unofficial mirror of notmuch@notmuchmail.org
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Notmuch Mail <notmuch@notmuchmail.org>
Subject: [PATCH] build: distribute signed sha256sums
Date: Sat, 23 Mar 2019 12:21:18 +0100
Message-ID: <20190323112118.4022-1-dkg@fifthhorseman.net>
In-Reply-To: <87o96cw8pb.fsf@fifthhorseman.net>

Distribute clearsigned sha256sum file instead of a detached signature.

This ensures that the thing signed includes the name of the tarball,
which defends the verifier by default against a freeze, rollback, or
project substitution attack.

A verifier can use something like the following (as expressed in
bash):

      set -o pipefail
      wget https://notmuchmail.org/releases/notmuch-$VERSION.tar.gz{,.sha256.asc}
      gpgv --keyring ./notmuch-signers.pgp --output - notmuch-$VERSION.tar.gz.sha256.asc | sha256sum -c -

See id:87r2b8w956.fsf@fifthhorseman.net and other messages in that
thread for discussion.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
 Makefile.global |  3 +--
 Makefile.local  | 13 +++++--------
 2 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/Makefile.global b/Makefile.global
index 6e17494a..11fd0cee 100644
--- a/Makefile.global
+++ b/Makefile.global
@@ -43,8 +43,7 @@ RELEASE_URL=https://notmuchmail.org/releases
 TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
 ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
 DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
-SHA256_FILE=$(TAR_FILE).sha256
-GPG_FILE=$(TAR_FILE).asc
+GPG_FILE=$(TAR_FILE).sha256.asc
 
 PV_FILE=bindings/python/notmuch/version.py
 
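Review bot: GPG_FILE now names a clearsigned checksum list rather than a detached signature, and SHA256_FILE is removed outright, so the variable name no longer describes the artifact and any rule that still says $(SHA256_FILE) will silently expand to an empty string instead of failing. Consider keeping SHA256_FILE for the unsigned intermediate and giving the signed file its own name (e.g. SIGNED_SHA256_FILE=$(TAR_FILE).sha256.asc) rather than reusing GPG_FILE.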
diff --git a/Makefile.local b/Makefile.local
index 01ba49cc..48ef40e4 100644
--- a/Makefile.local
+++ b/Makefile.local
@@ -39,11 +39,8 @@ $(TAR_FILE):
 	gzip -n < $(TAR_FILE).tmp > $(TAR_FILE)
 	@echo "Source is ready for release in $(TAR_FILE)"
 
-$(SHA256_FILE): $(TAR_FILE)
-	sha256sum $^ > $@
-
 $(GPG_FILE): $(TAR_FILE)
-	gpg --armor --detach-sign $^
+	sha256sum $(TAR_FILE) | gpg --clear-sign --output $@ -
 
 .PHONY: dist
 dist: $(TAR_FILE)
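Review bot: the recipe `sha256sum $(TAR_FILE) | gpg --clear-sign --output $@ -` runs under make's /bin/sh without pipefail, so a failing sha256sum (missing or unreadable tarball) still lets gpg exit 0 and the rule succeeds with a validly signed but empty $@. Writing the digest to a file first, as the removed $(SHA256_FILE) rule did, and clear-signing that file keeps each step's exit status visible to make and retains the unsigned sums for release-message. Passing the bare filename to sha256sum, as done here, is correct: the signed line must read `notmuch-$VERSION.tar.gz` without a path for the verifier's `sha256sum -c -` to find it.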
@@ -73,11 +70,11 @@ release: verify-source-tree-and-version
 	pristine-tar commit $(DEB_TAR_FILE) $(UPSTREAM_TAG)
 	git tag -s -m "$(PACKAGE) Debian $(VERSION)-1 upload (same as $(VERSION))" $(DEB_TAG)
 	mkdir -p releases
-	mv $(TAR_FILE) $(SHA256_FILE) $(GPG_FILE) releases
+	mv $(TAR_FILE) $(GPG_FILE) releases
 	$(MAKE) VERSION=$(VERSION) release-message > $(PACKAGE)-$(VERSION).announce
 ifeq ($(REALLY_UPLOAD),yes)
 	git push origin $(VERSION) $(DEB_TAG) release pristine-tar
-	cd releases && scp $(TAR_FILE) $(SHA256_FILE) $(GPG_FILE) $(RELEASE_HOST):$(RELEASE_DIR)
+	cd releases && scp $(TAR_FILE) $(GPG_FILE) $(RELEASE_HOST):$(RELEASE_DIR)
 	ssh $(RELEASE_HOST) "rm -f $(RELEASE_DIR)/LATEST-$(PACKAGE)-* ; ln -s $(TAR_FILE) $(RELEASE_DIR)/LATEST-$(TAR_FILE)"
 endif
 	@echo "Please send a release announcement using $(PACKAGE)-$(VERSION).announce as a template."
@@ -117,9 +114,9 @@ release-message:
 	@echo ""
 	@echo "Which can be verified with:"
 	@echo ""
-	@echo "  $(RELEASE_URL)/$(SHA256_FILE)"
+	@echo "  $(RELEASE_URL)/$(GPG_FILE)"
 	@echo -n "  "
-	@cat releases/$(SHA256_FILE)
+	@cat releases/$(GPG_FILE)
 	@echo ""
 	@echo "  $(RELEASE_URL)/$(GPG_FILE)"
 	@echo "  (signed by `getent passwd "$$USER" | cut -d: -f 5 | cut -d, -f 1`)"
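Review bot: the announcement now prints `$(RELEASE_URL)/$(GPG_FILE)` twice (the replaced line and the unchanged `@echo` near the end of the hunk), and `@echo -n "  "` followed by `cat releases/$(GPG_FILE)` was written for a one-line checksum; with a clearsigned file it dumps the whole PGP armour block with only its first line indented. Drop the later duplicate echo, and either restore a plain sha256 line for the `cat` or replace it with the gpgv | sha256sum -c pipeline from the commit message so readers see how to verify.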
-- 
2.20.1
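The verifier-side check the commit message describes, for the step after gpgv has validated the clearsigned text, as an added Python example that is not part of this patch or of the notmuch project: it parses sha256sum-format lines and accepts a digest only when it is bound to the exact tarball name the verifier asked for, so a validly signed checksum of some other release (freeze, rollback, substitution) is rejected. Release names and tarball bytes below are constructed; function names are this example's own.

```python
import hashlib
import re

# One line of `sha256sum` output: 64 hex digits, a space, then either a
# space (text mode) or '*' (binary mode), then the filename. This is the
# same format `sha256sum -c` reads back.
SUM_LINE = re.compile(r"^([0-9a-f]{64}) [ *](\S.*)$")


def parse_sha256sums(signed_text):
    """Parse the signature-verified body (what `gpgv --output -` printed)
    into {filename: hexdigest}. Raises ValueError on any line that is not
    a checksum line, so junk cannot be silently skipped."""
    sums = {}
    for line in signed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUM_LINE.match(line)
        if not m:
            raise ValueError("malformed sha256sum line: %r" % line)
        sums[m.group(2)] = m.group(1)
    return sums


def check_release(signed_text, expected_name, tarball_bytes):
    """Return True only if the signed sums name exactly the tarball the
    verifier requested and that entry matches the bytes it downloaded.
    A signed entry for a different filename is not good enough: that is
    the freeze/rollback case a detached signature alone cannot detect."""
    sums = parse_sha256sums(signed_text)
    if expected_name not in sums:
        return False
    digest = hashlib.sha256(tarball_bytes).hexdigest()
    return sums[expected_name] == digest


def sha256sum_line(name, data):
    """Produce the line `sha256sum <name>` would print for these bytes
    (used here to construct sample signed bodies)."""
    return "%s  %s\n" % (hashlib.sha256(data).hexdigest(), name)
```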
