Artifact Signing and Provenance

As part of our commitment to security and compliance, we have adopted a number of practices that help users verify the integrity of the software they run. This page gives an overview of these initiatives.

Artifact Signing

Authelia uses a dedicated GPG key to sign distributed artifacts, ensuring authenticity and integrity.

The following information describes the key used to sign the artifacts:

  • Key ID: 192085915BD608A458AC58DCE461FA1531286EEA
  • Key Fingerprint: 1920 8591 5BD6 08A4 58AC 58DC E461 FA15 3128 6EEA
  • Sub Key ID (Encryption): 7DBA42FED0069D5828A44079975E8FFC6876AFBB
  • Sub Key ID (Signing): C387CC1B5FFC25E55F75F3E6A228F3BD04CC9652
  • Key Owners:
    • Authelia Security <security@authelia.com>
    • Authelia Security <team@authelia.com>

The public key can be obtained from the following locations:

The following artifacts are signed with this key:

SLSA Provenance

In addition to artifact signatures, Authelia generates and signs SLSA Provenance for its builds.

Provenance is metadata that describes how an artifact was built: for example, which source code, build steps, and build environment were used. This lets users and automated systems verify that the software was built in a trustworthy and repeatable way.

Authelia’s provenance conforms to SLSA Build Level 3.

The SLSA Provenance covers the release artifacts, i.e. those with the .tar.gz and .deb extensions.

You can verify the SLSA Provenance using slsa-verifier. Below is an example verifying the FreeBSD amd64, Linux amd64 (musl), and Linux amd64 Authelia v4.39.8 release tarballs:

curl -fsSLO https://github.com/authelia/authelia/releases/download/v4.39.8/{authelia-v4.39.8-freebsd-amd64.tar.gz,authelia-v4.39.8-linux-amd64-musl.tar.gz,authelia-v4.39.8-linux-amd64.tar.gz,authelia.intoto.jsonl} && \
slsa-verifier verify-artifact authelia-v4.39.8-freebsd-amd64.tar.gz authelia-v4.39.8-linux-amd64-musl.tar.gz authelia-v4.39.8-linux-amd64.tar.gz --provenance-path authelia.intoto.jsonl --source-uri "github.com/authelia/authelia"

Example output:

Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.1.0" at commit 5d90442e07cc695c61036ac1a539c0b942ebc71d
Verifying artifact authelia-v4.39.8-freebsd-amd64.tar.gz: PASSED

Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.1.0" at commit 5d90442e07cc695c61036ac1a539c0b942ebc71d
Verifying artifact authelia-v4.39.8-linux-amd64-musl.tar.gz: PASSED

Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.1.0" at commit 5d90442e07cc695c61036ac1a539c0b942ebc71d
Verifying artifact authelia-v4.39.8-linux-amd64.tar.gz: PASSED

PASSED: SLSA verification passed
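As an added example that is not part of the Authelia documentation, the following Python unwraps the provenance envelope that slsa-verifier consumes and performs the subject-binding portion of the check offline: it decodes the DSSE payload, rejects a builder or source repository other than the ones shown above, and compares each downloaded tarball's sha256 with the matching subject digest. It assumes the in-toto Statement v0.1 / SLSA provenance v0.2 field layout and runs against a constructed, unsigned envelope; the signature verification that slsa-verifier performs against Sigstore is deliberately not replicated here.

```python
import base64
import hashlib
import json
# Trusted builder (from the slsa-verifier output above) and the expected source repository.
EXPECTED_BUILDER = ("https://github.com/slsa-framework/slsa-github-generator/"
                    ".github/workflows/generator_generic_slsa3.yml@refs/tags/v2.1.0")
EXPECTED_SOURCE = "git+https://github.com/authelia/authelia"

def decode_statement(envelope_json: str) -> dict:
    """Unwrap one DSSE envelope line (*.intoto.jsonl) into its in-toto Statement."""
    env = json.loads(envelope_json)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    return json.loads(base64.b64decode(env["payload"]))

def check_provenance(envelope_json: str, artifacts: dict[str, bytes]) -> dict[str, bool]:
    """Map artifact name -> whether its sha256 matches a provenance subject. Rejects an
    untrusted builder or foreign source; does NOT verify the envelope signature."""
    stmt = decode_statement(envelope_json)
    pred = stmt["predicate"]
    if pred["builder"]["id"] != EXPECTED_BUILDER:
        raise ValueError(f"untrusted builder {pred['builder']['id']!r}")
    source = pred["invocation"]["configSource"]["uri"]
    if not source.startswith(EXPECTED_SOURCE + "@"):
        raise ValueError(f"unexpected source {source!r}")
    subjects = {s["name"]: s["digest"]["sha256"] for s in stmt["subject"]}
    return {name: subjects.get(name) == hashlib.sha256(data).hexdigest()
            for name, data in artifacts.items()}

# Constructed fixture: fake tarball bytes and an unsigned envelope built from them.
SAMPLE_ARTIFACTS = {
    "authelia-v4.39.8-linux-amd64.tar.gz": b"constructed tarball bytes 1",
    "authelia-v4.39.8-linux-amd64-musl.tar.gz": b"constructed tarball bytes 2",
}
_statement = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": n, "digest": {"sha256": hashlib.sha256(d).hexdigest()}}
                for n, d in SAMPLE_ARTIFACTS.items()],
    "predicate": {"builder": {"id": EXPECTED_BUILDER},
                  "invocation": {"configSource": {
                      "uri": EXPECTED_SOURCE + "@refs/tags/v4.39.8",
                      "digest": {"sha1": "5d90442e07cc695c61036ac1a539c0b942ebc71d"}}}},
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_statement).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "constructed-placeholder"}],
})
```

A tampered or renamed tarball shows up as False for that subject, which is the same failure slsa-verifier reports as a digest mismatch.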