs version. We request that users clone the stable branch:

git clone -b stable

I'll leave this ticket open for now, but would appreciate more direction on what should be checked via the GPG key. I'm comfortable with verifying a single file via GPG, but am not certain what should be verified if someone is pulling-in the entire MediaGoblin stack.

comment:6 by Loic Dachary, 8 years ago

Parent Tickets: 786

comment:7 by Alex Jordan, 8 years ago

Cc: Alex Jordan added

jcampbell: I believe anongoblin is suggesting that the Git tag be verified, not an individual file. IIRC you can do this with git tag --verify $tag.

(The longer explanation is that verifying a Git tag essentially serves to verify the entire source checkout, because if any file in the tree were to be tampered with, that would change the SHA1s of commit and tree objects, which would then not be referenced by the signed tag.)

Of course, that doesn't cover all the stuff that Pip is downloading, but it's a start...

comment:8 by Alex Jordan, 8 years ago

Owner: set to Alex Jordan
Status: newin_progress

I just attached a patch. Note that it *does not work yet*. I need someone to explain to me why the origin/master branch contains work that the v0.9.0 tag does not, and then I can fix the documentation.

Also, I'm assuming that all releases are signed by cwebber. If this isn't the case, that needs to be fixed as well.

comment:9 by Christopher Allan Webber, 8 years ago

So, strugee asked why we have the tags and master and stable, so here's clarification:

  • origin/master: Contains our latest development code, we're working on it towards the next release
  • vX.X.X tag: release with vX.X.X version
  • stable: latest release, possibly with a couple of small cleanup commits on top of it (this allows users to have an easy branch to keep their mediagoblin checkout set to, and also allows us to make minor documentation fixes and etc without putting out a full new release)

comment:10 by Alex Jordan, 8 years ago

Whoops, I typo'd. I meant origin/stable, not origin/master. In any case, you answered my question. Thanks! I'll attach a new patch shortly.

by Alex Jordan, 8 years ago

patch v2

comment:11 by Alex Jordan, 8 years ago

Owner: Alex Jordan removed
Status: in_progressreview

Aaaaand done! This is ready for review.

comment:12 by Christopher Allan Webber, 8 years ago

Resolution: fixed
Status: reviewclosed

Looks great! Thanks Strugee! I merged it!

comment:13 by Christopher Allan Webber, 8 years ago

Milestone: 1.0
Note: See TracTickets for help on using tickets.