MariaDB Server issue MDEV-6205

MariaDB source releases should be signed


      Description

      Current MariaDB source releases at mariadb.org and mirrors are not signed. There is an MD5SUM file next to the source releases, which is useful to check that the download is not corrupted, but whoever can replace the tarball on a mirror or in transit can replace the MD5SUM file as well; only an OpenPGP signature would also protect against a possible man-in-the-middle attack.

      Please use the current packaging key used to sign binary releases:

      pub   1024D/1BB943DB 2010-02-02
      uid                  MariaDB Package Signing Key <package-signing-key@mariadb.org>

      Use it to sign the sources, e.g.

      gpg --detach-sign --armor mariadb-5.5.37.tar.gz

      Publish the resulting mariadb-5.5.37.tar.gz.asc file next to the actual source file.

      For example, the Debian uscan tool, which watches for new releases and downloads them, will support automated signature checking, and it will be easy to enable if there is a file named mariadb-5.5.37.tar.gz.asc sitting next to the source release file. uscan info at https://wiki.debian.org/debian/watch/#Cryptographic_signature_verification

      Oracle publishes source signatures for MySQL, e.g. https://dev.mysql.com/downloads/gpg.php?file=mysql-5.6.17.tar.gz and they advertise it on their download page at https://dev.mysql.com/downloads/mysql/ . MariaDB could do it slightly better by using a stronger signing key.
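      As an added example, not part of this issue or of MariaDB's release tooling: a POSIX shell script that runs the signing command above on a constructed stand-in tarball, then checks it the way a downloader or uscan would, and shows why MD5SUM alone does not catch a substituted tarball when the MD5SUM file is substituted too. It uses a throwaway RSA key generated in a temporary GNUPGHOME (not the MariaDB Package Signing Key), a constructed file named mariadb-5.5.37.tar.gz, and assumes gpg and GNU md5sum are installed; the function names and the example key identity are the example's own.

```shell
#!/bin/sh
# Added example (not MariaDB project code): sign a release tarball with a
# detached ASCII-armored OpenPGP signature, then verify it as a downloader
# would. Uses a throwaway key in a temporary GNUPGHOME; nothing here touches
# the real MariaDB Package Signing Key.
set -eu

# Release-manager side: the command from the issue. Produces $1.asc.
sign_release() {
    gpg --batch --yes --detach-sign --armor "$1"
}

# Mirror side: MD5SUM in the "hash  filename" layout that md5sum -c reads.
write_md5sum() {
    ( cd "$(dirname "$1")" && md5sum "$(basename "$1")" >MD5SUM )
}

# Downloader side, check 1: the checksum only detects accidental corruption.
check_md5() {
    ( cd "$(dirname "$1")" && md5sum -c --status MD5SUM )
}

# Downloader side, check 2: gpg exits non-zero for a bad signature or an
# unknown key. In practice the public key is imported from a source other
# than the download mirror; in this demo signer and verifier share a keyring.
verify_release() {
    gpg --batch --verify "$1.asc" "$1" >/dev/null 2>&1
}

# Scenario: sign a constructed tarball, confirm both checks pass, then swap
# the tarball and regenerate MD5SUM as someone controlling the mirror could.
# Returns 0 when the signature check catches the swap and MD5SUM does not.
demo_mitm() {
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    # Throwaway key (constructed identity). %no-protection avoids a
    # passphrase prompt in batch mode.
    cat >"$work/keyparams" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Example Signing Key (constructed)
Name-Email: signing@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --batch --gen-key "$work/keyparams" >/dev/null 2>&1

    release="$work/mariadb-5.5.37.tar.gz"      # constructed stand-in
    printf 'constructed stand-in for the source tarball\n' >"$release"
    sign_release "$release"
    write_md5sum "$release"

    # Untampered download: both checks must pass.
    if ! check_md5 "$release"; then echo "MD5 check failed on clean file"; return 1; fi
    if ! verify_release "$release"; then echo "signature failed on clean file"; return 1; fi

    # Substituted download: MD5SUM is rewritten to match, but no .asc can be
    # produced for the new contents without the private key.
    printf 'tampered contents\n' >"$release"
    write_md5sum "$release"
    md5_caught=0; check_md5 "$release" || md5_caught=1
    sig_caught=0; verify_release "$release" || sig_caught=1
    echo "MD5SUM caught the swap: $md5_caught (0 = no, attacker rewrote MD5SUM)"
    echo "signature caught the swap: $sig_caught (1 = yes)"

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    if [ "$md5_caught" -eq 0 ] && [ "$sig_caught" -eq 1 ]; then return 0; else return 1; fi
}

# Run the scenario when the tools are present.
if command -v gpg >/dev/null 2>&1 && command -v md5sum >/dev/null 2>&1; then
    if demo_mitm; then
        echo "signature verification detected the substituted tarball; MD5SUM did not"
    else
        echo "demo did not behave as expected"
    fi
fi
```

      The verify_release step is what an automated consumer such as uscan does once the .asc file is published next to the tarball; the only piece the downloader must obtain separately, and once, is the publisher's public key.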

            People

            Assignee:
            dbart Daniel Bartholomew
            Reporter:
            otto Otto Kekäläinen