From: bo0od
To: carlo@zancanaro.id.au, 47634@debbugs.gnu.org, leo@famulari.name
Subject: bug#47634: Accompany .asc and .DIGESTS keys for the ISO
Date: Fri, 9 Apr 2021 22:17:47 +0000
Message-ID: <5c01ac9b-74db-42d5-db39-7f287b70255d@riseup.net>
In-Reply-To: <8624B91E-1A4F-4455-880A-E5664C27D5B1@zancanaro.id.au>
References: <60cab189-2c49-0f7f-8c32-178220540514@riseup.net> <8624B91E-1A4F-4455-880A-E5664C27D5B1@zancanaro.id.au>
List-Id: Bug reports for GNU Guix

> Which implies that the signatures are sufficient, right?

Well, this is a simple question but the answer is sorta deeper, so I will answer with yes and no: yes, signatures are sufficient, but signatures with PGP have problems. In the suggestion above I didn't suggest to diversify the signing methods (like, for example, using signify alongside gpg) but just adding extra steps better than one (more convenience to say that everything is going smoothly).

To understand what I'm talking about I suggest reading:

Why PGP on expiration time:

https://www.whonix.org/wiki/OpenPGP#Issues_with_PGP

Discussion which might consider deprecating the usage of PGP by Debian:

https://wiki.debian.org/Teams/Apt/Spec/AptSign

Whonix is already using signify alongside PGP:

https://www.whonix.org/wiki/Signify

Also there are challenges to the concept itself:

https://www.whonix.org/wiki/Verifying_Software_Signatures#Conceptual_Challenges_in_Digital_Signatures_Verification

So I hope that by reading completely you will come to the conclusion to either provide as much extra verification as possible (like .asc, DIGESTS, SHA512, etc.) or provide alternative verification alongside the traditional one, like using signify, or using something like signify and that's it. (I think providing both methods, like pgp/signify, is the best way which suits everybody.)

>
>
> On 9 April 2021 3:34:20 am AEST, bo0od wrote:
>> This is nicely written by Qubes documentation:
>>
>> https://www.qubes-os.org/security/verifying-signatures/
>
> From that page:
>
>> If you’ve already verified the signatures on the ISO directly, then verifying digests is not necessary.
>
> Which implies that the signatures are sufficient, right?
>
> What is the benefit to providing the key (.asc) and hashes (.DIGESTS)? The page you linked provides rationale for providing and checking digital signatures, but we already provide them.
>
> Carlo
>