From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:8:6d80::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id WCq4FT4NcWD+5gAAgWs5BA (envelope-from ) for ; Sat, 10 Apr 2021 04:28:14 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id 4MSBED4NcWDUKgAA1q6Kng (envelope-from ) for ; Sat, 10 Apr 2021 02:28:14 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 568971A3E9 for ; Sat, 10 Apr 2021 04:28:13 +0200 (CEST) Received: from localhost ([::1]:37238 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lV3M4-0007Ej-1P for larch@yhetil.org; Fri, 09 Apr 2021 22:28:12 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:40058) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lV3Lv-0007Ea-8m for bug-guix@gnu.org; Fri, 09 Apr 2021 22:28:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:39676) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lV3Lt-0007hC-Sh for bug-guix@gnu.org; Fri, 09 Apr 2021 22:28:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lV3Lt-0004wQ-O5 for bug-guix@gnu.org; Fri, 09 Apr 2021 22:28:01 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#47634: Accompany .asc and .DIGESTS keys for the ISO Resent-From: Carlo Zancanaro Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Sat, 10 Apr 2021 02:28:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 47634 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: bo0od Received: via spool by 47634-submit@debbugs.gnu.org id=B47634.161802165818962 (code B ref 47634); Sat, 10 Apr 2021 02:28:01 +0000 Received: (at 47634) by debbugs.gnu.org; 10 Apr 2021 02:27:38 +0000 Received: from localhost ([127.0.0.1]:51222 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lV3LW-0004vm-59 for submit@debbugs.gnu.org; Fri, 09 Apr 2021 22:27:38 -0400 Received: from zancanaro.com.au ([45.76.117.151]:42592) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lV3LU-0004vd-CT for 47634@debbugs.gnu.org; Fri, 09 Apr 2021 22:27:37 -0400 Received: by zancanaro.com.au (Postfix, from userid 116) id 5714633F68; Sat, 10 Apr 2021 02:27:34 +0000 (UTC) Received: from jolteon (n175-37-174-100.bla2.nsw.optusnet.com.au [175.37.174.100]) by zancanaro.com.au (Postfix) with ESMTPSA id 7A69A33F36; Sat, 10 Apr 2021 02:27:33 +0000 (UTC) References: <60cab189-2c49-0f7f-8c32-178220540514@riseup.net> <8624B91E-1A4F-4455-880A-E5664C27D5B1@zancanaro.id.au> <5c01ac9b-74db-42d5-db39-7f287b70255d@riseup.net> User-agent: mu4e 1.4.15; emacs 27.2 From: Carlo Zancanaro In-reply-to: <5c01ac9b-74db-42d5-db39-7f287b70255d@riseup.net> Date: Sat, 10 Apr 2021 12:27:32 +1000 Message-ID: <87y2dqlvqj.fsf@zancanaro.id.au> MIME-Version: 1.0 Content-Type: text/plain; format=flowed X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: 47634@debbugs.gnu.org Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1618021693; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:resent-cc:resent-from:resent-sender: resent-message-id:in-reply-to:in-reply-to:references:references: list-id:list-help:list-unsubscribe:list-subscribe:list-post; bh=PcpLxN0JR3MRVFKfPs9m8Iuv7QiQfddb2aq6yEEyCWg=; b=el3HuBAeHq1EA8y/xuttpDYqilXT090UN3XivmEkmjw8Ktu6mUjTM0R+1SFHHQK1PMkQ8H C2sHeF3z60gzli678e/Kdvbpetf4xPkiBuV5gZsLen+7Bu/2UXmivv9M+8rT+sMnZB8HZV NQROPAd40VxCoaKsEUXFfIAKlygYST3dmGjgU4jJT9m9VL8WSPiOu9LwC9NZenv1pz7L2J VXKD6LZjbnXOj0DJyiBBW9nZP7XeIB9qPE+cyR72HkdtNa7BZk8OhMEl2dvm2rkpvLX1RX 9H9BYwWwGOKROOb75NDiZNmuUTMfFRjRe0hKyq//PMKNzrEW3UYUwrM5OUcHMA== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1618021693; a=rsa-sha256; cv=none; b=jaO4ZnQcUh9o4u4+f3IbwHCPkgIrZag+09zFIBow5u5kavQXFCqvCGc3HricCX9UKkxFhY FzIMvMqpTw1ZnIoW22E5BAPpyZbxHQfOK4w0wJl+hZswges2tW5A9O5jvcP/sjnhdcud80 FSBsJIHRleGBo3weeA0doa1p9VUSiqbLxqA4Cvowd6Cz2IJU9UCnWQoH2tFOSPD1zN1hLC +Ckz+ZugDGwsqDshcrvMEtSC58cg8xLyY01NYYuogjOnV7NRdo1zPEu+uV2KNUXGuYeHR1 d2kW42tAwgWmP0WOH73U0gaDaco4e2CrNWuzKPmb4kUCf+qsSkhq91c2N0BikA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Spam-Score: -0.94 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Queue-Id: 568971A3E9 X-Spam-Score: -0.94 X-Migadu-Scanner: scn0.migadu.com X-TUID: 2eAWfgNQXMSK Hi bo0od! On Sat, Apr 10 2021, bo0od wrote: >> Which implies that the signatures are sufficient, right? > > Well this is simple question but the answer is sorta deeper, So > i will answer with yes and no: > > yes signatures are sufficient but signatures with PGP has > problems... I grant that this might be true, but whether or not to use PGP is a different issue to whether cryptographic signatures are sufficient to verify downloads. If we compare the projects you've shown as examples: - Qubes provides hashes, PGP signatures, and a release signing key - Whonix provides hashes, PGP signatures, and a release signing key For verification purposes the hashes only provide transport integrity - they don't provide any mechanism to verify where the content came from, and because they're stored next to the images it's likely that any attacker who could manipulate the images could also manipulate the hashes. The signature provides a better guarantee that the image contains what the project intends to distribute (i.e. that nobody has compromised image itself). In this instance, the hash provides no significant additional value over the signature. If we look at the Tor project (who, I hope you will agree, care about security), their download page[1] only provides links to PGP signatures as their sole method of verification. I'm not convinced there's much value to add anything beyond the signatures, and I think there is some cost. Having multiple verification options makes the download page more confusing (by providing more choices to do the same thing), and may make it less likely that people do any verification. I think there may be a larger conversation to have around using something like Signify rather than PGP/GPG, but I'm not familiar enough with Signify to have an opinion about that at the moment. Carlo [1]: https://www.torproject.org/download/