Installation instructions: PGP key from same source as signature #6728

@jpentland

Description

Background

In the installation instructions, Roasbeef's PGP key is obtained from a github gist, and then used to verify the release, also downloaded from github. Since the release is already being downloaded over SSL, this effectively means that the verification step adds no additional security.

Note: This was introduced in PR #3377:

"In this commit, we update the link to the security PGP key to a gist. We
do this as recent DoS attacks against popular keyservers have rendered
many of them unresponsive or only partially operating. As a temporary
measure, we link to a gist until an alternative solution is found."

Your environment

Downloading LND from the releases page on github.

Expected behaviour

If the PGP key was obtained from a different source, that would at least mean that github would have to collude with that source to forge a release.

Actual behaviour

See background

Labels: docs, golang/build system, security
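As an added example (not part of the issue above and not lnd's own installation instructions), the following POSIX shell script shows the check the issue asks for: the trust anchor is a key fingerprint pinned from a source independent of github.com, and the key file itself, wherever it is downloaded from, is accepted only if its fingerprint matches that pin. The signature check then insists that the valid signature was made by the pinned key rather than by any key that happens to be in the keyring. It assumes GnuPG 2.1 or later; the fingerprint, key file and manifest names in the usage comment are placeholders, not real values.

```shell
#!/bin/sh
# Added example: pin a fingerprint obtained out of band, then verify a release.
# Assumes GnuPG 2.1+ (--with-colons listing of a key file via show-only import).
# The fingerprint and file names used in comments are placeholders.
set -eu

# Canonical form of a fingerprint: no spaces, upper case, so that a pin copied
# from a web page ("0123 4567 ...") compares equal to gpg's output.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print the first primary-key
# fingerprint (the "fpr" record carries it in field 10).
fpr_from_colons() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# Read `gpg --status-fd` output on stdin; succeed only if a VALIDSIG line names
# the pinned key, either as the signing (sub)key (field 3) or as the primary
# key (last field). GOODSIG alone is not enough: it says a key in the keyring
# verified, not which one.
validsig_matches() {
  awk -v want="$1" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# Show the key file's fingerprint without importing it, and compare to the pin.
key_matches_pin() {
  keyfile=$1
  pinned=$(normalize_fpr "$2")
  actual=$(gpg --batch --with-colons --import-options show-only \
             --import "$keyfile" 2>/dev/null | fpr_from_colons)
  [ "$(normalize_fpr "$actual")" = "$pinned" ]
}

# Import the checked key, verify the detached signature over the manifest, and
# require that the valid signature comes from the pinned key.
verify_release() {
  keyfile=$1
  sigfile=$2
  datafile=$3
  pinned=$(normalize_fpr "$4")
  if ! key_matches_pin "$keyfile" "$pinned"; then
    echo "refusing key $keyfile: fingerprint does not match the pinned value" >&2
    return 1
  fi
  gpg --batch --import "$keyfile" 2>/dev/null
  gpg --batch --status-fd 1 --verify "$sigfile" "$datafile" 2>/dev/null \
    | validsig_matches "$pinned"
}

# Usage (placeholder names and placeholder fingerprint):
# verify_release signer.asc manifest.txt.sig manifest.txt \
#   "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
```

The pinned value has to come from somewhere other than the host serving the key file and the release (a project web page, a signed announcement, a keyserver once those are usable again, or a fingerprint recorded from an earlier verified release); if the pin is itself fetched from the same gist, the script only reproduces the problem the issue describes. Checking the VALIDSIG fingerprint also matters because `gpg --verify` exits 0 for a good signature from any imported key, so a stray key in the keyring would otherwise pass.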