Signed breakpad releases on Github


Pawel Kurdybacha

Apr 19, 2023, 8:03:02 AM
to Google Breakpad Development
Hi,

I hope you are all well.
I wonder if it would be possible to sign breakpad releases on the GitHub mirror?
Currently breakpad is not distributed anywhere outside chromium (as far as I am aware), and for use cases that only require breakpad, downloading chromium just to extract breakpad seems too much. This is for verification purposes. More details on https://wiki.debian.org/Creating%20signed%20GitHub%20releases

Kind Regards,
Pawel

Mike Frysinger

Apr 19, 2023, 5:35:12 PM
to google-br...@googlegroups.com
GH already allows you to download archives of any commit, including git tags.  it has always supported this.
gitiles also allows you to download an archive of any commit in the repo, although it might not be immediately obvious how.

if your goal is a signed archive to verify, pretty sure the chromium archive doesn't offer that either.  which means downloading the chromium tarball to extract the breakpad subdir offers nothing over fetching it directly from the breakpad project.

i'd also argue that having a signed archive/tag doesn't add anything when the key used for signing isn't trusted by anyone else.  and i don't think we're going to go through the effort of signing our tags with an official key like what is used for Google Chrome.
-mike

To view this discussion on the web visit https://groups.google.com/d/msgid/google-breakpad-dev/4df77caf-86d6-40ac-93f6-e078e468fc70n%40googlegroups.com.

Pawel Kurdybacha

Apr 20, 2023, 3:10:10 AM
to Google Breakpad Development
Thanks for the reply Mike.

I was not clear about downloading chromium and extracting breakpad. I meant doing that from an official package of a particular OS distribution. This is about security compliance when distributing software to clients. Official distro packages are compliant; unsigned GitHub archives are not.

Kind Regards,
Pawel

Mike Frysinger

Apr 20, 2023, 12:23:52 PM
to google-br...@googlegroups.com
i understand your checklist might say that, but there is zero security difference here.  the source of the breakpad code is not verified regardless of how it was obtained.  you're basically describing "security laundering".  further, you haven't described how the security chain of trust is actually maintained with a signed GH tag.  it's trivial for anyone to generate a signed tag, but if you aren't actually verifying it against another trust source, it is completely meaningless.

i'm not against creating a signed tag (we're not going to do dedicated archives), i'm just pointing out that you've only described security theater thus far.  security theater is exactly that -- theater.
-mike
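The trust-anchor point Mike makes above (anyone can produce a tag that verifies, so a good signature means nothing unless the signer is checked against something the consumer already trusts), as an added shell example that is not from this thread or from the breakpad project. It builds a throwaway GnuPG home and git repository, generates two keys of which only one fingerprint is pinned by the consumer, signs a tag with each, and shows that plain git tag -v accepts both while the pin check accepts only the maintainer's. The key names, tag names, e-mail addresses and repository are all constructed here; the script assumes git and gpg (GnuPG 2.1 or newer) are on PATH and touches nothing outside a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the breakpad project or the thread.
# Demonstrates: a signed tag is only as meaningful as the trust anchor the
# verifier holds for the signing key.  Keys, tags and repo are all constructed
# here; assumes git and gpg (>= 2.1) on PATH.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"   # private keyring so the demo is self-contained
mkdir -m 700 "$GNUPGHOME"
REPO="$WORK/repo"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# make_key NAME -> prints the fingerprint of a fresh passphrase-less Ed25519 key.
make_key() {
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$1 <$1@example.invalid>" ed25519 sign never >/dev/null 2>&1
    gpg --batch --with-colons --list-keys "$1@example.invalid" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# make_repo -> repository with one empty commit to hang tags on.
make_repo() {
    git init -q "$REPO"
    git -C "$REPO" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "initial"
}

# sign_tag TAG FPR -> annotated tag TAG signed with key FPR.
sign_tag() {
    git -C "$REPO" -c user.name=demo -c user.email=demo@example.invalid \
        -c user.signingkey="$2" tag -s "$1" -m "release $1"
}

# git_tag_v_ok TAG -> exit 0 when plain "git tag -v" accepts TAG, i.e. the
# signature is good under *some* key in the keyring, trusted or not.
git_tag_v_ok() {
    git -C "$REPO" tag -v "$1" >/dev/null 2>&1
}

# signer_of TAG -> fingerprint that produced a valid signature on TAG, or empty
# when there is no valid signature.  Reads gpg's machine-readable status lines
# ([GNUPG:] VALIDSIG <fpr> ...) rather than the human-readable text.
signer_of() {
    git -C "$REPO" verify-tag --raw "$1" 2>&1 \
        | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }' || true
}

# verify_against_pin TAG PINNED_FPR -> "trusted" only when the tag has a valid
# signature AND the signer equals the fingerprint obtained out of band.
verify_against_pin() {
    signer=$(signer_of "$1")
    if [ -z "$signer" ]; then
        echo "unsigned-or-bad"
    elif [ "$signer" = "$2" ]; then
        echo "trusted"
    else
        echo "valid-but-untrusted"
    fi
}

MAINTAINER=$(make_key maintainer)   # the fingerprint a consumer would pin
IMPOSTOR=$(make_key impostor)       # anyone can mint one of these in seconds
make_repo
git -C "$REPO" -c user.name=demo -c user.email=demo@example.invalid \
    tag -a v0.9.0 -m "unsigned"     # an unsigned annotated tag for contrast
sign_tag v1.0.0 "$MAINTAINER"
sign_tag v1.0.1 "$IMPOSTOR"

for t in v0.9.0 v1.0.0 v1.0.1; do
    if git_tag_v_ok "$t"; then plain="git tag -v: ok"; else plain="git tag -v: FAIL"; fi
    echo "$t  $plain  pin check: $(verify_against_pin "$t" "$MAINTAINER")"
done
```

Both signed tags pass git tag -v because the keyring merely needs to contain the signing key; only the comparison against a fingerprint the consumer obtained from somewhere other than the repository itself separates the maintainer's tag from the impostor's. In practice that pin lives in the consumer's own tree (a debian/upstream/signing-key.asc, a keyring package, or a fingerprint in documentation fetched over a separate channel), which is the "other trust source" the message above asks about.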
