[Security] Consider adding some information about checking Symfony signatures

[javiereguiluz]

Fabien published today a very interesting article: Signing Project Releases. Is this something that we should mention in the official Symfony documentation?

If you agree, here it is my initial proposal:

• Add a very short note on the installation chapter about the possibility of checking Symfony signatures (this note is just a link to the content described bellow).
• Add a new cookbook under the Security section about checking the Symfony signature. This would be a very short version of the original Fabien's article. We won't explain anything in detail. We would just explain how to securely check the signature of Symfony releases whether you use the raw source code from GitHub or the Composer version.

[stof]

I don't think the cookbook should be in the Security section. The security section is a section about the security component. checking release checksums is totally unrelated. workflow may be a better place

[javiereguiluz]

I agree with you about putting this cookbook in the Workflow section. Thanks for your suggestion @stof.

However, I don't think that we should restrict the Security section of the Cookbook to information about the Security component (by the way, we already have a page for that: symfony.com → components → security).

If we write some day an article about Symfony security checklist or How to properly configure Symfony from a security point of view or something like that, we could add it the Security section of the cookbook.

[stof]

@javiereguiluz the distinction between the cookbook and the component section here is that the component section describes the usage of the standalone component. The cookbook describes how to do things with the Security component and SecurityBundle in the context of the fullstack framework (for stuff whcih don't fit in the book itself).

[weaverryan]

I'd really like to make it as easy as possible to do this. So either:

A) Telling them to clone the https://github.com/sensiolabs/checksums repository and then run the check-vendors.sh file

OR

B) Adding a console command (something like the proposed security:check) that downloads that library and runs that file for them.

It's gotta be easy to do - checking signatures is confusing stuff :).

This also will have limited use unless we can allow third-party libraries to sign their releases (they can sign their tags, but they can't do the archive-signing that @fabpot is doing). I just ran this on one of my projects, and 75% of the libraries came back as "unknown package".

[stof]

We should also have a way to make the verification work for Windows users. The checksums repo currently uses a bash script for the task, which does not play well cross-OS.

[fabpot]

The script provided is just a POC. We could rewrite it in a better way to make it compatible with Windows.

[wouterj]

@stof the cookbook doesn't group by component, but by topic. "Security" can contain any article that belongs to the Security topic. Most of them would be about the Security component, but it should not be limited to component stuff only imo.

[javiereguiluz]

I've added a note about digital signatures in the new installation chapter. I think this is enough for now, because duplicating the original Fabien's article into the cookbook doesn't make sense to me. In addition, there are some issues in the Symfony Installer to add digital signature verification in the future.

That's why I'm closing this issue because it's already fixed with all the things mentioned above.

[wouterj]

While I like your work regarding the 500 - 100 challenge and your push to close as much issues as possible, I don't agree with changing our closing policy during this period.

Normally, we close issues once their related PR is merged, not when the PR is created. You should add this issue to the Fixed tickets list of your installing PR and it'll be closed automatically when it's time.

[javiereguiluz]

@wouterj sorry for that (and apologies to @xabbuh and @weaverryan too). You are right that I'm too anxious about closing issues and merging PR faster.

[wouterj]

Btw, do you know the docs are almost there already? :) https://twitter.com/wouterjnl/status/544641258334199808

[javiereguiluz]

@wouterj I beg to differ with your optimism. In my opinion, most of "easy picks" aren't easy at all and they won't be fixed anytime soon (some of them, never).