Subject: Re: [PATCH] build: sign tarball instead of sha256sum
From: Adam Majer <amajer@suse.de>
To: Daniel Kahn Gillmor, David Bremner, Carl Worth, notmuch@notmuchmail.org
Date: Fri, 15 Mar 2019 02:53:28 +0100
Message-ID: <3bbd5c2e-54b7-dbbd-6065-68ce2c2005fd@suse.de>
In-Reply-To: <87ftrpgjdb.fsf@fifthhorseman.net>
References: <87mun16gmm.fsf@wondoo.home.cworth.org> <20190213021703.18412-1-david@tethera.net> <87lg1kcqg8.fsf@tethera.net> <87ftrpgjdb.fsf@fifthhorseman.net>
List: notmuch@notmuchmail.org ("Use and development of the notmuch mail system.")

On 2019-03-14 11:51 p.m., Daniel Kahn Gillmor wrote:
> Sorry to only be getting to this now. I think the original mechanism,
> despite being non-standard, is actually a more robust approach, so I
> recommend reverting this change.
>
> A detached signature on object X does *not* cover the name of object X.
>
> So for some existing version Y of notmuch, if an attacker takes
> notmuch-Y.tgz and notmuch-Y.tgz.asc and renames them both to
> notmuch-Z.tgz and notmuch-Z.tgz.asc, they can make it look like a new
> version (version Z) of notmuch is available!

In all other software I've encountered, the tarball is signed. This semantic allows for automated checks by our Open Build Server instance to make sure there is no file system corruption or other modification. If something else is signed, like the sha256, then only that small file is checked. In this case, adding explicit checks would add an extra BuildRequires in the build process to pull in gpg, which is excessive.

Instead of reverting, how about distributing the .asc file and an inline-signed checksum file? Then you have both signed.
Just sign the .sha256 inline; sha256 will verify, and at least it will not look like a detached signature. And `sha256 -c` on the signed file directly will also work.

    sha256sum notmuch-0.28.3.tar.gz | gpg --clearsign -a - > notmuch-0.28.3.tar.gz.sha256
    gpg -b -a notmuch-0.28.3.tar.gz

And then you have a signed sha256 for people who want to check that. And you have a detached signature for people who want to use that. And no need to have funny-looking unsigned intermediaries and detached-looking signatures that really aren't.

- Adam
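The two points argued in this thread, the rename attack against a detached .asc and the name-binding you get from a clear-signed sha256sum line, as an added, runnable example. This is not notmuch project code and not a command sequence from the thread; it assumes gpg 2.1 or later (for --pinentry-mode loopback and --quick-generate-key), gpgconf, coreutils sha256sum and tar, and it generates a throwaway key in a temporary GNUPGHOME. The package name pkg-1.0.tar.gz, the "new version" pkg-2.0.tar.gz and the file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example for this thread; it is not notmuch project code. It shows the
# rename attack Daniel describes against a detached .asc, and why a clear-signed
# sha256sum line (Adam's proposal) catches it. Assumes gpg 2.1+, gpgconf,
# coreutils sha256sum and tar. Key, package name and contents are made up.
set -eu

have_tools() {
    for t in gpg gpgconf sha256sum tar; do
        command -v "$t" >/dev/null 2>&1 || return 1
    done
}

WORK=$(mktemp -d)
RELEASE="$WORK/release"   # what the maintainer publishes
MIRROR="$WORK/mirror"     # what an attacker re-serves as a "new version"
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
mkdir -p "$RELEASE" "$MIRROR"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# gpg in batch mode with an empty passphrase (throwaway demo key only).
gpgb() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

prepare_release() {
    gpgb --quick-generate-key 'Demo Release Key <release@example.invalid>' ed25519 sign 0
    mkdir -p "$WORK/src"
    printf 'int main(void) { return 0; }\n' > "$WORK/src/main.c"
    tar -C "$WORK" -czf "$RELEASE/pkg-1.0.tar.gz" src
    # Route 1: detached signature; covers the tarball bytes, not its name.
    (cd "$RELEASE" && gpgb --armor --detach-sign pkg-1.0.tar.gz)
    # Route 2: clear-signed checksum; the signed text contains the file name.
    (cd "$RELEASE" && sha256sum pkg-1.0.tar.gz | gpgb --clearsign > pkg-1.0.tar.gz.sha256)
}

attacker_mirror() {
    # The attacker changes nothing but the names.
    cp "$RELEASE/pkg-1.0.tar.gz"        "$MIRROR/pkg-2.0.tar.gz"
    cp "$RELEASE/pkg-1.0.tar.gz.asc"    "$MIRROR/pkg-2.0.tar.gz.asc"
    cp "$RELEASE/pkg-1.0.tar.gz.sha256" "$MIRROR/pkg-2.0.tar.gz.sha256"
}

# 0 if the detached signature verifies the renamed tarball (it does: the
# bytes are unchanged and the name is not part of what was signed).
detached_sig_accepts_renamed() {
    (cd "$MIRROR" && gpgb --verify pkg-2.0.tar.gz.asc pkg-2.0.tar.gz) >/dev/null 2>&1
}

# 0 if the honest release passes: good signature, then sha256sum -c run on
# the clear-signed file itself (it warns about the armor lines but checks
# the one checksum line; with --strict the armor would have to be stripped).
checksum_route_accepts_honest() {
    (cd "$RELEASE" && gpgb --verify pkg-1.0.tar.gz.sha256 \
        && sha256sum -c pkg-1.0.tar.gz.sha256) >/dev/null 2>&1
}

# 0 if the renamed release is rejected: the signature is still good, but the
# signed line names pkg-1.0.tar.gz, which the mirror does not serve.
checksum_route_rejects_renamed() {
    (cd "$MIRROR" && gpgb --verify pkg-2.0.tar.gz.sha256) >/dev/null 2>&1 || return 1
    if (cd "$MIRROR" && sha256sum -c pkg-2.0.tar.gz.sha256) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

if have_tools; then
    prepare_release
    attacker_mirror
    if detached_sig_accepts_renamed; then
        echo "detached .asc: renamed tarball still verifies as pkg-2.0"
    fi
    if checksum_route_accepts_honest && checksum_route_rejects_renamed; then
        echo "clear-signed sha256sum: honest release passes, renamed one fails"
    fi
else
    echo "skipping: needs gpg, gpgconf, sha256sum and tar" >&2
fi
```

Two things the script leaves to the consumer, because the thread does: the verifier must still decide whether the key that produced the "Good signature" is the release key it expects, and the two checks have to run in the order shown (signature first, then `sha256sum -c`), since a mismatch reported by sha256sum alone says nothing about who wrote the checksum line. The direct `sha256sum -c` on the clear-signed file relies on coreutils treating the armor lines as improperly formatted and only warning; if you run with `--strict`, extract the signed text with `gpg --decrypt` first and feed that to `sha256sum -c`.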