Downloads should have a way to verify that they are official/authentic

[omajid]

Describe the Problem

I can now download full sources from the VMR:

Unfortunately, if I pass along the tarball to someone, there's no way for them to verify that the download is authentic and I didn't tamper with it.

Describe the Solution

Source-build should publish checksums (sha512, or similar) for release assets, similar to dotnet/installer#15803

As a further enhancement, gpg signatures would be even better, since they would guarantee that the tarball is a blessed and official release without any tampering (even, say GitHub staff, Microsoft staff other than those authorized to handle releases).

Additional Context

This ties into https://learn.microsoft.com/en-us/nuget/concepts/security-best-practices and https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

[crummel]

[Planning meeting notes]

• Signing the tag and the tarball are two different things (we should probably do both).
• Typical open-source practice tends to be a detached GPG signature on the entire tarball - this is not the same as a catalog signature which would attest to individual files inside the tarball.
• Nothing in our current process uses GPG signatures but it shouldn't be impossible.
• But we don't really have a way to establish trust for our GPG key - no CA infra for GPG keys.

[mmitche]

@omajid Is the debian-recommended process something like what you're looking for?

[omajid]

Yup, that's exactly it.

Though that document refers to auto-generated tarballs. I think we are still trying to get auto-generated tarballs to work with the VMR? The current workaround is to generate the tarballs via release-automation and attach it to the release.

Related, GitHub recently broken the bit-by-bit-reproducible guarantees with the auto-generated tarballs, so that makes custom tarballs more appealing for signing via GPG.

[MichaelSimons]

FYI, We will be working on getting the auto-generated tarballs to work in preview 4.