[jboss-jira] [JBoss JIRA] (WFLY-2979) Allow release file end-to-end verification through cryptographic signatures
Tomaz Cerar (JIRA)
issues at jboss.org
Thu Feb 20 09:49:59 EST 2014
[ https://issues.jboss.org/browse/WFLY-2979?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tomaz Cerar updated WFLY-2979:
------------------------------
Component/s: Build System
> Allow release file end-to-end verification through cryptographic signatures
> ---------------------------------------------------------------------------
>
> Key: WFLY-2979
> URL: https://issues.jboss.org/browse/WFLY-2979
> Project: WildFly
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: Build System
> Reporter: Alexander E. Fischer
>
> The only means of verification of the downloaded release files are SHA1 and MD5 hash files not even linked on the main download page:
> https://repository.jboss.org/nexus/content/groups/public/org/wildfly/wildfly-dist/8.0.0.Final/
> Both MD5 and SHA1 are considered broken for security use.
> Please provide an OpenPGP (GnuPG/PGP) signature created by the release manager for each release, using SHA256 or higher as the signature hash algorithm, to enable users to do an end-to-end verification of the downloaded files.
> To do this the release manager needs an OpenPGP certificate (please use RSA and a minimal key size of 2048 bit, better 4096 bit). The public certificate should be easily available through your HTTPS site and simultaneously committed to the OpenPGP keyserver network. It wouldn't hurt to display the certificate fingerprint (which is not the same as the key ID) on your HTTPS site as well.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
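The verification flow the report asks for, written out as an added example (it is not WildFly's own release tooling and not part of the JIRA thread): the user pins the full key fingerprint published on the HTTPS site, imports the key into a throwaway keyring, and only accepts a detached signature that was made by that key with a SHA-2 hash. The key URL and the fingerprint in PINNED_FPR are constructed placeholders.

```shell
#!/bin/sh
# Added example, not WildFly's code. Assumes the release manager publishes
# <file>.asc beside each release file and the full key fingerprint on the
# project's HTTPS site. PINNED_FPR and the key URL are placeholders.
set -u
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"   # constructed placeholder
KEY_URL="https://example.invalid/release-key.asc"       # constructed placeholder

# Normalise a fingerprint for comparison: drop spaces, upper-case the hex.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Inspect "gpg --status-fd 1 --verify" output. Accept only a VALIDSIG line
# whose (sub)key or primary-key fingerprint equals the pinned one and whose
# hash algorithm id is SHA-2 (8=SHA256, 9=SHA384, 10=SHA512, 11=SHA224);
# MD5 (1) and SHA1 (2) are refused. Returns 0 on success, 1 otherwise.
check_status() {            # $1 = gpg status text, $2 = expected fingerprint
  want=$(norm_fpr "$2")
  printf '%s\n' "$1" | (
    while read -r tag kw fpr _d _t _e _v _r _pk hash _sc primary _rest; do
      [ "$tag" = "[GNUPG:]" ] || continue
      case "$kw" in
        BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) exit 1 ;;  # never trust these
        VALIDSIG) ;;
        *) continue ;;
      esac
      [ "$fpr" = "$want" ] || [ "$primary" = "$want" ] || continue
      case "$hash" in 8|9|10|11) exit 0 ;; esac    # SHA-2 family only
    done
    exit 1                  # no acceptable VALIDSIG line seen
  )
}

# End-to-end check: isolated keyring, key fetched over HTTPS, fingerprint
# (not the short key ID) compared against the pinned value, then the
# detached signature verified and its status lines checked above.
verify_release() {          # $1 = release file, $2 = detached signature (.asc)
  GNUPGHOME=$(mktemp -d) && export GNUPGHOME
  trap 'rm -rf "$GNUPGHOME"' EXIT
  curl -fsSL "$KEY_URL" | gpg --batch --quiet --import || return 1
  got=$(gpg --batch --with-colons --fingerprint | awk -F: '$1=="fpr"{print $10; exit}')
  [ "$got" = "$(norm_fpr "$PINNED_FPR")" ] || { echo "fingerprint mismatch: $got" >&2; return 1; }
  status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null)
  check_status "$status" "$PINNED_FPR"
}

if [ "$#" -eq 2 ]; then verify_release "$1" "$2"; fi
```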