From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from localhost (localhost [127.0.0.1]) by arlo.cworth.org (Postfix) with ESMTP id D635B6DE0B72 for ; Fri, 15 Mar 2019 04:36:01 -0700 (PDT) X-Virus-Scanned: Debian amavisd-new at cworth.org X-Spam-Flag: NO X-Spam-Score: -2.551 X-Spam-Level: X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[AWL=-0.250, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=disabled Received: from arlo.cworth.org ([127.0.0.1]) by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id plvEAYK0XQMo for ; Fri, 15 Mar 2019 04:35:59 -0700 (PDT) Received: from mx1.suse.de (mx2.suse.de [195.135.220.15]) by arlo.cworth.org (Postfix) with ESMTPS id 6C6616DE0B36 for ; Fri, 15 Mar 2019 04:35:59 -0700 (PDT) X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id AE3D1AF6E; Fri, 15 Mar 2019 11:35:56 +0000 (UTC) Subject: Re: [PATCH] build: sign tarball instead of sha256sum To: Daniel Kahn Gillmor , David Bremner , Carl Worth , notmuch@notmuchmail.org References: <87mun16gmm.fsf@wondoo.home.cworth.org> <20190213021703.18412-1-david@tethera.net> <87lg1kcqg8.fsf@tethera.net> <87ftrpgjdb.fsf@fifthhorseman.net> <3bbd5c2e-54b7-dbbd-6065-68ce2c2005fd@suse.de> <87tvg4wm2v.fsf@fifthhorseman.net> From: Adam Majer Organization: SUSE Linux Message-ID: <4e447225-0b1e-5142-20fc-492a35e2f314@suse.de> Date: Fri, 15 Mar 2019 12:35:55 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1 MIME-Version: 1.0 In-Reply-To: <87tvg4wm2v.fsf@fifthhorseman.net> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Sat, 16 Mar 2019 06:19:39 -0700 X-BeenThere: notmuch@notmuchmail.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Use and development of the notmuch mail system." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 Mar 2019 11:36:01 -0000 On 3/15/19 9:58 AM, Daniel Kahn Gillmor wrote: > On Fri 2019-03-15 02:53:28 +0100, Adam Majer wrote: >> adding explicit checks would add an extra BuildRequires in the build >> process to pull in gpg, which is excessive. > > It shouldn't require gpg; it should only pull in gpgv, which is already > on the base system, no? And once the "small file" is checked, it would > then require sha256sum (or the equivalent) to verify the tarball itself; > on any modern system, that's likely to be available anyway > (e.g. coreutils' sha256sum or "openssl dgst" or whatever). # osc chroot running: sudo chroot /var/tmp/build-root/openSUSE_Tumbleweed-x86_64 su - abuild # gpgv -bash: gpgv: command not found With openSUSE, the closest thing to a base system for building would be in this log, https://build.opensuse.org/build/home:adamm:boost_test/openSUSE_Tumbleweed/x86_64/boost-defaults/_log Since this is just a dependency package, it has no BuildRequires. The base system is just what is needed to run rpm, rpmlint, etc. so 122 packages. No gpgv or gpg or python or ruby. Only gcc, perl, rpm. >> Instead of reverting, how about distributing the .asc file and an >> inline signed checksum file? > > The checksum file (*.sha256.asc) that is distributed by notmuch is > already inline-signed (please read my proposed verification step > upthread), so that part's done. (notmuch does *also* ship an unsigned > *.sha256 file, which i agree doesn't serve much purpose and could be > dropped) Sorry, I meant clear signed and inline. The checksum file could just be *.sha256 and be itself clear signed. Then people see as a checksum file and when they look inside, they see it as signed. There is no reason to have the checksum file encoded. The (my?) expectation is that a *.asc file is a detached signature. That's why GPG is warning when it is not a detached signature. But I can live with .sha256.asc if there is no .sha256 ;) - Adam