Mercurial > p > roundup > code

annotate doc/security.txt @ 8236:2d0bd038fc5e

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
doc: clarify adding ctx argument to check command in schema.py On IRC user was unsure what file was used for the 1.51 - 1.60 upgrade section: Enhancement to check command for Permissions added file name desription and example. Also marked it as optional. Clarified that if or when it becomes required there will be a new required upgrade direction.
author John Rouillard <rouilj@ieee.org>
date Mon, 23 Dec 2024 21:10:54 -0500
parents 4dfc07ee489a
children abf1297e7a94
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
7092
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
1 .. meta::
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
2 :description:
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
3 Documentation on how to report security issues with
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
4 Roundup. Index to recent security related (CVE) descriptions
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
5 in other Roundup documentation. How to verify distribution
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
6 using gpg.
7092
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
7
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
8 .. index::
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
9 single: Reporting Security Issues
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
10 single: CVE announcements
7092
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
11 single: Security Issues, Reporting
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
12 single: Security Issues, Remediation
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
13 single: Security Issues, CVE announcements
7092
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
14
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
15
7428
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
16 =======================
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
17 Roundup Security Issues
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
18 =======================
7092
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
19
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
20 This page documents CVE's fixed starting with version 2.4.0, how to
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
21 report security issues, and verify the signatures for Roundup
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
22 source release tarballs.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
23
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
24 .. contents::
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
25 :local:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
26 :depth: 2
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
27
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
28 CVE Announcements
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
29 -----------------
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
30
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
31 * `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
32 vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
33 tracker homes.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
34 * `CVE-2024-39125`_ - :ref:`if Referer header is set to a script tag,
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
35 it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0,
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
36 directions available for fixing in prior versions.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
37 * `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from an
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
38 issue can contain embedded JavaScript which is
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
39 executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
40 available for fixing in prior versions.
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
41
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
42 .. _CVE-2024-39124:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
43 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39124
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
44 .. _CVE-2024-39125:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
45 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39125
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
46 .. _CVE-2024-39126:
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
47 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39126
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
48
7433
1c291a05d90f Add front matter and header "Reporting Security Issues"
John Rouillard <rouilj@ieee.org>
parents: 7430
diff changeset
49
1c291a05d90f Add front matter and header "Reporting Security Issues"
John Rouillard <rouilj@ieee.org>
parents: 7430
diff changeset
50 Reporting Security Issues
1c291a05d90f Add front matter and header "Reporting Security Issues"
John Rouillard <rouilj@ieee.org>
parents: 7430
diff changeset
51 -------------------------
7092
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
52 Security issues with Roundup should be reported by email to:
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
53
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
54 rouilj@users.sourceforge.net (John Rouillard)
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
55
7099
a3223f1966fc update to use ralf's preferred email address.
John Rouillard <rouilj@ieee.org>
parents: 7095
diff changeset
56 rsc@runtux.com (Ralf Schlatterbeck)
7092
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
57
7428
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
58 If these fail, you can find rouilj on irc in channel #roundup at
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
59 irc.oftc.net (see Contact_ for more directions and web
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
60 interface). Methods listed at Contact_ are all public, so they should
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
61 be used to contact somebody with the Roundup project for establishing
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
62 a proper method of reporting the security issue.
7092
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
63
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
64 .. _Contact: https://www.roundup-tracker.org/contact.html
7428
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
65
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
66 Verify Source Tarball
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
67 ---------------------
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
68
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
69 .. index::
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
70 single: Distribution, verify with gpg
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
71 single: Signature, verify
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
72
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
73 If you download the source tarball using ``python3 -m pip download
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
74 roundup`` or from https://pypi.org/project/roundup/#files you can
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
75 verify the file using gpg.
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
76
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
77 This is the information on the public PGP/GPG key used to sign Roundup
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
78 distributions. It is used to sign the 1.6.0, 2.2.0, and newer
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
79 releases. (Note that the @ sign in email addresses have been replaced
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
80 with the word "at" to reduce spam directed at the mailing list.)::
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
81
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
82 Key info: Roundup Team (signing key for roundup releases)
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
83 <roundup-devel at lists.sourceforge.net>
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
84 Expires: 2028-07-17
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
85 Key fingerprint = 411E 354B 5D1A F261 25D6 2122 1F2D D0CB 756A 76D8
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
86
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
87 Releases 1.6.1, 2.0.0 and 2.1.0 were accidentally signed with this key
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
88 [1]_::
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
89
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
90 Key info: John Rouillard (Roundup Release Key)
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
91 <rouilj+roundup at ieee.org>
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
92 Expires: 2023-07-09
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
93 Key fingerprint = A1E6 364E 9429 E9D8 2B3B 2373 DB05 ADC4 2330 5876
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
94
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
95 .. [1] Use gpg to import this key from the keyserver pgp.mit.edu
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
96 if you need to verify one of these releases. Use the gpg
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
97 pgp.mit.edu keyserver example replacing the key fingerprint
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
98 with the one starting A1E6.
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
99
7430
bd5bebb11695 add headers; make signature list multicolum
John Rouillard <rouilj@ieee.org>
parents: 7429
diff changeset
100 Importing the Public Key
bd5bebb11695 add headers; make signature list multicolum
John Rouillard <rouilj@ieee.org>
parents: 7429
diff changeset
101 ~~~~~~~~~~~~~~~~~~~~~~~~
bd5bebb11695 add headers; make signature list multicolum
John Rouillard <rouilj@ieee.org>
parents: 7429
diff changeset
102
bd5bebb11695 add headers; make signature list multicolum
John Rouillard <rouilj@ieee.org>
parents: 7429
diff changeset
103 This only has to be added to your keyring once. You can import a key
bd5bebb11695 add headers; make signature list multicolum
John Rouillard <rouilj@ieee.org>
parents: 7429
diff changeset
104 from pgp.mit.edu using::
7428
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
105
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
106 gpg --keyserver pgp.mit.edu --receive-keys 411E354B5D1AF26125D621221F2DD0CB756A76D8
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
107
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
108 where the fingerprint (without spaces) is used to identify which key
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
109 to receive. You can also extract and import the file
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
110 ``tools/roundup.public.pgp.key`` from the download source tarball
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
111 using::
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
112
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
113 tar -xzvf roundup-2.2.0.tar.gz -O \
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
114 roundup-2.2.0/tools/roundup.public.pgp.key > pub.key
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
115
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
116 gpg --import pub.key
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
117
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
118 Once you have loaded the public key, you need a detached signature for
7430
bd5bebb11695 add headers; make signature list multicolum
John Rouillard <rouilj@ieee.org>
parents: 7429
diff changeset
119 your release.
bd5bebb11695 add headers; make signature list multicolum
John Rouillard <rouilj@ieee.org>
parents: 7429
diff changeset
120
bd5bebb11695 add headers; make signature list multicolum
John Rouillard <rouilj@ieee.org>
parents: 7429
diff changeset
121
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
122 Download Detached Signature and Verify
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
123 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
7430
bd5bebb11695 add headers; make signature list multicolum
John Rouillard <rouilj@ieee.org>
parents: 7429
diff changeset
124
bd5bebb11695 add headers; make signature list multicolum
John Rouillard <rouilj@ieee.org>
parents: 7429
diff changeset
125 This needs to be done once for each release you wish to verify.
bd5bebb11695 add headers; make signature list multicolum
John Rouillard <rouilj@ieee.org>
parents: 7429
diff changeset
126
bd5bebb11695 add headers; make signature list multicolum
John Rouillard <rouilj@ieee.org>
parents: 7429
diff changeset
127 The Python Package Index (PyPI) used to support uploading gpg detached
7428
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
128 signatures. However that is no longer supported and downloading
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
129 existing signatures may not work in the future.
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
130
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
131 As a result, the signatures for all Roundup final releases starting
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
132 with 1.6.0 have been moved and are linked below:
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
133
7430
bd5bebb11695 add headers; make signature list multicolum
John Rouillard <rouilj@ieee.org>
parents: 7429
diff changeset
134 .. rst-class:: multicol
bd5bebb11695 add headers; make signature list multicolum
John Rouillard <rouilj@ieee.org>
parents: 7429
diff changeset
135
8077
4dfc07ee489a docs: add 2.4.0 gpg signature.
John Rouillard <rouilj@ieee.org>
parents: 8062
diff changeset
136 * `2.4.0 <../signatures/roundup-2.4.0.tar.gz.asc>`_
8013
301b0988a351 2.4.0b2 release updates
John Rouillard <rouilj@ieee.org>
parents: 8007
diff changeset
137 * `2.4.0b2 <../signatures/roundup-2.4.0b2.tar.gz.asc>`_
7530
ed2bc951277b Updates for 2.3.0 release.
John Rouillard <rouilj@ieee.org>
parents: 7443
diff changeset
138 * `2.3.0 <../signatures/roundup-2.3.0.tar.gz.asc>`_
7443
51fc06fabcee Changes for roundup release 2.3.0b2
John Rouillard <rouilj@ieee.org>
parents: 7433
diff changeset
139 * `2.3.0b2 <../signatures/roundup-2.3.0b2.tar.gz.asc>`_
7428
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
140 * `2.2.0 <../signatures/roundup-2.2.0.tar.gz.asc>`_
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
141 * `2.1.0 <../signatures/roundup-2.1.0.tar.gz.asc>`_
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
142 * `2.0.0 <../signatures/roundup-2.0.0.tar.gz.asc>`_
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
143 * `1.6.1 <../signatures/roundup-1.6.1.tar.gz.asc>`_
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
144 * `1.6.0 <../signatures/roundup-1.6.0.tar.gz.asc>`_
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
145
7430
bd5bebb11695 add headers; make signature list multicolum
John Rouillard <rouilj@ieee.org>
parents: 7429
diff changeset
146 To use the signature, download the correct versioned link and verify
bd5bebb11695 add headers; make signature list multicolum
John Rouillard <rouilj@ieee.org>
parents: 7429
diff changeset
147 it with (note 1.5.7 is a dummy version, use the correct version
bd5bebb11695 add headers; make signature list multicolum
John Rouillard <rouilj@ieee.org>
parents: 7429
diff changeset
148 number)::
7428
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
149
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
150 gpg --verify roundup-1.5.7.tar.gz.asc roundup-1.5.7.tar.gz
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
151
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
152 You should see::
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
153
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
154 gpg: Signature made Wed 13 Jul 2022 12:24:14 AM EDT
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
155 gpg: using RSA key 411E354B5D1AF26125D621221F2DD0CB756A76D8
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
156 gpg: Good signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>" [unknown]
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
157 gpg: WARNING: This key is not certified with a trusted signature!
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
158 gpg: There is no indication that the signature belongs to the owner.
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
159 Primary key fingerprint: 411E 354B 5D1A F261 25D6 2122 1F2D D0CB 756A 76D8
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
160
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
161 which verifies the tarball integrity. The WARNING is expected and the
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
162 date corresponds to the newest renewal of the Roundup key. As long as
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
163 you see the output starting with "Good signature from" followed by the
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
164 Key Info for your key, everything is OK.
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
165
7429
32bd5013bf32 Fix missed format changes.
John Rouillard <rouilj@ieee.org>
parents: 7428
diff changeset
166 If something is wrong you will see::
7428
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
167
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
168 gpg: Signature made Wed 13 Jul 2022 12:24:14 AM EDT
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
169 gpg: using RSA key 411E354B5D1AF26125D621221F2DD0CB756A76D8
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
170 gpg: BAD signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>"
186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
John Rouillard <rouilj@ieee.org>
parents: 7099
diff changeset
171
8062
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
172 **do not use** the tarball if the signature is BAD. Email the mailing
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
173 list: roundup-devel at lists.sourceforge.net if you have this happen
28aa76443f58 fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
John Rouillard <rouilj@ieee.org>
parents: 8013
diff changeset
174 to you.
Roundup Issue Tracker: http://roundup-tracker.org/