Sign deployments with AppVeyor key

Someone's Avatar


01 Mar, 2016 06:14 PM

I suggest AppVeyor to allow signing deployments with AppVeyor GPG key, so users can verify that the release was actually built by AppVeyor. For example, say you download a binary program from GitHub and Bintray. You would be able to download the .sig files and check the releases against the public AppVeyor key.

The private key of course would not be available in the build machines, this would be an internal feature when publising the releases. This feature would allow for more trusty releases distribution: instead of trusting binaries from "random people", you trust binaries from automated AppVeyor builds instead.

  1. Support Staff 1 Posted by Feodor Fitsner on 01 Mar, 2016 06:44 PM

    Feodor Fitsner's Avatar

    How does that work? Can you give more technical details/examples?

  2. 2 Posted by Someone on 10 Mar, 2016 03:14 AM

    Someone's Avatar

    I'm not sure about the internal implementation of AppVeyor, but basically you would create GPG private/public key pairs, and sign every artifact with such private key, thus generating a .sig/asc file that can be used to verify the file with the public key.

    This way, by trusting the public key from AppVeyor one can confirm that the artifact was in fact generated by AppVeyor. Well, technically one may download an external binary and add it as an artifact, so it needs to be figured out how to certify that an artifact was "actually built".

    I don't know in what language / scripting AppVeyor is implemented but you could try using GPG4Win for generating the keys and signing the artifacts, or even the command-line GPG from MSYS2, or maybe some native library for your language.

    One similar idea is using checksums associated with build logs. By reading a build log associated with a commit one could manually verify that the artifact was "actually built". Then its checksum (MD5, SHA-1, SHA-256 etc) may be printed in build log. This way, when someone downloads a file from BinTray or whatever, they can run a checksum program on the file and verify if the output is the same as the associated build log. I think this works well but the GPG signing would be more straightforward.

  3. 3 Posted by Someone on 19 Mar, 2016 04:31 PM

    Someone's Avatar

    This would be useful for example for building more reliable package repositories for MSYS2. One may desire distributing their own packages, but currently they need to be built by such random individual, and people need to trust their binaries.

    By using AppVeyor to build the packages and having it automatically upload a .sig file for each artifact, then once MSYS2 pacman trusts the AppVeyor public key, we would be able to install packages from and have pacman automatically confirming that the package was uploaded (not exactly built) by AppVeyor.

    About how many keys would be created, actually I think each project needs its own GPG key pair, so we do not trust all existing projects at once with a single public key. The GPG key would be created together with the project.

    Since uploading confirmation is not exactly a build confirmation, once anyone trusts a public key from some AppVeyor project, this would mean they are trusting the associated code repository, thus trusting that such repository will indeed build the artifact instead of downloading external binaries etc.

    In other words, instead of trusting that "AppVeyor built the artifact" we would trust that "AppVeyor uploaded the artifact and that the associated code repository indeed did build the artifact", whatever concept of "build' is acceptable for that context. However this seems reasonably satisfactory to me.

  4. 4 Posted by klkirkfield2 on 26 Jan, 2017 10:15 PM

    klkirkfield2's Avatar

    I'd like to see this feature too. For GitHub deployment, you can access the GPG keys stored on the GitHub account using the auth_token. Currently AV uses lightweight tags when deploying releases to GitHub. This will need to be changed to use annotated tags so that they can be GPG signed. There should also be a way for AV to manage the GPG keys if the user doesn't want GitHub to manage the keys. This could be useful in distinguishing between the user's GPG signature and AV's GPG signature.

  5. Ilya Finkelshteyn closed this discussion on 25 Aug, 2018 02:14 AM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac