signature for registry files #10211
Labels
A-registries
Area: registries
C-feature-request
Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted`
S-triage
Status: This issue is waiting on initial triage.
Problem
In registry, files are served with only checksum. I'm worrying about "supply chain attack" when developers are using 3rd party mirror of registry. Since registry can define custom dl link for replacing the origin aws s3.
this should not be confused with #4768.
This issues is talking about how to ensure the 3rd party mirror are serving the crates unmodified from the origin ones. #4768 is talking about how to ensure the registry are serving the crates from the original authors.
Proposed Solution
I propose to add an optional gpg signature as long as the checksum which is signed by the registry authority (in current situation, it's crates.io). Just like
apt
and other os package mange system does, it has a signing keyring signs the packages.To maintain the backwards compatibility, the gpg signature should be optional but enforce for crates.io.
This is a valid record for now:
The new record look like this:
Notes
No response
The text was updated successfully, but these errors were encountered: