Skip to content

Commit 449309d

Browse files
Merge pull request #595 from ejarocki-cloudlinux/master
Add GPG section
2 parents a0bb289 + c5c43db commit 449309d

1 file changed

Lines changed: 92 additions & 1 deletion

File tree

  • docs/els-for-libraries/machine-readable-security-data

docs/els-for-libraries/machine-readable-security-data/README.md

Lines changed: 92 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
# Machine-Readable Security Data (SBOM, VEX)
1+
# Machine-Readable Security Data (SBOM, VEX, GPG)
22

33
TuxCare provides machine-readable security data for ELS for Libraries in the following formats:
44

@@ -36,3 +36,94 @@ Each entry links one CVE to one artifact version and carries a status:
3636
* **resolved** — the CVE has been patched through a TuxCare release.
3737

3838
The feed covers every supported base version, every released `-tuxcare.N` iteration, and transitive dependencies, so the entry count reflects all of these combinations rather than the number of unique CVEs. When checking coverage, filter to the artifact versions you actually use — usually the latest `-tuxcare.N` iteration of your chosen base version. Earlier iterations remain in the feed for historical completeness but aren't relevant once you've adopted a newer release.
39+
40+
## Package Signature Verification (GPG)
41+
42+
Every package TuxCare builds is signed with a detached OpenPGP signature so you can confirm, before installing or updating, that the artifact was produced by TuxCare and has not been altered in transit. The signature is published as a separate `.asc` file alongside the package and is created with TuxCare's signing key (SHA-256 detached signature).
43+
44+
A successful verification proves two things about the artifact:
45+
46+
* **Authenticity** — it was signed by TuxCare's private key.
47+
* **Integrity** — its bytes match exactly what was signed; no tampering or corruption occurred.
48+
49+
A failed verification is an **integrity violation**: the artifact must be treated as untrusted and not installed. Do not work around a failed check by re-downloading over an insecure channel or skipping verification — investigate the source instead.
50+
51+
<p style="font-size: 1.125rem; font-weight: 700; margin-top: 1.75rem; margin-bottom: 0.5rem;">Where signatures are published</p>
52+
53+
Signatures are published per ecosystem to a dedicated Nexus signatures repository, mirroring the path of the package they sign. For JavaScript libraries, signatures live in [els-js-signatures](https://nexus.repo.tuxcare.com/#browse/browse:els-js-signatures) and require the same TuxCare Nexus credentials as the package repositories.
54+
55+
For example, the signature for `@els-js/angular` version `1.8.3-tuxcare.8` is:
56+
57+
```text
58+
https://nexus.repo.tuxcare.com/repository/els-js-signatures/angular/1.8.3-tuxcare.8/angular-1.8.3-tuxcare.8.tgz.asc
59+
```
60+
61+
<p style="font-size: 1.125rem; font-weight: 700; margin-top: 1.75rem; margin-bottom: 0.5rem;">Obtain the TuxCare public key</p>
62+
63+
To verify a signature you first need TuxCare's public signing key. The key is provided through your TuxCare account; if you don't have it, request it from [sales@tuxcare.com](mailto:sales@tuxcare.com) or your TuxCare support contact.
64+
65+
Once you have the key file (for example, `tuxcare-els-public.asc`), import it into your keyring:
66+
67+
```text
68+
gpg --import tuxcare-els-public.asc
69+
```
70+
71+
Confirm it imported by listing the keys in your keyring:
72+
73+
```text
74+
gpg --list-keys
75+
```
76+
77+
:::tip
78+
Import the public key once. It can verify every TuxCare-signed package, so this step is not repeated for each artifact.
79+
:::
80+
81+
<p style="font-size: 1.125rem; font-weight: 700; margin-top: 1.75rem; margin-bottom: 0;">Verify a package</p>
82+
83+
<ELSSteps>
84+
85+
1. **Obtain the exact published tarball**
86+
87+
Verification works on the byte-for-byte artifact that was signed, so download the published `.tgz` rather than repacking it locally. With your TuxCare registry configured (see the [JavaScript libraries](/els-for-libraries/javascript-libraries/) setup), `npm pack` with a version spec downloads the registry tarball as-is:
88+
89+
```text
90+
npm pack @els-js/angular@1.8.3-tuxcare.8
91+
```
92+
93+
This writes `els-js-angular-1.8.3-tuxcare.8.tgz` to the current directory. The filename is normalized by npm, but the contents are identical to the published artifact.
94+
95+
2. **Download the matching signature**
96+
97+
Fetch the `.asc` file for the same version from the signatures repository, authenticating with the TuxCare registry token you received from [sales@tuxcare.com](mailto:sales@tuxcare.com) (the same token used in your `.npmrc`):
98+
99+
```text
100+
curl -H "Authorization: Basic ${TOKEN}" -fsSL \
101+
https://nexus.repo.tuxcare.com/repository/els-js-signatures/angular/1.8.3-tuxcare.8/angular-1.8.3-tuxcare.8.tgz.asc \
102+
-o angular-1.8.3-tuxcare.8.tgz.asc
103+
```
104+
105+
3. **Verify the signature against the tarball**
106+
107+
Pass the signature file first, then the tarball you downloaded:
108+
109+
```text
110+
gpg --verify angular-1.8.3-tuxcare.8.tgz.asc els-js-angular-1.8.3-tuxcare.8.tgz
111+
```
112+
113+
A valid signature produces output similar to:
114+
115+
```text
116+
gpg: Signature made Mon 12 May 2025 10:14:21 UTC
117+
gpg: using RSA key <TUXCARE_KEY_ID>
118+
gpg: Good signature from "TuxCare <...>" [unknown]
119+
```
120+
121+
The `Good signature` line, and a key ID that matches the TuxCare public key you imported, confirm the artifact is authentic and unmodified. (The `[unknown]` trust level only reflects that you have not personally signed TuxCare's key in your web of trust; it does not affect the validity of the signature.)
122+
123+
</ELSSteps>
124+
125+
If `gpg` reports `BAD signature`, or cannot find the matching public key, treat the artifact as an integrity violation: stop the installation and re-obtain the package and signature from TuxCare over a trusted channel.
126+
127+
:::tip
128+
Signatures for other ecosystems follow the same model. If you need the signature repository for a non-JavaScript ecosystem, or the TuxCare public key, contact [sales@tuxcare.com](mailto:sales@tuxcare.com).
129+
:::

0 commit comments

Comments
 (0)