Re: [PATCH] build: sign tarball instead of sha256sum

[Adam Majer <amajer@suse.de>]

On 3/15/19 9:58 AM, Daniel Kahn Gillmor wrote:
> On Fri 2019-03-15 02:53:28 +0100, Adam Majer wrote:
>> adding explicit checks would add an extra BuildRequires in the build
>> process to pull in gpg, which is excessive.
> 
> It shouldn't require gpg; it should only pull in gpgv, which is already
> on the base system, no?  And once the "small file" is checked, it would
> then require sha256sum (or the equivalent) to verify the tarball itself;
> on any modern system, that's likely to be available anyway
> (e.g. coreutils' sha256sum  or "openssl dgst" or whatever).

# osc chroot
running: sudo chroot /var/tmp/build-root/openSUSE_Tumbleweed-x86_64 su - 
abuild
# gpgv
-bash: gpgv: command not found

With openSUSE, the closest thing to a base system for building would be 
in this log,

https://build.opensuse.org/build/home:adamm:boost_test/openSUSE_Tumbleweed/x86_64/boost-defaults/_log

Since this is just a dependency package, it has no BuildRequires. The 
base system is just what is needed to run rpm, rpmlint, etc. so 122 
packages. No gpgv or gpg or python or ruby. Only gcc, perl, rpm.


>> Instead of reverting, how about distributing the .asc file and an
>> inline signed checksum file?
> 
> The checksum file (*.sha256.asc) that is distributed by notmuch is
> already inline-signed (please read my proposed verification step
> upthread), so that part's done.  (notmuch does *also* ship an unsigned
> *.sha256 file, which i agree doesn't serve much purpose and could be
> dropped)

Sorry, I meant clear signed and inline. The checksum file could just be 
*.sha256 and be itself clear signed. Then people see as a checksum file 
and when they look inside, they see it as signed. There is no reason to 
have the checksum file encoded.

The (my?) expectation is that a *.asc file is a detached signature. 
That's why GPG is warning when it is not a detached signature. But I can 
live with .sha256.asc if there is no .sha256 ;)

- Adam