Caddy 2 GPG signature

I am one of the maintainers of an Ansible role for installing/configuring caddy. I am updating to use caddy 2, but previously I was using this endpoint to get a GPG signature of the downloaded binary:

https://caddyserver.com/download/linux/amd64/signature

I haven’t found a way to get this signature with caddy 2. Is there a way or is it no longer possible to use GPG to verify this download?

As far as I know, builds from the build server aren’t GPG signed yet.

I strongly recommend you download the builds from GitHub instead of using https://caddyserver.com/download, as that page is meant for manual downloads, not for automation.

For some platforms, you can use the repos where we publish official builds:

Thanks for the reply!

I don’t believe it’s possible to get a binary from GitHub which includes additional packages. I could definitely make a change to use the GitHub binary when no additional packages are requested, but if people want things like DNS providers then I think the only ways are to use the website or build manually (which people are unlikely to be very happy with, as they would need the build tools on every host where they install caddy).

The current (v1) code follows the same basic process as https://getcaddy.com/ (AFAIK this was provided by the caddy authors), which people have definitely been using for automation, so if the https://caddyserver.com/ downloads are no longer to be used for that purpose then it does feel like a change to me.

Aye, people did indeed use the v1 script (and variants thereof) to automate deployments. The spirit of that script was to allow people to install manually from command line by curling to bash (I know, I know, security risk). Literally a CLI interface for the download page.

It was a bit of a conundrum. The money to pay for the build server supporting all those people’s deployments has to come from somewhere.

A funding solution via split licensing was attempted during the life of v1, with the aim of providing paid commercial access to that build server. There were issues, though, and eventually the build licensing went away (the code was still always Apache licensed).

Do you think you could help on that front?

I’m more than happy to help if there’s something useful I can reasonably do in the limited time I have available - I like caddy and find it useful so I don’t mind contributing. What kind of help is desired? Given that there is currently a build server still I assume that is being funded from somewhere. Is it money for that funding which is required?

Is the build server now open source (I believe it was not in the past)? If so I would be more than happy to add support in the Ansible role for using a self-hosted version & recommend this to users who require additional plugins. I could also create a new role for hosting the build server to make this easier for my users.

Whatever I do, I think while the build server is available people will try to use it for things like this, so either the build server should prevent this or it should simply be accepted that it will happen. I do already try to avoid downloading anything from the server unless it is definitely needed. If I make it inconvenient to do using the role which I help maintain, then someone will most likely just create a different role which makes it easy.
