
Added security.txt pubkey, signed security.txt #794


Open
wants to merge 1 commit into base: master

Conversation

codyro
Member

@codyro codyro commented Apr 4, 2025

I have not uploaded the key to public servers until in prod.

To test:

  1. Import AlmaLinux Security Contact key

[root@e05537cb8628 ~]# curl -s https://raw.githubusercontent.com/codyro/almalinux.org/797dd431762499e21bbafc97284e2b557fe044c9/static/files/security-pgp-key.txt | gpg --import
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key FD9921C3D899AD09: public key "AlmaLinux Security Team <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

  1a. Optionally trust the PGP key so it doesn't spit out warnings

  2. Download security.txt, verify signature

[root@e05537cb8628 ~]# wget https://raw.githubusercontent.com/AlmaLinux/almalinux.org/797dd431762499e21bbafc97284e2b557fe044c9/static/.well-known/security.txt
<snip>
security.txt            100%[============================>]   1.95K  --.-KB/s    in 0s

2025-04-04 19:51:01 (48.3 MB/s) - ‘security.txt’ saved [1992/1992]

[root@e05537cb8628 ~]# gpg --verify security.txt
gpg: Signature made Fri Apr  4 19:25:50 2025 UTC
gpg:                using RSA key 33379348174F944E37EAECA011AB711FA9B46612
gpg:                issuer "[email protected]"
gpg: Good signature from "AlmaLinux Security Team <[email protected]>" [unknown]
gpg: WARNING: The key's User ID is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A286 E019 4EA3 8120 662B  B868 FD99 21C3 D899 AD09
     Subkey fingerprint: 3337 9348 174F 944E 37EA  ECA0 11AB 711F A9B4 6612

@codyro codyro added bug Something isn't working documentation Improvements or additions to documentation labels Apr 4, 2025
@codyro codyro requested a review from jonathanspw April 4, 2025 19:53
@codyro codyro self-assigned this Apr 4, 2025
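The test procedure above checks the PGP signature with `gpg --verify`, which says nothing about whether the signed text is itself a well-formed security.txt. The following is an added example (not code from the almalinux.org repository or this pull request) that performs the structural checks RFC 9116 asks for: the file is a PGP clearsigned message, the mandatory Contact and Expires fields are present, Expires is a valid RFC 3339 timestamp that has not passed and is less than a year away, and key/canonical/policy links use https. The embedded security.txt is a constructed sample with placeholder contact, URLs and signature block; the real file's contents are not shown on this page. It does not replace `gpg --verify`, which remains the only check of the signature itself.

```python
"""Structural checks for an RFC 9116 security.txt (added example, not project code).

Covers what `gpg --verify` does not: that the file is PGP clearsigned, that the
mandatory Contact and Expires fields exist, and that Expires is a valid RFC 3339
timestamp that is in the future and less than a year away. The signature itself
still has to be verified with gpg.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: placeholder contact, URLs and signature, not the real file.
SAMPLE_SECURITY_TXT = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: mailto:security@example.invalid
Expires: 2026-01-01T00:00:00Z
Encryption: https://example.invalid/files/security-pgp-key.txt
Canonical: https://example.invalid/.well-known/security.txt
Preferred-Languages: en
-----BEGIN PGP SIGNATURE-----

UExBQ0VIT0xERVIgLSBub3QgYSByZWFsIHNpZ25hdHVyZQ==
=0000
-----END PGP SIGNATURE-----
"""

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z-]*):\s*(\S.*?)\s*$")
URI_RE = re.compile(r"^[a-z][a-z0-9+.-]*:")


def parse_time(value):
    """Parse an RFC 3339 timestamp into an aware datetime (raises ValueError)."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("timestamp has no timezone offset")
    return dt


def strip_clearsign(text):
    """Return (is_clearsigned, body): the signed text with the PGP armor removed."""
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN_SIGNED or BEGIN_SIG not in lines or END_SIG not in lines:
        return False, text
    i = 1
    while i < len(lines) and lines[i].strip():  # skip armor headers such as "Hash: SHA256"
        i += 1
    body = lines[i + 1 : lines.index(BEGIN_SIG)]
    # Clearsigned text dash-escapes lines that begin with "-" (RFC 4880 section 7.1).
    body = [ln[2:] if ln.startswith("- ") else ln for ln in body]
    return True, "\n".join(body)


def parse_fields(body):
    """Map lower-cased field names to the list of their values; skip comments and blanks."""
    fields = {}
    for ln in body.splitlines():
        if not ln.strip() or ln.startswith("#"):
            continue
        m = FIELD_RE.match(ln)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields


def validate_security_txt(text, now=None):
    """Return the list of problems found; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    signed, body = strip_clearsign(text)
    if not signed:
        problems.append("not a PGP clearsigned message")
    fields = parse_fields(body)

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing mandatory Contact field")
    for c in contacts:
        if not URI_RE.match(c) or c.startswith("http:"):
            problems.append(f"Contact must be a URI (mailto:, tel: or https:): {c}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = parse_time(expires[0])
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
        else:
            if exp <= now:
                problems.append(f"security.txt expired on {expires[0]}")
            elif exp > now + timedelta(days=365):
                problems.append("Expires is more than a year away (RFC 9116 advises less)")

    # Links to keys, canonical location and policy must not be served over plain HTTP.
    for name in ("encryption", "canonical", "policy"):
        for v in fields.get(name, []):
            if not v.startswith("https://"):
                problems.append(f"{name.title()} must be an https URL: {v}")
    return problems


if __name__ == "__main__":
    for p in validate_security_txt(SAMPLE_SECURITY_TXT) or ["OK"]:
        print(p)
```

Run it against a downloaded file with `validate_security_txt(open("security.txt").read())` after `gpg --verify` has succeeded; the two checks are complementary, since a good signature over a file whose Expires date has lapsed is still a file that clients are told to disregard.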

trag-bot bot commented Apr 4, 2025

Pull request summary

  • Added a PGP signed message to the security.txt file to enhance the security reporting process for the AlmaLinux OS project.
  • Included a PGP signature block in the security.txt file to verify the authenticity of the security reporting information.
  • Introduced a new file security-pgp-key.txt containing the PGP public key for users to encrypt their vulnerability reports securely.
  • Ensured that the new files comply with the standard format for security vulnerability reporting, facilitating better communication with the security team.
