Draft: Update: check integrity of downloaded tarball before extracting it

Daniel Jagszent requested to merge d--j/ispconfig3:verify-download into develop

This merge request will add GPG integrity checking to the update process (see #6222).

It assumes that the file https://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz will have a detached GPG signature that it can find under https://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz.sig .

Maintainers can create this signature with e.g.:

gpg --output ISPConfig-3-stable.tar.gz.sig --detach-sig ISPConfig-3-stable.tar.gz

Currently only the stable file will be checked. For the automatically created nightly tarball to also have a valid signature, we would probably need to have a trusted GPG private key somewhere on a CI system. That probably should be avoided.

I took the liberty of simplifying server/scripts/update_runner.sh and making some changes suggested by shellcheck.

This is still a draft merge request because it needs:

  • some tests with test signatures (done by me)
  • We need to collect all GPG keys of all maintainers who should be able to sign the validity of the downloads in security/trustedkeys.gpg
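
The verify-before-extract step described above, as an added example; it is not code from this merge request or from ISPConfig. It assumes GnuPG's `gpgv` as the verifier, and the function name `verify_and_extract`, the `GPGV` variable and all paths are hypothetical.

```shell
#!/bin/sh
# Added example: fail-closed check of a detached signature before extraction.
# verify_and_extract, GPGV and every path below are hypothetical names.

GPGV="${GPGV:-gpgv}"   # GnuPG's verify-only tool; overridable for testing

# Usage: verify_and_extract TARBALL SIGNATURE KEYRING DESTDIR
# Returns 0 only when gpgv accepts SIGNATURE over TARBALL using KEYRING,
# 1 when verification fails, 2 when an input is missing or empty.
verify_and_extract() {
    tarball=$1 sig=$2 keyring=$3 dest=$4

    # A failed or empty .sig download must never be read as "nothing to check".
    for f in "$tarball" "$sig" "$keyring"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done

    # gpgv looks up slash-less keyring names in the GnuPG home directory,
    # so force a path to make sure the shipped keyring is the one used.
    case $keyring in
        */*) ;;
        *) keyring=./$keyring ;;
    esac

    # Only keys in this keyring are accepted as signers.
    if ! "$GPGV" --keyring "$keyring" "$sig" "$tarball" >/dev/null 2>&1; then
        echo "signature verification failed, not extracting: $tarball" >&2
        return 1
    fi

    # Extract the same local file that was just verified.
    mkdir -p "$dest" && tar -xzf "$tarball" -C "$dest"
}

# Example call (constructed paths):
# verify_and_extract ISPConfig-3-stable.tar.gz ISPConfig-3-stable.tar.gz.sig \
#     security/trustedkeys.gpg /tmp/ispconfig-update
```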
