Draft: Update: check integrity of downloaded tarball before extracting it
This merge request will add GPG integrity checking to the update process (see #6222)
It assumes that the file https://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz will have a detached GPG signature that it can find under https://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz.sig .
Maintainers can create this signature with e.g.:
gpg --output ISPConfig-3-stable.tar.gz.sig --detach-sig ISPConfig-3-stable.tar.gz
Currently only the stable file will be checked. For the automatically created nightly tarball to also have a valid signature, we would probably need to have a trusted GPG private key somewhere on a CI system. That probably should be avoided.
I took the liberty to simplify server/scripts/update_runner.sh and make some changes suggested by shellcheck.
This is still a draft merge request because it needs:
- some tests with test signatures (done by me)
- We need to collect all GPG keys of all maintainers who should be able to sign the validity of the downloads in security/trustedkeys.gpg
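A sketch of the verify-before-extract step described in this merge request, added here as an example and not taken from the merge request's own code. The function name `verify_and_extract` and its four arguments are assumptions; it uses `gpgv` with a keyring file such as the security/trustedkeys.gpg named above, and fails closed on any error.

```shell
#!/bin/sh
# Added example (not the project's code): verify a detached signature
# against a fixed keyring, and extract only if verification succeeds.

verify_and_extract() {
    tarball=$1      # e.g. ISPConfig-3-stable.tar.gz (already downloaded)
    signature=$2    # e.g. ISPConfig-3-stable.tar.gz.sig
    keyring=$3      # e.g. security/trustedkeys.gpg
    destdir=$4      # created only after the signature verifies

    # Refuse to continue if any input is missing or empty.
    for f in "$tarball" "$signature" "$keyring"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty file: $f" >&2
            return 1
        fi
    done

    # gpgv checks signatures only against the keyring it is given; it does
    # not consult the user's own keyring or any keyserver.
    if ! command -v gpgv >/dev/null 2>&1; then
        echo "gpgv not found, refusing to extract unverified tarball" >&2
        return 1
    fi

    # Use an absolute path so gpgv never resolves the keyring name
    # relative to its home directory.
    case $keyring in
        /*) ;;
        *) keyring=$PWD/$keyring ;;
    esac

    # Argument order for a detached signature: signature first, then data.
    if ! gpgv --keyring "$keyring" "$signature" "$tarball" >/dev/null 2>&1; then
        echo "signature verification FAILED for $tarball" >&2
        return 1
    fi

    mkdir -p "$destdir" && tar -xzf "$tarball" -C "$destdir"
}
```

A bad or missing signature leaves the destination directory untouched, so a caller can abort the update on a non-zero return.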