From: Daniel Kahn Gillmor
To: Notmuch Mail
Subject: [PATCH v2 2/3] build: distribute signed sha256sums
Date: Sat, 23 Mar 2019 13:35:43 +0100
Message-Id: <20190323123544.6264-2-dkg@fifthhorseman.net>
In-Reply-To: <20190323123544.6264-1-dkg@fifthhorseman.net>
References: <20190323112118.4022-1-dkg@fifthhorseman.net> <20190323123544.6264-1-dkg@fifthhorseman.net>

Distribute clearsigned sha256sum file in addition to the detached
signature.  Verifiers that use the sha256sum ensure that the thing
signed includes the name of the tarball.

This defends the verifier by default against a freeze, rollback, or
project substitution attack.

A verifier can use something like the following (as expressed in
bash):

    set -o pipefail
    wget https://notmuchmail.org/releases/notmuch-$VERSION.tar.gz{,.sha256.asc}
    gpgv --keyring ./notmuch-signers.pgp --output - notmuch-$VERSION.tar.gz.sha256.asc | sha256sum -c -

See id:87r2b8w956.fsf@fifthhorseman.net and other messages in that
thread for discussion.

Signed-off-by: Daniel Kahn Gillmor
--- Makefile.global | 2 +- Makefile.local | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile.global b/Makefile.global index 6e17494a..27c82433 100644 --- a/Makefile.global +++ b/Makefile.global 
@@ -43,7 +43,7 @@ RELEASE_URL=https://notmuchmail.org/releases TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz -SHA256_FILE=$(TAR_FILE).sha256 +SHA256_FILE=$(TAR_FILE).sha256.asc GPG_FILE=$(TAR_FILE).asc PV_FILE=bindings/python/notmuch/version.py diff --git a/Makefile.local b/Makefile.local index 8535844a..eb599565 100644 --- a/Makefile.local +++ b/Makefile.local @@ -40,7 +40,7 @@ $(TAR_FILE): @echo "Source is ready for release in $(TAR_FILE)" $(SHA256_FILE): $(TAR_FILE) - sha256sum $^ > $@ + sha256sum $^ | gpg --clear-sign --output $@ - $(GPG_FILE): $(TAR_FILE) gpg --armor --detach-sign $^ -- 2.20.1
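Review bot: In the Makefile.global hunk, SHA256_FILE keeps its name but now points at a clearsigned file ($(TAR_FILE).sha256.asc), so the plain $(TAR_FILE).sha256 is no longer produced, and the new name sits next to GPG_FILE=$(TAR_FILE).asc, where the two .asc artifacts are easy to confuse. Nothing in the visible lines updates other users of $(SHA256_FILE) or any release documentation, so it is worth checking that no consumer still expects a bare sha256sum list under the old name, and adding a comment on this line that the file is clearsigned text that must pass through gpgv before sha256sum -c.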
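Review bot: In the Makefile.local hunk, the new recipe line "sha256sum $^ | gpg --clear-sign --output $@ -" takes its exit status from gpg alone, because make runs recipes with a shell that has no pipefail set. If sha256sum fails, gpg can still sign an empty input and leave a validly signed but empty $(SHA256_FILE) in place. The commit message asks verifiers to use "set -o pipefail", and the signing side deserves the same care: either write the sums to a temporary file and sign that in a second step joined with &&, or set pipefail for this recipe. Since the output name is passed explicitly with --output, also confirm how gpg behaves when $@ already exists on a rebuild.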
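The verification pipeline in the commit message relies on `sha256sum -c` looking up whatever file name the signed list contains. As an added example (not part of the patch or of notmuch, and assuming a coreutils-style `sha256sum`), this POSIX shell function makes the name check explicit, so a validly signed sum file replayed from another release is refused even when that older tarball is still in the directory; `check_signed_sum`, `demo` and the `notmuch-OLD`/`notmuch-NEW` file names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the patch. SUMS is text that gpgv has already
# verified (its "--output -" stream). File names below are constructed.

# check_signed_sum SUMS EXPECTED_NAME [DIR]
# Succeeds only if SUMS has exactly one entry, the entry names EXPECTED_NAME,
# and DIR/EXPECTED_NAME hashes to the signed digest.
check_signed_sum() (
    sums=$1 expected=$2 dir=${3:-.}
    count=$(printf '%s\n' "$sums" | grep -c . || true)
    [ "$count" -eq 1 ] || { echo "want 1 entry, got $count" >&2; return 1; }
    line=$(printf '%s\n' "$sums" | grep .)

    # Entry format: 64 hex digits, then "  name" (text) or " *name" (binary).
    digest=${line%% *}
    rest=${line#"$digest"}
    case $digest in *[!0-9a-f]*) echo "bad digest" >&2; return 1 ;; esac
    [ "${#digest}" -eq 64 ] || { echo "bad digest length" >&2; return 1; }
    case $rest in
        "  "*) name=${rest#"  "} ;;
        " *"*) name=${rest#" *"} ;;
        *) echo "malformed entry" >&2; return 1 ;;
    esac

    # The name is inside the signed text, so a sum file replayed from another
    # release names another tarball and is refused here.
    [ "$name" = "$expected" ] || { echo "signed for '$name'" >&2; return 1; }
    [ -f "$dir/$expected" ] || { echo "missing $dir/$expected" >&2; return 1; }
    actual=$(sha256sum < "$dir/$expected")
    [ "${actual%% *}" = "$digest" ] || { echo "digest mismatch" >&2; return 1; }
)

# Constructed scenario: the old tarball is still in the directory and the
# signed sum file served for NEW is really the one made for OLD.
demo() (
    d=$(mktemp -d) && cd "$d" || return 1
    echo old > notmuch-OLD.tar.gz
    echo new > notmuch-NEW.tar.gz
    replayed=$(sha256sum notmuch-OLD.tar.gz)
    plain=rejected strict=rejected
    printf '%s\n' "$replayed" | sha256sum -c - >/dev/null 2>&1 && plain=accepted
    check_signed_sum "$replayed" notmuch-NEW.tar.gz 2>/dev/null && strict=accepted
    cd / && rm -rf "$d"
    echo "plain=$plain strict=$strict"
)
demo
```

In a real run the first argument would be the captured output of the `gpgv ... --output -` command from the commit message, checked only after gpgv has exited successfully.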