Description
Bazel release candidates and releases are accompanied by PGP signatures:
$ wget -q 'https://releases.bazel.build/0.20.0/rc1/bazel-0.20.0rc1-darwin-x86_64'
$ wget -q 'https://releases.bazel.build/0.20.0/rc1/bazel-0.20.0rc1-darwin-x86_64.sig'
$ gpg --verify ./bazel-0.20.0rc1-darwin-x86_64.sig
gpg: assuming signed data in './bazel-0.20.0rc1-darwin-x86_64'
gpg: Signature made Mon 05 Nov 2018 06:16:24 AM PST
gpg: using RSA key 71A1D0EFCFEB6281FD0437C93D5919B448457EE0
gpg: Good signature from "Bazel Developer (Bazel APT repository key) <[email protected]>" [full]
$ wget -q 'https://releases.bazel.build/0.21.0/release/bazel-0.21.0-linux-x86_64'
$ wget -q 'https://releases.bazel.build/0.21.0/release/bazel-0.21.0-linux-x86_64.sig'
$ gpg --verify ./bazel-0.21.0-linux-x86_64.sig
gpg: assuming signed data in './bazel-0.21.0-linux-x86_64'
gpg: Signature made Wed 19 Dec 2018 05:58:23 AM PST
gpg: using RSA key 71A1D0EFCFEB6281FD0437C93D5919B448457EE0
gpg: Good signature from "Bazel Developer (Bazel APT repository key) <[email protected]>" [full]
Would you be interested in a pull request to make Bazelisk additionally download and verify these signatures? (Signature verification is fast: about a second on my machine.)
The Bazel team public key would be hard-coded into the repository, and we can use
$ gpg --no-default-keyring --keyring ./bazel-release.pub.gpg \
> --trust-model always --verify "${SIGNATURE}" "${BINARY}"
to verify the binary. (This requires the bazel-release.pub.gpg key to be dearmored, but that’s easy to do.)
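The verification step proposed above, as an added example that is not part of the issue or of Bazelisk itself: because `--trust-model always` makes gpg report "Good signature" for any key in the keyring, the check pins the signing key's fingerprint from gpg's machine-readable `--status-fd` output (the `VALIDSIG` line) rather than trusting the human-readable text. The keyring path is an assumption, and the sample status output is constructed to mirror the session shown above.

```shell
#!/bin/sh
# Added example (not Bazelisk code): verify a Bazel release binary against its
# detached .sig with a hard-coded, dearmored keyring, then pin the expected key.

# Fingerprint of the Bazel release key, as printed by gpg in the session above.
BAZEL_RELEASE_FPR="71A1D0EFCFEB6281FD0437C93D5919B448457EE0"

# Assumed location of the dearmored public key (gpg --dearmor < key.asc > this).
BAZEL_KEYRING="./bazel-release.pub.gpg"

# check_gpg_status STATUS_TEXT EXPECTED_FPR
# Succeeds only if STATUS_TEXT contains a VALIDSIG line whose signing-key
# fingerprint (field 3) or primary-key fingerprint (last field) equals
# EXPECTED_FPR. GOODSIG alone is not enough: it also fires for unrelated keys.
# Pure text parsing, so it runs without gpg installed.
check_gpg_status() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# verify_bazel_signature BINARY SIG
# Runs gpg exactly as proposed in the issue, with --status-fd 1 added so the
# status lines arrive on stdout; the human-readable output (stderr) is dropped.
verify_bazel_signature() {
    status=$(gpg --batch --no-default-keyring --keyring "$BAZEL_KEYRING" \
                 --trust-model always --status-fd 1 \
                 --verify "$2" "$1" 2>/dev/null) || return 1
    check_gpg_status "$status" "$BAZEL_RELEASE_FPR"
}

# Constructed status output resembling a successful verification of the
# 0.21.0 release signature (user id shortened; values are illustrative).
SAMPLE_STATUS_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 3D5919B448457EE0 Bazel Developer (Bazel APT repository key)
[GNUPG:] VALIDSIG 71A1D0EFCFEB6281FD0437C93D5919B448457EE0 2018-12-19 1545227903 0 4 0 1 10 01 71A1D0EFCFEB6281FD0437C93D5919B448457EE0
[GNUPG:] TRUST_ULTIMATE 0 always'

# Constructed status output for a signature that does not verify.
SAMPLE_STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 3D5919B448457EE0 Bazel Developer (Bazel APT repository key)'

# Stand-alone demo on the constructed samples (no network, no gpg needed).
if check_gpg_status "$SAMPLE_STATUS_OK" "$BAZEL_RELEASE_FPR"; then
    echo "pinned key matched"
fi
```

With a downloaded binary and signature, `verify_bazel_signature ./bazel-0.21.0-linux-x86_64 ./bazel-0.21.0-linux-x86_64.sig` returns 0 only when gpg validates the signature and the signing key matches the pinned fingerprint.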