diff --git a/Documentation/Installation/ReleaseIntegrity.rst b/Documentation/Installation/ReleaseIntegrity.rst index 638c298c..b5cb89b6 100644 --- a/Documentation/Installation/ReleaseIntegrity.rst +++ b/Documentation/Installation/ReleaseIntegrity.rst @@ -1,31 +1,33 @@ -.. include:: /Includes.rst.txt +.. include:: /Includes.rst.txt -.. _release_integrity: +.. _release_integrity: ======================= -TYPO3 Release Integrity +TYPO3 release integrity ======================= -TYPO3 Release Packages (the downloadable tarballs and zip files) as well as -Git tags are signed using PGP signatures during the automated release process. -SHA2-256, SHA1 and MD5 hashes are also generated for these files. +TYPO3 release packages (the downloadable tarballs and zip files) as well as +Git tags are signed using :abbr:`PGP (Pretty Good Privacy)` signatures during +the automated release process. SHA2-256, SHA1 and MD5 hashes are also generated +for these files. Release contents ---------------- Every release of TYPO3 is made available with the following files: -.. code-block:: bash - :caption: `TYPO3 CMS 11.5.1 `_ release as an example +.. code-block:: bash + :caption: `TYPO3 CMS 12.4.11 `_ release as an example - typo3_src-11.5.1.tar.gz - typo3_src-11.5.1.tar.gz.sig - typo3_src-11.5.1.zip - typo3_src-11.5.1.zip.sig + typo3_src-12.4.11.tar.gz + typo3_src-12.4.11.tar.gz.sig + typo3_src-12.4.11.zip + typo3_src-12.4.11.zip.sig -* ``*.tar.gz`` and ``*.zip`` files are the actual release packages, containing - the source code of TYPO3 CMS -* ``*.sig`` files contain the corresponding signatures for each release package file +* :file:`*.tar.gz` and :file:`*.zip` files are the actual release packages, + containing the source code of TYPO3 +* :file:`*.sig` files contain the corresponding signatures for each release + package file Checking file hashes -------------------- 
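Review bot: the reworded intro still lists "SHA2-256, SHA1 and MD5 hashes" as peers with no caveat, and the rest of the page then treats a matching MD5 or SHA1 as proof of integrity. Both MD5 and SHA-1 have practical collision attacks, so while this hunk is touching the sentence it should say that the PGP signature is the authoritative check and that, of the hashes, only SHA2-256 should be relied on (the MD5 and SHA1 values are published for legacy tooling). Separately, the new caption line reads `` `TYPO3 CMS 12.4.11 `_ `` with no visible `<url>` target after the title; if that is not just lost in the paste, Sphinx will report an unknown target and the caption will not link, so either embed the release-notes URL inside the backticks or add a matching `.. _TYPO3 CMS 12.4.11:` definition.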
@@ -35,56 +37,58 @@ correctly on the local system. TYPO3 uses cryptographic hash methods including ` and `SHA2-256`_. The file hashes for each version are published on get.typo3.org and can be found -on the corresponding release page, for example https://get.typo3.org/version/11#package-checksums contains: +on the corresponding release page, for example https://get.typo3.org/version/12#package-checksums contains: -.. code-block:: bash - :caption: TYPO3 v11.5.1 Checksums - :name: Checksums +.. code-block:: text + :caption: TYPO3 v12.4.11 checksums + :name: Checksums - SHA256: - 205d1879e05c75093a2c427f7f7cacb297ca841e491450b3577987e259ff6c5b typo3_src-11.5.1.tar.gz - e07b303405d182f4450fda4a7a7acdbe5080c22123d52f74ef5f2fbf78233a49 typo3_src-11.5.1.zip + SHA256: + a93bb3e8ceae5f00c77f985438dd948d2a33426ccfd7c2e0e5706325c43533a3 typo3_src-12.4.11.tar.gz + 8e0a8eaeed082e273289f3e17318817418c38c295833a12e7f94abb2845830ee typo3_src-12.4.11.zip - SHA1: - aa88171cfb5aa9935b2a989f51e68b6d8eb6e5f0 typo3_src-11.5.1.tar.gz - 3dbe9322015e1d5266d78c6c3ff40846f8a6492f typo3_src-11.5.1.zip + SHA1: + 9fcecf7b0e72074b060516c22115d57dd29fd5b0 typo3_src-12.4.11.tar.gz + 3606bcc9331f2875812ddafd89ccc2ddf8922b63 typo3_src-12.4.11.zip - MD5: - cda2a4494f6673e9251c265c9ef1c345 typo3_src-11.5.1.tar.gz - 252583501d30bb5679305b58ed6e6f94 typo3_src-11.5.1.zip + MD5: + a4fbb1da81411f350081872fe2ff2dac typo3_src-12.4.11.tar.gz + c514ef9b7aad7c476fa4f36703e686fb typo3_src-12.4.11.zip To verify file hashes, the hashes need to be generated locally for the packages downloaded and then compared to the published hashes on get.typo3.org. -To generate the hashes locally, one of the following command-line tools ``md5sum``, ``sha1sum`` or ``shasum`` needs to be used. +To generate the hashes locally, one of the following command line tools +:bash:`md5sum`, :bash:`sha1sum` or :bash:`shasum` needs to be used. 
-The following commands generate hashes for the `.tar.gz` and `.zip` packages: +The following commands generate hashes for the :file:`.tar.gz` and :file:`.zip` +packages: -.. code-block:: bash - :caption: ~$ +.. code-block:: bash + :caption: ~$ - shasum -a 256 typo3_src-*.tar.gz typo3_src-*.zip - 205d1879e05c75093a2c427f7f7cacb297ca841e491450b3577987e259ff6c5b typo3_src-11.5.1.tar.gz - e07b303405d182f4450fda4a7a7acdbe5080c22123d52f74ef5f2fbf78233a49 typo3_src-11.5.1.zip + shasum -a 256 typo3_src-*.tar.gz typo3_src-*.zip + a93bb3e8ceae5f00c77f985438dd948d2a33426ccfd7c2e0e5706325c43533a3 typo3_src-12.4.11.tar.gz + 8e0a8eaeed082e273289f3e17318817418c38c295833a12e7f94abb2845830ee typo3_src-12.4.11.zip -.. code-block:: bash - :caption: ~$ +.. code-block:: bash + :caption: ~$ - sha1sum -c typo3_src-*.tar.gz typo3_src-*.zip - aa88171cfb5aa9935b2a989f51e68b6d8eb6e5f0 typo3_src-11.5.1.tar.gz - 3dbe9322015e1d5266d78c6c3ff40846f8a6492f typo3_src-11.5.1.zip + sha1sum -c typo3_src-*.tar.gz typo3_src-*.zip + 9fcecf7b0e72074b060516c22115d57dd29fd5b0 typo3_src-12.4.11.tar.gz + 3606bcc9331f2875812ddafd89ccc2ddf8922b63 typo3_src-12.4.11.zip -.. code-block:: bash - :caption: ~$ +.. code-block:: bash + :caption: ~$ - md5sum typo3_src-*.tar.gz typo3_src-*.zip - cda2a4494f6673e9251c265c9ef1c345 typo3_src-11.5.1.tar.gz - 252583501d30bb5679305b58ed6e6f94 typo3_src-11.5.1.zip + md5sum typo3_src-*.tar.gz typo3_src-*.zip + a4fbb1da81411f350081872fe2ff2dac typo3_src-12.4.11.tar.gz + c514ef9b7aad7c476fa4f36703e686fb typo3_src-12.4.11.zip These hashes must match the hashes published on get.typo3.org to ensure package integrity. -.. _MD5: https://en.wikipedia.org/wiki/MD5 -.. _SHA2-256: https://en.wikipedia.org/wiki/SHA-2 +.. _MD5: https://en.wikipedia.org/wiki/MD5 +.. _SHA2-256: https://en.wikipedia.org/wiki/SHA-2 Checking file signatures 
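Review bot: `sha1sum -c typo3_src-*.tar.gz typo3_src-*.zip`, carried unchanged into the new lines, is wrong: `-c` puts sha1sum into check mode, so it tries to read checksum lines out of the tarball and the zip and exits with a "no properly formatted checksum lines found" error instead of printing the digests shown below it. Drop the flag (`sha1sum typo3_src-*.tar.gz typo3_src-*.zip`), or better, show check mode used correctly against the published SHA256 value so the reader is not eyeballing 64 hex characters, e.g. `echo "a93bb3e8ceae5f00c77f985438dd948d2a33426ccfd7c2e0e5706325c43533a3  typo3_src-12.4.11.tar.gz" | sha256sum -c` (two spaces before the file name), which prints `typo3_src-12.4.11.tar.gz: OK` or fails non-zero. While here, the tool list names `md5sum`, `sha1sum` or `shasum` but the SHA256 example uses `shasum -a 256`; `sha256sum` from coreutils is the usual Linux equivalent and worth naming. Finally, the closing sentence "These hashes must match the hashes published on get.typo3.org to ensure package integrity" overstates what a match proves: the digests come from the same host as the packages, so they detect a corrupted or swapped download but not a compromised origin; a pointer to the signature section that follows would make that distinction explicit.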
@@ -95,156 +99,161 @@ To validate these signatures `The GNU Privacy Guard`_ is recommend, however any `OpenPGP`_ compliant tool can also be used. The release packages are using a detached binary signature. This means that -the file ``typo3_src-11.5.1.tar.gz`` has an additional signature file -``typo3_src-11.5.1.tar.gz.sig`` which is the detached signature. +the file :file:`typo3_src-12.4.11.tar.gz` has an additional signature file +:file:`typo3_src-12.4.11.tar.gz.sig` which is the detached signature. -.. code-block:: bash - :caption: ~$ +.. code-block:: bash + :caption: ~$ - gpg --verify typo3_src-11.5.1.tar.gz.sig typo3_src-11.5.1.tar.gz + gpg --verify typo3_src-12.4.11.tar.gz.sig typo3_src-12.4.11.tar.gz -.. code-block:: none +.. code-block:: text - gpg: Signature made Tue Oct 12 12:20:19 2021 UTC - gpg: using RSA key E7ED29A70309A0D1AE34DA733304BBDBFA9613D1 - gpg: Can't check signature: No public key + gpg: Signature made 13 Feb 2024 10:56:11 CET + gpg: using RSA key 2B1F3D58AEEFB6A7EE3241A0C19FAFD699012A5A + gpg: Can't check signature: No public key -The warning means that the public key ``E7ED29A70309A0D1AE34DA733304BBDBFA9613D1`` is not yet available on the +The warning means that the public key ``2B1F3D58AEEFB6A7EE3241A0C19FAFD699012A5A`` is not yet available on the local system and cannot be used to validate the signature. The public key can be obtained by any key server - a popular one is `pgpkeys.mit.edu`_. -.. code-block:: bash - :caption: ~$ +.. code-block:: bash + :caption: ~$ - wget -qO- https://get.typo3.org/KEYS | gpg --import + wget -qO- https://get.typo3.org/KEYS | gpg --import -.. code-block:: none +.. 
code-block:: text - gpg: requesting key 59BC94C4 from hkp server pgpkeys.mit.edu - gpg: key 59BC94C4: public key "TYPO3 Release Team (RELEASE) " imported - gpg: key FA9613D1: public key "Benjamin Mack " imported - gpg: key 16490937: public key "Oliver Hader " imported - gpg: no ultimately trusted keys found - gpg: Total number processed: 3 - gpg: imported: 3 (RSA: 3) + gpg: requesting key 59BC94C4 from hkp server pgpkeys.mit.edu + gpg: key 59BC94C4: public key "TYPO3 Release Team (RELEASE) " imported + gpg: key FA9613D1: public key "Benjamin Mack " imported + gpg: key 16490937: public key "Oliver Hader " imported + gpg: no ultimately trusted keys found + gpg: Total number processed: 3 + gpg: imported: 3 (RSA: 3) Once the public key has been imported, the previous command on verifying the -signature of the ``typo3_src-11.5.1.tar.gz`` file can be repeated. +signature of the :file:`typo3_src-12.4.11.tar.gz` file can be repeated. -.. code-block:: bash - :caption: ~$ +.. code-block:: bash + :caption: ~$ - gpg --verify typo3_src-11.5.1.tar.gz.sig typo3_src-11.5.1.tar.gz + gpg --verify typo3_src-12.4.11.tar.gz.sig typo3_src-12.4.11.tar.gz -.. code-block:: none +.. code-block:: text - gpg: Signature made Tue Oct 12 12:20:19 2021 UTC - gpg: using RSA key E7ED29A70309A0D1AE34DA733304BBDBFA9613D1 - gpg: Good signature from "Benjamin Mack " [unknown] - gpg: WARNING: This key is not certified with a trusted signature! - gpg: There is no indication that the signature belongs to the owner. - Primary key fingerprint: E7ED 29A7 0309 A0D1 AE34 DA73 3304 BBDB FA96 13D1 + gpg: Signature made Tue Feb 13 10:56:11 2024 CET + gpg: using RSA key 2B1F3D58AEEFB6A7EE3241A0C19FAFD699012A5A + gpg: Good signature from "Oliver Hader " [unknown] + gpg: aka "Oliver Hader " [unknown] + gpg: WARNING: This key is not certified with a trusted signature! + gpg: There is no indication that the signature belongs to the owner. 
+ Primary key fingerprint: 0C4E 4936 2CFA CA0B BFCE 5D16 A36E 4D1F 1649 0937 + Subkey fingerprint: 2B1F 3D58 AEEF B6A7 EE32 41A0 C19F AFD6 9901 2A5A The new warning is expected since everybody could have created the public key and uploaded it to the key server. The important point here is to validate the key -fingerprint ``E7ED 29A7 0309 A0D1 AE34 DA73 3304 BBDB FA96 13D1`` which is in +fingerprint `0C4E 4936 2CFA CA0B BFCE 5D16 A36E 4D1F 1649 0937` which is in this case the correct one for TYPO3 CMS release packages (see below for a list of currently used keys or access the https://get.typo3.org/KEYS file directly). -.. code-block:: bash - :caption: ~$ +.. code-block:: bash + :caption: ~$ - gpg --fingerprint E7ED29A70309A0D1AE34DA733304BBDBFA9613D1 + gpg --fingerprint 0C4E49362CFACA0BBFCE5D16A36E4D1F16490937 -.. code-block:: none +.. code-block:: text - pub rsa4096 2010-06-22 [SC] - E7ED 29A7 0309 A0D1 AE34 DA73 3304 BBDB FA96 13D1 - uid [ unknown] Benjamin Mack - sub rsa4096 2010-06-22 [E] + pub rsa4096 2017-08-10 [SC] [expires: 2024-08-14] + 0C4E 4936 2CFA CA0B BFCE 5D16 A36E 4D1F 1649 0937 + uid [ unknown] Oliver Hader + uid [ unknown] Oliver Hader + sub rsa4096 2017-08-10 [E] [expires: 2024-08-14] + sub rsa4096 2017-08-10 [S] [expires: 2024-08-14] -.. _Pretty Good Privacy: https://en.wikipedia.org/wiki/Pretty_Good_Privacy -.. _The GNU Privacy Guard: http://www.gnupg.org/ -.. _OpenPGP: http://www.openpgp.org/ -.. _pgpkeys.mit.edu: https://pgpkeys.mit.edu/ +.. _Pretty Good Privacy: https://en.wikipedia.org/wiki/Pretty_Good_Privacy +.. _The GNU Privacy Guard: http://www.gnupg.org/ +.. _OpenPGP: http://www.openpgp.org/ +.. _pgpkeys.mit.edu: https://pgpkeys.mit.edu/ Checking tag signature ---------------------- Checking signatures on Git tags works similar to verifying the results using the -``gpg`` tool, but with using the ``git tag --verify`` command directly. +:bash:`gpg` tool, but with using the :bash:`git tag --verify` command directly. -.. 
code-block:: bash - :caption: ~$ +.. code-block:: bash + :caption: ~$ - git tag --verify v11.5.1 + git tag --verify v12.4.11 -.. code-block:: none +.. code-block:: text - object dcba2a7ce93eaef0ad025dc21fdeb85636d7b4f4 - type commit - tag v11.5.1 - tagger Benni Mack 1634041135 +0200 + object 3f83ff31e72053761f33b975410fa2881174e0e5 + type commit + tag v12.4.11 + tagger Oliver Hader 1707818102 +0100 - Release of TYPO3 11.5.1 - gpg: Signature made Tue Oct 12 14:18:55 2021 CEST - gpg: using RSA key E7ED29A70309A0D1AE34DA733304BBDBFA9613D1 - gpg: Good signature from "Benjamin Mack " + Release of TYPO3 12.4.11 + gpg: Signature made Tue Feb 13 10:55:02 2024 CET + gpg: using RSA key 2B1F3D58AEEFB6A7EE3241A0C19FAFD699012A5A + gpg: Good signature from "Oliver Hader " [unknown] + gpg: aka "Oliver Hader " [unknown] + Primary key fingerprint: 0C4E 4936 2CFA CA0B BFCE 5D16 A36E 4D1F 1649 0937 + Subkey fingerprint: 2B1F 3D58 AEEF B6A7 EE32 41A0 C19F AFD6 9901 2A5A -The ``git show`` command on the name of the tag reveals more details. +The :bash:`git show` command on the name of the tag reveals more details. -.. code-block:: bash - :caption: ~$ +.. code-block:: bash + :caption: ~$ - git show v11.5.1 + git show v12.4.11 -.. code-block:: none +.. code-block:: text - tag v11.5.1 - Tagger: Benni Mack - Date: Tue Oct 12 14:17:52 2021 +0200 + tag v12.4.11 + Tagger: Oliver Hader + Date: Tue Feb 13 10:55:02 2024 +0100 - Release of TYPO3 11.5.1 - -----BEGIN PGP SIGNATURE----- - ... - -----END PGP SIGNATURE----- + Release of TYPO3 12.4.11 + -----BEGIN PGP SIGNATURE----- + ... + -----END PGP SIGNATURE----- Public Keys ----------- -.. note:: - - Starting in June 2017, TYPO3 releases have been cryptographically signed by the - ``TYPO3 Release Team `` with a dedicated public key. - Since July 2017 releases are signed by individual members of the TYPO3 - Release Team directly, namely ``Benni Mack `` and - ``Oliver Hader ``. +.. 
note:: + Starting in June 2017, TYPO3 releases have been cryptographically signed by the + `TYPO3 Release Team ` with a dedicated public key. + Since July 2017 releases are signed by individual members of the TYPO3 + Release Team directly, namely `Benni Mack ` and + `Oliver Hader `. You can download the used public keys from `get.typo3.org.keys`_ -* TYPO3 Release Team +* TYPO3 Release Team - + 4096 bit RSA key - + Key ID `0x9B9CB92E59BC94C4`_ - + Fingerprint ``7AF5 1AAA DED9 D002 4F89 B06B 9B9C B92E 59BC 94C4`` + * 4096 bit RSA key + * Key ID `0x9B9CB92E59BC94C4`_ + * Fingerprint `7AF5 1AAA DED9 D002 4F89 B06B 9B9C B92E 59BC 94C4` -* Benni Mack +* Benni Mack - + 4096 bit RSA key - + Key ID `0x3304BBDBFA9613D1`_ - + Fingerprint ``E7ED 29A7 0309 A0D1 AE34 DA73 3304 BBDB FA96 13D1`` + * 4096 bit RSA key + * Key ID `0x3304BBDBFA9613D1`_ + * Fingerprint `E7ED 29A7 0309 A0D1 AE34 DA73 3304 BBDB FA96 13D1` -* Oliver Hader +* Oliver Hader - + 4096 bit RSA key - + Key ID `0xC19FAFD699012A5A`_, subkey of `0xA36E4D1F16490937`_ - + Fingerprint ``0C4E 4936 2CFA CA0B BFCE 5D16 A36E 4D1F 1649 0937`` + * 4096 bit RSA key + * Key ID `0xC19FAFD699012A5A`_, subkey of `0xA36E4D1F16490937`_ + * Fingerprint `0C4E 4936 2CFA CA0B BFCE 5D16 A36E 4D1F 1649 0937` -............................... .. _0x9B9CB92E59BC94C4: https://pgpkeys.mit.edu/pks/lookup?search=0x9B9CB92E59BC94C4 .. _0x3304BBDBFA9613D1: https://pgpkeys.mit.edu/pks/lookup?search=0x3304BBDBFA9613D1
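Review bot: the prose after the first `gpg --verify` output calls `2B1F3D58AEEFB6A7EE3241A0C19FAFD699012A5A` "the public key", but the later output labels that value the subkey fingerprint, and the Public Keys list at the bottom, the fingerprint sentence and the `gpg --fingerprint 0C4E...` check all use the primary fingerprint `0C4E 4936 2CFA CA0B BFCE 5D16 A36E 4D1F 1649 0937`. Say "signing subkey" there and tell the reader to compare the primary key fingerprint, otherwise they will look for 2B1F... in the list and not find it. Second, the output shown under `wget -qO- https://get.typo3.org/KEYS | gpg --import` (`gpg: requesting key 59BC94C4 from hkp server pgpkeys.mit.edu`) is what `gpg --recv-keys` prints against a keyserver, not what an import from a file prints; replace it with the actual `--import` output, which consists only of the `gpg: key ...: public key "..." imported` lines and the totals. Third, this hunk switches every fingerprint and key ID in the `.. note::` and the Public Keys list from double-backtick literals to single backticks; in reStructuredText single backticks are interpreted text under the default role, not a literal, so the spaced fingerprints and the `<email>` addresses can be reflowed or mis-rendered. Keep them as ``literals`` (or `:code:`) so they render verbatim and can be copied and compared byte for byte. Last, a caveat worth adding next to the KEYS download: the file is fetched from the same origin as the package, so importing it proves nothing until the fingerprint has been compared with a copy obtained independently of that download, and the `[expires: 2024-08-14]` shown on the key means this captured output will need refreshing once the key is extended or replaced.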