Well, no, gpg signing cannot be done for rustup 1.0. It is literally impossible since 1.0 is released.
The reason I don't consider signing a blocker for rustup 1.0 is because the current installers today are not properly verified either, so it is not a degradation in service (although rustup.sh will do verification, it does not guarantee it). For those who were manually verifying the signatures of the old installers, that option remains available.
I do believe that having proper end to end signing of all Rust artifacts is important, and I wish it was done by now, but it is not simply a matter of applying gpg to the problem. There are some details about the plan in this thread.
Edit: from re-reading your message @Manish I gather that you would like me to just retroactively publish sigs for these specific files, not generally solve signing for Rust installation. That's technically possible, but I don't think it achieves much security-wise. Since rustup itself downloads and installs executables, without verifying those signatures there's still a bunch of unverified code running on your system. I'm not inclined to make such changes to the release process on the spot.
I gather that you would like me to just retroactively publish sigs for these specific files,
yeah, that was the case. I do want a long term solution but I am not fond of a non-beta project that uses curl | sh to not have additional crypto (other than https) backing it.