caiok commented on issue #420: Issue 419: dockerfile - auto verify asc file GPG_KEY
URL: https://github.com/apache/bookkeeper/pull/420#issuecomment-321244160

@zhaijack What kind of connection error did you get?

Your second solution doesn't add any further security, because you are downloading that file from the same (potentially compromised) source.

Another way could be to place the key fingerprints of the release signers in a file in the GitHub repo (e.g. bookkeeper/KEYS or whatever) that keeps the key fingerprint of every released version in an easily parsable format (e.g. "4.5.0\tB3D56514"), and download it via GitHub static. I don't know if it is a feasible solution, but it would provide the same security level as the original (to compromise the released files one would have to gain write access to both the released files and the GitHub repo, which is much more difficult). The update of this file should be done in the release procedure. It is very similar to the original solution (someone has to commit an update to a file), but in this case you don't need to update the Docker image, only a general utility file.

@sijie What do you think about it?
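The pinned-fingerprint check proposed above, as an added example that is not part of the comment or of the BookKeeper project: the KEYS file format, its sample entries and the helper names are assumptions, and it pins full 40-hex fingerprints rather than the short key ID shown in the comment, since short IDs are not collision-resistant.

```shell
#!/usr/bin/env bash
# Hypothetical helper (not BookKeeper project code): verify a release tarball's .asc
# signature against a fingerprint pinned in a KEYS file fetched from a second source.
# Assumed KEYS format, one release per line: "<version>\t<fingerprint>".
set -eu

# Write a constructed KEYS file (sample data, not real release keys) and print its path.
sample_keys_file() {
  local f; f="$(mktemp)"
  printf '4.4.0\t0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567\n' > "$f"
  printf '4.5.0\tFEDCBA9876543210FEDCBA9876543210FEDCBA98\n' >> "$f"
  echo "$f"
}

# Print the fingerprint pinned for VERSION (spaces stripped, upper-cased), or nothing.
expected_fingerprint() {
  awk -F'\t' -v v="$1" '$1 == v { gsub(/ /, "", $2); print toupper($2); exit }' "$2"
}

# Only a full 40-hex-digit fingerprint identifies a key unambiguously; a short key ID
# such as "B3D56514" can be collided and is rejected as a pin.
is_full_fingerprint() {
  printf '%s' "$1" | grep -Eq '^[0-9A-F]{40}$'
}

# verify_release VERSION KEYS_FILE PUBKEY_FILE TARBALL  (expects TARBALL.asc beside it)
# Imports the signer's key into a throwaway keyring, then accepts the file only if gpg
# reports a VALIDSIG made by the pinned key itself, not by any other key in PUBKEY_FILE.
verify_release() {
  local version="$1" keys_file="$2" pubkey="$3" tarball="$4" fpr home status
  fpr="$(expected_fingerprint "$version" "$keys_file")"
  [ -n "$fpr" ] || { echo "no pinned key for $version" >&2; return 1; }
  is_full_fingerprint "$fpr" || { echo "pin for $version is not a full fingerprint" >&2; return 1; }
  home="$(mktemp -d)"
  gpg --batch --quiet --homedir "$home" --import "$pubkey" 2>/dev/null \
    || { rm -rf "$home"; echo "cannot import $pubkey" >&2; return 1; }
  # --status-fd lines name the signing key; the pinned fpr must be the signing (first)
  # or the primary (last) fingerprint on the VALIDSIG line.
  status="$(gpg --batch --homedir "$home" --status-fd 1 --verify "$tarball.asc" "$tarball" 2>/dev/null || true)"
  rm -rf "$home"
  if printf '%s\n' "$status" | grep -Eq "^\[GNUPG:\] VALIDSIG ($fpr |.* $fpr\$)"; then
    echo "ok: $tarball signed by pinned key $fpr"
  else
    echo "FAIL: $tarball is not signed by pinned key $fpr" >&2; return 1
  fi
}
```

In a Dockerfile this would run after fetching the tarball, its .asc and the signer's public key, with KEYS pulled from the repository rather than from the download mirror.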