René's URL Explorer Experiment


Title: Release signing keys may be poisoned · Issue #29531 · nodejs/node · GitHub

Open Graph Title: Release signing keys may be poisoned · Issue #29531 · nodejs/node

X Title: Release signing keys may be poisoned · Issue #29531 · nodejs/node

Description: 💡 Initially reported in this comment, but I felt it warranted an issue of its own given the age of the issue on which it is attached. This is not an issue with Node.js itself, but rather with the manner in which the release team's keys a...

Open Graph Description: 💡 Initially reported in this comment, but I felt it warranted an issue of its own given the age of the issue on which it is attached. This is not an issue with Node.js itself, but rather with the m...

X Description: 💡 Initially reported in this comment, but I felt it warranted an issue of its own given the age of the issue on which it is attached. This is not an issue with Node.js itself, but rather with the m...

Opengraph URL: https://github.com/nodejs/node/issues/29531

X: @github

direct link

Domain: github.com


Hey, it has json ld scripts:
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Release signing keys may be poisoned","articleBody":"\u003e :bulb: Initially reported in [this comment](https://github.com/nodejs/node/issues/709#issuecomment-530606948), but I felt it warranted an issue of its own given the age of the issue on which it is attached.\r\n\r\nThis is not an issue with Node.js itself, but rather with the manner in which the release team's keys are currently distributed.\r\n\r\n## Impact\r\n\r\nAutomated installations of Node.js binaries which depend upon the documented method of verifying release signatures are no longer functional. No suitable alternatives currently exist for obtaining public keys of the Node.js release team.\r\n\r\nAny tools which continue to rely on the SKS keyserver network may be rendered unusable by certificates poisoned via CVE-2019-13050.\r\n\r\n## Bottom Line\r\n\r\nThe SKS keyserver network is no longer a viable option for distributing release keys.\r\n\r\n## Details\r\n\r\nWith the recent and unmitigated [death](https://code.firstlook.media/the-death-of-sks-pgp-keyservers-and-how-first-look-media-is-handling-it) of the [SKS keyserver network](https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#the-consequences) (in [CVE-2019-13050](https://nvd.nist.gov/vuln/detail/CVE-2019-13050)), the [documented method](https://github.com/nodejs/node#release-keys) of obtaining the PGP public keys of the release team is no longer viable, and in fact may have [dire consequences to an OpenPGP installation](https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#mitigations). A different method of [distributing release keys](https://keys.openpgp.org/), or even of [signing and verifying](https://jedisct1.github.io/minisign/) the release package itself, is necessary.\r\n\r\n## Proposed Solution\r\n\r\nFor minimal impact, my recommendation would be to place the public keys or authorized releasers within this repo, under a **/keys** directory, in a manner similar to that of [signed RubyGems](https://guides.rubygems.org/security/#building-gems) (except instead of X.509 certificates in a *certs/* directory, we'd be talking about ASCII-armored PGP certificates in a *keys/* directory), and update the README with instructions on how to import those keys into the OpenGPG keychain from the repo instead of from the SKS keyserver network.\r\n\r\nAlternatively, or in addition to the above, publishing these keys to nodejs.org may also provide a second factor to build assurance of the keys' integrity.\r\n\r\n\u003e :bulb: Especially paranoid users may want to seek additional verification from unaffiliated yet equally trusted soruces by fetching and comparing keys from those sources as well.\r\n","author":{"url":"https://github.com/canterberry","@type":"Person","name":"canterberry"},"datePublished":"2019-09-12T00:09:24.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":5},"url":"https://github.com/29531/node/issues/29531"}

route-pattern/_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format)
route-controllervoltron_issues_fragments
route-actionissue_layout
fetch-noncev2:3b05fd45-cafb-f7ba-80eb-0430e493e3fd
current-catalog-service-hash81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114
request-id8B58:2DB422:EE465C:1474D25:6A4DD871
html-safe-nonce5a1cc41dfaa9eaf369b630cf5b19f6c19f8623568396679d60ad9026bad4c04c
visitor-payloadeyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI4QjU4OjJEQjQyMjpFRTQ2NUM6MTQ3NEQyNTo2QTRERDg3MSIsInZpc2l0b3JfaWQiOiIyOTQyNzI2MTUyMzY2MjI0NDkiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ==
visitor-hmac6504099b3fa4ae1b5801e4946b91074a5ad1d426323c6a2abee98ae6cbb7aeaf
hovercard-subject-tagissue:492522511
github-keyboard-shortcutsrepository,issues,copilot
google-site-verificationApib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
octolytics-urlhttps://collector.github.com/github/collect
analytics-location///voltron/issues_fragments/issue_layout
fb:app_id1401488693436528
apple-itunes-appapp-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/nodejs/node/29531/issue_layout
twitter:imagehttps://opengraph.githubassets.com/7b08a786125753f6119a827e42792fa4af632f25f8199e0cca5e2a79f739ee8f/nodejs/node/issues/29531
twitter:cardsummary_large_image
og:imagehttps://opengraph.githubassets.com/7b08a786125753f6119a827e42792fa4af632f25f8199e0cca5e2a79f739ee8f/nodejs/node/issues/29531
og:image:alt💡 Initially reported in this comment, but I felt it warranted an issue of its own given the age of the issue on which it is attached. This is not an issue with Node.js itself, but rather with the m...
og:image:width1200
og:image:height600
og:site_nameGitHub
og:typeobject
og:author:usernamecanterberry
hostnamegithub.com
expected-hostnamegithub.com
None06b8a6144231bf3a234f1c2e9993861e07ce98a905912b114aa386c2d7e84b33
turbo-cache-controlno-preview
go-importgithub.com/nodejs/node git https://github.com/nodejs/node.git
octolytics-dimension-user_id9950313
octolytics-dimension-user_loginnodejs
octolytics-dimension-repository_id27193779
octolytics-dimension-repository_nwonodejs/node
octolytics-dimension-repository_publictrue
octolytics-dimension-repository_is_forkfalse
octolytics-dimension-repository_network_root_id27193779
octolytics-dimension-repository_network_root_nwonodejs/node
turbo-body-classeslogged-out env-production page-responsive
disable-turbofalse
browser-stats-urlhttps://api.github.com/_private/browser/stats
browser-errors-urlhttps://api.github.com/_private/browser/errors
release1d344bdb7547fe6bca17a59bb2b8aac3dc9532a0
ui-targetcanary-2
theme-color#1e2327
color-schemelight dark

Links:

Skip to contenthttps://github.com/nodejs/node/issues/29531#start-of-content
https://github.com/
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fnodejs%2Fnode%2Fissues%2F29531
GitHub CopilotWrite better code with AIhttps://github.com/features/copilot
GitHub Copilot appDirect agents from issue to mergehttps://github.com/features/ai/github-app
MCP RegistryNewIntegrate external toolshttps://github.com/mcp
ActionsAutomate any workflowhttps://github.com/features/actions
CodespacesInstant dev environmentshttps://github.com/features/codespaces
IssuesPlan and track workhttps://github.com/features/issues
Code ReviewManage code changeshttps://github.com/features/code-review
GitHub Advanced SecurityFind and fix vulnerabilitieshttps://github.com/security/advanced-security
Code securitySecure your code as you buildhttps://github.com/security/advanced-security/code-security
Secret protectionStop leaks before they starthttps://github.com/security/advanced-security/secret-protection
Why GitHubhttps://github.com/why-github
Documentationhttps://docs.github.com
Bloghttps://github.blog
Changeloghttps://github.blog/changelog
Marketplacehttps://github.com/marketplace
View all featureshttps://github.com/features
Enterpriseshttps://github.com/enterprise
Small and medium teamshttps://github.com/team
Startupshttps://github.com/enterprise/startups
Nonprofitshttps://github.com/solutions/industry/nonprofits
App Modernizationhttps://github.com/solutions/use-case/app-modernization
DevSecOpshttps://github.com/solutions/use-case/devsecops
DevOpshttps://github.com/solutions/use-case/devops
CI/CDhttps://github.com/solutions/use-case/ci-cd
View all use caseshttps://github.com/solutions/use-case
Healthcarehttps://github.com/solutions/industry/healthcare
Financial serviceshttps://github.com/solutions/industry/financial-services
Manufacturinghttps://github.com/solutions/industry/manufacturing
Governmenthttps://github.com/solutions/industry/government
View all industrieshttps://github.com/solutions/industry
View all solutionshttps://github.com/solutions
AIhttps://github.com/resources/articles?topic=ai
Software Developmenthttps://github.com/resources/articles?topic=software-development
DevOpshttps://github.com/resources/articles?topic=devops
Securityhttps://github.com/resources/articles?topic=security
View all topicshttps://github.com/resources/articles
Customer storieshttps://github.com/customer-stories
Events & webinarshttps://github.com/resources/events
Ebooks & reportshttps://github.com/resources/whitepapers
Business insightshttps://github.com/solutions/executive-insights
GitHub Skillshttps://skills.github.com
Documentationhttps://docs.github.com
Customer supporthttps://support.github.com
Community forumhttps://github.com/orgs/community/discussions
Trust centerhttps://github.com/trust-center
Partnershttps://github.com/partners
View all resourceshttps://github.com/resources
GitHub SponsorsFund open source developershttps://github.com/sponsors
Security Labhttps://securitylab.github.com
Maintainer Communityhttps://maintainers.github.com
Acceleratorhttps://github.com/accelerator
GitHub Starshttps://stars.github.com
Archive Programhttps://archiveprogram.github.com
Topicshttps://github.com/topics
Trendinghttps://github.com/trending
Collectionshttps://github.com/collections
Enterprise platformAI-powered developer platformhttps://github.com/enterprise
GitHub Advanced SecurityEnterprise-grade security featureshttps://github.com/security/advanced-security
Copilot for BusinessEnterprise-grade AI featureshttps://github.com/features/copilot/copilot-business
Premium SupportEnterprise-grade 24/7 supporthttps://github.com/premium-support
Pricinghttps://github.com/pricing
Search syntax tipshttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
documentationhttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fnodejs%2Fnode%2Fissues%2F29531
Sign up https://github.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fvoltron%2Fissues_fragments%2Fissue_layout&source=header-repo&source_repo=nodejs%2Fnode
Reloadhttps://github.com/nodejs/node/issues/29531
Reloadhttps://github.com/nodejs/node/issues/29531
Reloadhttps://github.com/nodejs/node/issues/29531
Please reload this pagehttps://github.com/nodejs/node/issues/29531
nodejs https://github.com/nodejs
nodehttps://github.com/nodejs/node
Please reload this pagehttps://github.com/nodejs/node/issues/29531
Notifications https://github.com/login?return_to=%2Fnodejs%2Fnode
Fork 36k https://github.com/login?return_to=%2Fnodejs%2Fnode
Star 118k https://github.com/login?return_to=%2Fnodejs%2Fnode
Code https://github.com/nodejs/node
Issues 1.3k https://github.com/nodejs/node/issues
Pull requests 963 https://github.com/nodejs/node/pulls
Actions https://github.com/nodejs/node/actions
Projects https://github.com/nodejs/node/projects
Security and quality 0 https://github.com/nodejs/node/security
Insights https://github.com/nodejs/node/pulse
Code https://github.com/nodejs/node
Issues https://github.com/nodejs/node/issues
Pull requests https://github.com/nodejs/node/pulls
Actions https://github.com/nodejs/node/actions
Projects https://github.com/nodejs/node/projects
Security and quality https://github.com/nodejs/node/security
Insights https://github.com/nodejs/node/pulse
Release signing keys may be poisonedhttps://github.com/nodejs/node/issues/29531#top
releaseIssues and PRs related to Node.js releases.https://github.com/nodejs/node/issues?q=state%3Aopen%20label%3A%22release%22
https://github.com/canterberry
canterberryhttps://github.com/canterberry
on Sep 12, 2019https://github.com/nodejs/node/issues/29531#issue-492522511
this commenthttps://github.com/nodejs/node/issues/709#issuecomment-530606948
CVE-2019-13050https://github.com/advisories/GHSA-ch5h-mpfr-fhxh
deathhttps://code.firstlook.media/the-death-of-sks-pgp-keyservers-and-how-first-look-media-is-handling-it
SKS keyserver networkhttps://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#the-consequences
CVE-2019-13050https://nvd.nist.gov/vuln/detail/CVE-2019-13050
documented methodhttps://github.com/nodejs/node#release-keys
dire consequences to an OpenPGP installationhttps://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#mitigations
distributing release keyshttps://keys.openpgp.org/
signing and verifyinghttps://jedisct1.github.io/minisign/
signed RubyGemshttps://guides.rubygems.org/security/#building-gems
releaseIssues and PRs related to Node.js releases.https://github.com/nodejs/node/issues?q=state%3Aopen%20label%3A%22release%22
https://github.com
Termshttps://docs.github.com/site-policy/github-terms/github-terms-of-service
Privacyhttps://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Securityhttps://github.com/security
Statushttps://www.githubstatus.com/
Communityhttps://github.community/
Docshttps://docs.github.com/
Contacthttps://support.github.com?tags=dotcom-footer

Viewport: width=device-width


URLs of crawlers that visited me.