From: Daniel Kahn Gillmor
To: Notmuch Mail
Subject: [PATCH] build: distribute signed sha256sums
Date: Sat, 23 Mar 2019 12:21:18 +0100
Message-Id: <20190323112118.4022-1-dkg@fifthhorseman.net>
In-Reply-To: <87o96cw8pb.fsf@fifthhorseman.net>
References: <87o96cw8pb.fsf@fifthhorseman.net>

Distribute clearsigned sha256sum file instead of a detached signature.
This ensures that the thing signed includes the name of the tarball,
which defends the verifier by default against a freeze, rollback, or
project substitution attack.

A verifier can use something like the following (as expressed in
bash):

    set -o pipefail
    wget https://notmuchmail.org/releases/notmuch-$VERSION.tar.gz{,.sha256.asc}
    gpgv --keyring ./notmuch-signers.pgp --output - notmuch-$VERSION.tar.gz.sha256.asc | sha256sum -c -

See id:87r2b8w956.fsf@fifthhorseman.net and other messages in that
thread for discussion.

Signed-off-by: Daniel Kahn Gillmor
--- Makefile.global | 3 +-- Makefile.local | 13 +++++-------- 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/Makefile.global b/Makefile.global index 6e17494a..11fd0cee 100644 --- a/Makefile.global +++ b/Makefile.global 
@@ -43,8 +43,7 @@ RELEASE_URL=https://notmuchmail.org/releases TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz -SHA256_FILE=$(TAR_FILE).sha256 -GPG_FILE=$(TAR_FILE).asc +GPG_FILE=$(TAR_FILE).sha256.asc PV_FILE=bindings/python/notmuch/version.py diff --git a/Makefile.local b/Makefile.local index 01ba49cc..48ef40e4 100644 --- a/Makefile.local +++ b/Makefile.local @@ -39,11 +39,8 @@ $(TAR_FILE): gzip -n < $(TAR_FILE).tmp > $(TAR_FILE) @echo "Source is ready for release in $(TAR_FILE)" -$(SHA256_FILE): $(TAR_FILE) - sha256sum $^ > $@ - $(GPG_FILE): $(TAR_FILE) - gpg --armor --detach-sign $^ + sha256sum $(TAR_FILE) | gpg --clear-sign --output $@ - .PHONY: dist dist: $(TAR_FILE) @@ -73,11 +70,11 @@ release: verify-source-tree-and-version pristine-tar commit $(DEB_TAR_FILE) $(UPSTREAM_TAG) git tag -s -m "$(PACKAGE) Debian $(VERSION)-1 upload (same as $(VERSION))" $(DEB_TAG) mkdir -p releases - mv $(TAR_FILE) $(SHA256_FILE) $(GPG_FILE) releases + mv $(TAR_FILE) $(GPG_FILE) releases $(MAKE) VERSION=$(VERSION) release-message > $(PACKAGE)-$(VERSION).announce ifeq ($(REALLY_UPLOAD),yes) git push origin $(VERSION) $(DEB_TAG) release pristine-tar - cd releases && scp $(TAR_FILE) $(SHA256_FILE) $(GPG_FILE) $(RELEASE_HOST):$(RELEASE_DIR) + cd releases && scp $(TAR_FILE) $(GPG_FILE) $(RELEASE_HOST):$(RELEASE_DIR) ssh $(RELEASE_HOST) "rm -f $(RELEASE_DIR)/LATEST-$(PACKAGE)-* ; ln -s $(TAR_FILE) $(RELEASE_DIR)/LATEST-$(TAR_FILE)" endif @echo "Please send a release announcement using $(PACKAGE)-$(VERSION).announce as a template." @@ -117,9 +114,9 @@ release-message: @echo "" @echo "Which can be verified with:" @echo "" - @echo " $(RELEASE_URL)/$(SHA256_FILE)" + @echo " $(RELEASE_URL)/$(GPG_FILE)" @echo -n " " - @cat releases/$(SHA256_FILE) + @cat releases/$(GPG_FILE) @echo "" @echo " $(RELEASE_URL)/$(GPG_FILE)" @echo " (signed by `getent passwd "$$USER" | cut -d: -f 5 | cut -d, -f 1`)" -- 2.20.1
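Review bot: In the Makefile.local `$(GPG_FILE)` rule, `sha256sum $(TAR_FILE) | gpg --clear-sign --output $@ -` runs as a plain sh pipeline, so the recipe's exit status is gpg's alone and a failing sha256sum would leave gpg clearsigning empty or partial input without make noticing. Consider writing the checksum to a temporary file first and signing that file, or otherwise checking sha256sum's status before gpg runs, so that a release cannot ship a validly signed but empty checksum list.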
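Review bot: In the release-message hunk, the first changed line now prints `$(RELEASE_URL)/$(GPG_FILE)` and the unchanged context line below it prints the same URL again, so the announcement lists one file twice. `@cat releases/$(GPG_FILE)` also now emits the whole multi-line clearsigned block where a single checksum line used to go, and the preceding `@echo -n " "` indents only its first line. Suggest dropping the duplicate URL line while keeping the "signed by" line, and either indenting the whole block or printing the verification command from the commit message in its place.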
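An added example, not part of the patch or of the notmuch project: `sha256sum -c -` checks whichever file the signed text names, so a verifier script can make the filename binding described in the commit message explicit by comparing the signed name with the release it asked for before comparing digests. `check_signed_sums` is a hypothetical helper name; it expects text that has already passed signature verification (for instance the output of `gpgv --output -`) on stdin.

```shell
#!/bin/sh
# Added example; check_signed_sums is a hypothetical helper, not notmuch code.
# stdin: sha256sum text whose signature has ALREADY been verified.
# $1:    the tarball name the caller intended to download.
check_signed_sums() {
    expected=$1
    sums=$(cat)

    # Exactly one entry: extra lines could point the check at another file.
    lines=$(printf '%s\n' "$sums" | wc -l)
    [ "$lines" -eq 1 ] || { echo "expected one entry, got $lines" >&2; return 1; }

    # sha256sum format: 64 hex digits, a space, ' ' or '*', then the name.
    digest=${sums%% *}
    case $digest in
        *[!0-9a-f]*|'') echo "malformed digest" >&2; return 1 ;;
    esac
    [ "${#digest}" -eq 64 ] || { echo "malformed digest" >&2; return 1; }

    name=${sums#"$digest"}
    name=${name#?}   # separator space
    name=${name#?}   # text (' ') or binary ('*') mode flag

    # The signed name must be the release that was requested...
    [ "$name" = "$expected" ] || {
        echo "signed text names '$name', wanted '$expected'" >&2
        return 1
    }
    # ...and only then is the digest compared against the local file.
    printf '%s\n' "$sums" | sha256sum -c - >/dev/null
}
```

In the commit message's pipeline this would take the place of the final `sha256sum -c -`, as in `gpgv ... --output - "$f.sha256.asc" | check_signed_sums "$f"`.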