|
1 | | -# Machine-Readable Security Data (SBOM, VEX) |
| 1 | +# Machine-Readable Security Data (SBOM, VEX, GPG) |
2 | 2 |
|
3 | 3 | TuxCare provides machine-readable security data for ELS for Libraries in the following formats: |
4 | 4 |
|
@@ -36,3 +36,94 @@ Each entry links one CVE to one artifact version and carries a status: |
36 | 36 | * **resolved** — the CVE has been patched through a TuxCare release. |
37 | 37 |
|
38 | 38 | The feed covers every supported base version, every released `-tuxcare.N` iteration, and transitive dependencies, so the entry count reflects all of these combinations rather than the number of unique CVEs. When checking coverage, filter to the artifact versions you actually use — usually the latest `-tuxcare.N` iteration of your chosen base version. Earlier iterations remain in the feed for historical completeness but aren't relevant once you've adopted a newer release. |
| 39 | + |
| 40 | +## Package Signature Verification (GPG) |
| 41 | + |
| 42 | +Every package TuxCare builds is signed with a detached OpenPGP signature so you can confirm, before installing or updating, that the artifact was produced by TuxCare and has not been altered in transit. The signature is published as a separate `.asc` file alongside the package and is created with TuxCare's signing key (SHA-256 detached signature). |
| 43 | + |
| 44 | +A successful verification proves two things about the artifact: |
| 45 | + |
| 46 | +* **Authenticity** — it was signed by TuxCare's private key. |
| 47 | +* **Integrity** — its bytes match exactly what was signed; no tampering or corruption occurred. |
| 48 | + |
| 49 | +A failed verification is an **integrity violation**: the artifact must be treated as untrusted and not installed. Do not work around a failed check by re-downloading over an insecure channel or skipping verification — investigate the source instead. |
| 50 | + |
| 51 | +<p style="font-size: 1.125rem; font-weight: 700; margin-top: 1.75rem; margin-bottom: 0.5rem;">Where signatures are published</p> |
| 52 | + |
| 53 | +Signatures are published per ecosystem to a dedicated Nexus signatures repository, mirroring the path of the package they sign. For JavaScript libraries, signatures live in [els-js-signatures](https://nexus.repo.tuxcare.com/#browse/browse:els-js-signatures) and require the same TuxCare Nexus credentials as the package repositories. |
| 54 | + |
| 55 | +For example, the signature for `@els-js/angular` version `1.8.3-tuxcare.8` is: |
| 56 | + |
| 57 | +```text |
| 58 | +https://nexus.repo.tuxcare.com/repository/els-js-signatures/angular/1.8.3-tuxcare.8/angular-1.8.3-tuxcare.8.tgz.asc |
| 59 | +``` |
| 60 | + |
| 61 | +<p style="font-size: 1.125rem; font-weight: 700; margin-top: 1.75rem; margin-bottom: 0.5rem;">Obtain the TuxCare public key</p> |
| 62 | + |
| 63 | +To verify a signature you first need TuxCare's public signing key. The key is provided through your TuxCare account; if you don't have it, request it from [sales@tuxcare.com](mailto:sales@tuxcare.com) or your TuxCare support contact. |
| 64 | + |
| 65 | +Once you have the key file (for example, `tuxcare-els-public.asc`), import it into your keyring: |
| 66 | + |
| 67 | +```text |
| 68 | +gpg --import tuxcare-els-public.asc |
| 69 | +``` |
| 70 | + |
| 71 | +Confirm it imported by listing the keys in your keyring: |
| 72 | + |
| 73 | +```text |
| 74 | +gpg --list-keys |
| 75 | +``` |
| 76 | + |
| 77 | +:::tip |
| 78 | +Import the public key once. It can verify every TuxCare-signed package, so this step is not repeated for each artifact. |
| 79 | +::: |
| 80 | + |
| 81 | +<p style="font-size: 1.125rem; font-weight: 700; margin-top: 1.75rem; margin-bottom: 0;">Verify a package</p> |
| 82 | + |
| 83 | +<ELSSteps> |
| 84 | + |
| 85 | +1. **Obtain the exact published tarball** |
| 86 | + |
| 87 | + Verification works on the byte-for-byte artifact that was signed, so download the published `.tgz` rather than repacking it locally. With your TuxCare registry configured (see the [JavaScript libraries](/els-for-libraries/javascript-libraries/) setup), `npm pack` with a version spec downloads the registry tarball as-is: |
| 88 | + |
| 89 | + ```text |
| 90 | + npm pack @els-js/angular@1.8.3-tuxcare.8 |
| 91 | + ``` |
| 92 | + |
| 93 | + This writes `els-js-angular-1.8.3-tuxcare.8.tgz` to the current directory. The filename is normalized by npm, but the contents are identical to the published artifact. |
| 94 | + |
| 95 | +2. **Download the matching signature** |
| 96 | + |
| 97 | + Fetch the `.asc` file for the same version from the signatures repository, authenticating with the TuxCare registry token you received from [sales@tuxcare.com](mailto:sales@tuxcare.com) (the same token used in your `.npmrc`): |
| 98 | + |
| 99 | + ```text |
| 100 | + curl -H "Authorization: Basic ${TOKEN}" -fsSL \ |
| 101 | + https://nexus.repo.tuxcare.com/repository/els-js-signatures/angular/1.8.3-tuxcare.8/angular-1.8.3-tuxcare.8.tgz.asc \ |
| 102 | + -o angular-1.8.3-tuxcare.8.tgz.asc |
| 103 | + ``` |
| 104 | + |
| 105 | +3. **Verify the signature against the tarball** |
| 106 | + |
| 107 | + Pass the signature file first, then the tarball you downloaded: |
| 108 | + |
| 109 | + ```text |
| 110 | + gpg --verify angular-1.8.3-tuxcare.8.tgz.asc els-js-angular-1.8.3-tuxcare.8.tgz |
| 111 | + ``` |
| 112 | + |
| 113 | + A valid signature produces output similar to: |
| 114 | + |
| 115 | + ```text |
| 116 | + gpg: Signature made Mon 12 May 2025 10:14:21 UTC |
| 117 | + gpg: using RSA key <TUXCARE_KEY_ID> |
| 118 | + gpg: Good signature from "TuxCare <...>" [unknown] |
| 119 | + ``` |
| 120 | + |
| 121 | + The `Good signature` line, and a key ID that matches the TuxCare public key you imported, confirm the artifact is authentic and unmodified. (The `[unknown]` trust level only reflects that you have not personally signed TuxCare's key in your web of trust; it does not affect the validity of the signature.) |
| 122 | + |
| 123 | +</ELSSteps> |
| 124 | + |
| 125 | +If `gpg` reports `BAD signature`, or cannot find the matching public key, treat the artifact as an integrity violation: stop the installation and re-obtain the package and signature from TuxCare over a trusted channel. |
| 126 | + |
| 127 | +:::tip |
| 128 | +Signatures for other ecosystems follow the same model. If you need the signature repository for a non-JavaScript ecosystem, or the TuxCare public key, contact [sales@tuxcare.com](mailto:sales@tuxcare.com). |
| 129 | +::: |
0 commit comments