Attention
TYPO3 v9 has reached its end-of-life September 30th, 2021 and is not maintained by the community anymore. Looking for a stable version? Use the version switch on the top left.
You can order Extended Long Term Support (ELTS) here: TYPO3 ELTS.
TYPO3 Release Integrity¶
TYPO3 Release Packages (the downloadable tarballs and zip files) as well as Git tags are signed using PGP signatures during the automated release process. Besides that, MD5 and SHA2-256 hashes are being generated for these files.
Release package contents¶
TYPO3 Release packages contain the following files:
typo3_src-7.6.4.tar.gz
typo3_src-7.6.4.tar.gz.sig
typo3_src-7.6.4.zip
typo3_src-7.6.4.zip.sig
RELEASE-7.6.4.txt
*.tar.gz
and*.zip
files are the actual release packages, containing the source code of the TYPO3 CMS Core*.sig
files contain accordant signatures for each release package fileRELEASE.txt
is the signed "delivery note" of the whole release
Checking file hashes¶
File hashes are used to check that a downloaded file was transferred and stored
correctly on the local system. TYPO3 uses the cryptographic hash methods MD5
and SHA2-256 which are created by accordant tools like md5sum
or
shasum
.
The RELEASE.txt
file contains these hash sums that have been created during
the release process.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
================================================================================================
Release of TYPO3 CMS 7.6.4
================================================================================================
MD5 checksums:
400d5f8808c1377034ddc35165ccbb18 typo3_src-7.6.4.tar.gz
d9b4ec13fdc935445f6e85c3e3c7fdc8 typo3_src-7.6.4.zip
SHA256 checksums:
6d65008f4a71036cc6c90648f3c4019422904ff7c7d3c0f84a1695d64b8f615b typo3_src-7.6.4.tar.gz
04fe21245a0881ed3be1219092cc86bcba1d2fb28554e33d425814bfa5bc347e typo3_src-7.6.4.zip
Further details on the signing and hashing process of TYPO3 releases:
https://docs.typo3.org/typo3cms/drafts/github/TYPO3Incubator/InfrastructureGuide/Releases/
================================================================================================
-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----
To check values, either one of the the names tools, md5sum
or shasum
has
to be used to locally create these hash values which you then use to compare
them to the values published with the release.
~$ md5sum typo3_src-*.tar.gz typo3_src-*.zip
400d5f8808c1377034ddc35165ccbb18 typo3_src-7.6.4.tar.gz
d9b4ec13fdc935445f6e85c3e3c7fdc8 typo3_src-7.6.4.zip
~$ shasum -a 256 typo3_src-*.tar.gz typo3_src-*.zip
6d65008f4a71036cc6c90648f3c4019422904ff7c7d3c0f84a1695d64b8f615b typo3_src-7.6.4.tar.gz
04fe21245a0881ed3be1219092cc86bcba1d2fb28554e33d425814bfa5bc347e typo3_src-7.6.4.zip
Checking file signatures¶
TYPO3 uses Pretty Good Privacy to sign release packages and Git release tags. To validate these signatures we suggest to use The GNU Privacy Guard, however any OpenPGP-compliant tool should be working as well.
The release packages are using a detached binary signature. This means that
the file typo3_src-7.6.4.tar.gz
has an additional signature file
typo3_src-7.6.4.tar.gz.sig
which is the detached signature. The
RELEASE.txt
file that has been mentioned in the previous section
is signed as well - however it contains the signature inline in the same file.
gpg --verify RELEASE-7.6.4.txt
Output:
gpg: Signature made Tue 23 Feb 2016 12:18:26 PM CET using RSA key ID 59BC94C4
gpg: Can't check signature: public key not found
The warning means that the public key 59BC94C4
is not yet available on the
local system and cannot be used to validate the signature. The public key can be
obtained by any key server - a popular one is pgpkeys.mit.edu.
wget -qO- https://get.typo3.org/KEYS | gpg --import
Output:
gpg: requesting key 59BC94C4 from hkp server pgpkeys.mit.edu
gpg: key 59BC94C4: public key "TYPO3 Release Team (RELEASE) <typo3cms@typo3.org>" imported
gpg: key FA9613D1: public key "Benjamin Mack <benni@typo3.org>" imported
gpg: key 16490937: public key "Oliver Hader <oliver@typo3.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 3
gpg: imported: 3 (RSA: 3)
Once the public key has been imported, the previous command on verifying the
signature of the RELEASE.txt
file can be repeated.
gpg --verify RELEASE-7.6.4.txt
Output:
gpg: Signature made Tue 23 Feb 2016 12:18:26 PM CET using RSA key ID 59BC94C4
gpg: Good signature from "TYPO3 Release Team (RELEASE) <typo3cms@typo3.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7AF5 1AAA DED9 D002 4F89 B06B 9B9C B92E 59BC 94C4
The new warning is expected since everybody could have created the public key
and uploaded it to the key server. The vital aspect here is to validate the key
fingerprint 7AF5 1AAA DED9 D002 4F89 B06B 9B9C B92E 59BC 94C4
which is in
this case the correct one for TYPO3 CMS release packages.
gpg --fingerprint 59BC94C4
Output:
pub 4096R/59BC94C4 2016-02-21 [expires: 2021-02-22]
Key fingerprint = 7AF5 1AAA DED9 D002 4F89 B06B 9B9C B92E 59BC 94C4
uid TYPO3 Release Team (RELEASE) <typo3cms@typo3.org>
sub 4096R/0752FD79 2016-02-21
Verifying the release packages works almost similar with a detacted signature which has to be downloaded as well.
gpg --verify typo3_src-7.6.4.tar.gz.sig typo3_src-7.6.4.tar.gz
Output:
gpg: Signature made Tue 23 Feb 2016 12:18:24 PM CET using RSA key ID 59BC94C4
gpg: Good signature from "TYPO3 Release Team (RELEASE) <typo3cms@typo3.org>"
Checking tag signature¶
Checking signatures on Git tags works similar to verifying the results using the
gpg
tool, but with using the git tag --verify
command directly.
git tag --verify 7.6.4
Output:
object bd0c7f6ca9cb3093bd647e85035e9f36bf1e9e86
type commit
tag 7.6.4
tagger TYPO3 Release Team <typo3cms@typo3.org> 1456226245 +0100
Tagged version 7.6.4
gpg: Signature made Tue 23 Feb 2016 12:17:25 PM CET using RSA key ID 59BC94C4
gpg: Good signature from "TYPO3 Release Team (RELEASE) <typo3cms@typo3.org>"
The git show
command on the name of the tag reveals more details.
git show 7.6.4
Output:
tag 7.6.4
Tagger: TYPO3 Release Team <typo3cms@typo3.org>
Date: Tue Feb 23 12:17:25 2016 +0100
Tagged version 7.6.4
-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----
commit bd0c7f6ca9cb3093bd647e85035e9f36bf1e9e86
Author: TYPO3 Release Team <typo3cms@typo3.org>
Date: Tue Feb 23 12:16:38 2016 +0100
[RELEASE] Release of TYPO3 7.6.4
Change-Id: Ibc16ad8989398404e277236bed6ae5a0f7f6a29f
Reviewed-on: https://review.typo3.org/46839
Reviewed-by: TYPO3 Release Team <typo3cms@typo3.org>
Tested-by: TYPO3 Release Team <typo3cms@typo3.org>
Public Keys¶
Note
Through June 2017 TYPO3 releases have been cryptographically signed by
TYPO3 Release Team <typo3cms@typo3.org>
with a dedicated public key.
Since July 2017 releases are signed by individual members of the TYPO3
Release Team directly, namely Benni Mack <benni@typo3.org>
and
Oliver Hader <oliver@typo3.org>
.
You can download the used public keys from get.typo3.org.keys
- TYPO3 Release Team <typo3cms@typo3.org>
4096 bit RSA key
Key ID 0x9B9CB92E59BC94C4
Fingerprint
7AF5 1AAA DED9 D002 4F89 B06B 9B9C B92E 59BC 94C4
- Benni Mack <benni@typo3.org>
4096 bit RSA key
Key ID 0x3304BBDBFA9613D1
Fingerprint
E7ED 29A7 0309 A0D1 AE34 DA73 3304 BBDB FA96 13D1
- Oliver Hader <oliver@typo3.org>
4096 bit RSA key
Key ID 0xC19FAFD699012A5A, subkey of 0xA36E4D1F16490937
Fingerprint
0C4E 4936 2CFA CA0B BFCE 5D16 A36E 4D1F 1649 0937