Skip to content

Ensure security chain of RskJ source code

Ruben Altman edited this page Nov 13, 2017 · 13 revisions

Verify authenticity of RskJ source code and its binary dependencies

The authenticity of the source code must be verified by checking the signature of the release tags in the official Git repository. The authenticity of the binary dependencies is verified by Gradle after following the steps below to install the necessary plugins.

Download RSK Release Signing Key public key

For Linux based OS (Ubuntu for example) it's recommended to install curl and gnupg-curl in order to download the key through HTTPS. We recommend using GPG v1 to download the public key because GPG v2 has problems to connect to HTTPS key servers. You can also download the key using curl, wget or a web browser but always check the fingerprint before importing it.

$ gpg --keyserver https://secchannel.rsk.co/release.asc --recv-keys 5DECF4415E3B8FA4
gpg: requesting key 5E3B8FA4 from https server secchannel.rsk.co
gpg: key 5E3B8FA4: public key "RSK Release Signing Key <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Verify the fingerprint of the public key

$ gpg --finger 5DECF4415E3B8FA4
pub   4096R/5E3B8FA4 2017-05-16 [expires: 2022-05-15]
      Key fingerprint = 1A92 D894 2171 AFA9 51A8  5736 5DEC F441 5E3B 8FA4
uid                  RSK Release Signing Key <[email protected]>
sub   4096R/A44DCC86 2017-05-16 [expires: 2022-05-15]
sub   4096R/5E488E87 2017-05-16 [expires: 2022-05-15]
sub   4096R/9FC3E7C2 2017-05-16 [expires: 2022-05-15]

Verify the signature of SHA256SUMS.asc

The fileSHA256SUMS.asc is signed with RSK public key and includes SHA256 hashes of the files necessary to start the build process.

$ gpg --verify SHA256SUMS.asc 
gpg: Signature made mar 16 may 2017 16:47:56 ART
gpg:                using RSA key 0x67D06695A44DCC86
gpg: Good signature from "RSK Release Signing Key <[email protected]>" [ultimate]
Primary key fingerprint: 1A92 D894 2171 AFA9 51A8  5736 5DEC F441 5E3B 8FA4
     Subkey fingerprint: D135 DDC0 B54D 6EF3 5901  52DF 67D0 6695 A44D CC86

Note: you can read this page to know more about key management.

Verification of binary dependencies

The authenticity of the script configure.sh is checked using the sha256sum command and the signed SHA256SUM.asc file. The script is used to download and check the authenticity of the Gradle Wrapper and Gradle Witness plugins. After these plugins are installed, the authenticity of the rest of the binary dependencies is checked by Gradle.

Linux - Windows (bash console)

$ sha256sum --check SHA256SUMS.asc 
configure.sh: OK
sha256sum: WARNING: 19 lines are improperly formatted

MacOs

$ shasum --check SHA256SUMS.asc
configure.sh: OK
sha256sum: WARNING: 19 lines are improperly formatted

Note: if you are collaborating on this project with Git, it might produce unexpected results beacuse the way it's configured to handle line endings. See here how to solve the problem.

Run configure script to configure secure environment

$ ./configure.sh
Clone this wiki locally