I have just gone to https://couchdb.apache.org/ to get the latest CouchDB binary (upgrading from 2.2).

However, the download link redirects me to an organisation called Neighbourhoodie - a CouchDB services & consultancy firm (which was unexpected, but understandable as I know the installations may be served from mirrors).

When I ran the installer I got a warning from Windows that the binary is from an 'Unknown Publisher'.

I can't find a contact point on the CouchDB site to ask a question like this.

The unexpected redirect coupled with the Unknown Publisher have made me nervous - how can I know that it's safe to proceed with the upgrade?

Bob Gear

1 Answer

You can verify that the CouchDB contributors who sign public releases believed this binary is correct for Windows users by comparing the site, sha1 and md5 sums they gave in an issue. Neither a sha1 nor an md5 alone is secure, but I think it would be exceedingly hard to find an attack that simultaneously works for both.

Also, if you download the gpg signature, the binary and https://downloads.apache.org/couchdb/KEYS, you can verify that this signer is the same signer using the same key recognized on the Apache download site. Using their trust is similar to TOFU: you trust the channel with https and it trusts this key, so now you trust the key on another channel.

On Linux/Mac this looks like:

(verify that you obtain KEYS over SSL from Apache, then:)
$ gpg --import KEYS.txt
  ...
  gpg: key CDE711289384AE37: "**** (CODE SIGNING KEY) <****@apache.org>"

(download a sig and file from the official downloads.apache.org site and verify + add your "tofu" trust in this key)
$ gpg --trusted-key CDE711289384AE37 --verify apache-couchdb-3.1.1.tar.gz.asc

(your gpg now trusts this key for new binaries)
$ gpg --verify apache-couchdb-3.1.0.msi.asc

(if the official KEYS file changes you would want to delete this trust and do the same process again:)
$ gpg --delete-key CDE711289384AE37

and Windows gpg should look similar, maybe with / in place of --, etc.

lossleader
  • Thanks @lossleader for a clear description of what to do (clearer than what I later found on the Apache site). The hashes match and GPG says the key is good, which alleviates my doubts a bit, but GPG reports that 'This key is not certified with a trusted signature. There is no indication that the signature belongs to the owner'. Any thoughts? – Bob Gear Sep 26 '20 at 13:10
  • @BobGear this is because it's not possible to establish a full web-of-trust as gpg prefers. I've updated the answer to explain how you are establishing tofu trust in the key from the official channel and making it explicit to verify future signatures. – lossleader Sep 27 '20 at 12:34
  • For other Windows users who land here, the gnupg site suggests GPG4Win (https://gpg4win.org/download.html). The instructions laid out above by @lossleader work in the command line as-is (I found the command line easier to work with than the gui). I wonder why Apache don't sign the .msi so that Windows will accept it without complaining. – Bob Gear Sep 27 '20 at 13:49