From: Adam Majer
Organization: SUSE Linux
To: Daniel Kahn Gillmor, David Bremner, Carl Worth, notmuch@notmuchmail.org
Subject: Re: [PATCH] build: sign tarball instead of sha256sum
Date: Fri, 15 Mar 2019 15:18:19 +0100
Message-ID: <679ab32b-74c8-37e7-689a-73dacc9b647f@suse.de>
In-Reply-To: <87r2b8w956.fsf@fifthhorseman.net>

On 3/15/19 2:37 PM, Daniel Kahn Gillmor wrote:
> On Fri 2019-03-15 12:35:55 +0100, Adam Majer wrote:
>> # osc chroot
>> running: sudo chroot /var/tmp/build-root/openSUSE_Tumbleweed-x86_64 su -
>> abuild
>> # gpgv
>> -bash: gpgv: command not found
>
> That's surprising to me, but i'm ignorant about SUSE so you shouldn't be
> surprised at my surprise :P
>
> How does this system cryptographically verify its software updates? or
> is it never updated? or updated "from the outside" or something?

There is a different service that checks for signatures and keyring files that come with a package. This happens at checkin phase or at some review phase (some automated review bot would then verify signature too before allowing to accept it into more important project). Of course, one could just not have any signature then it would just be skipped.

The builds don't check this as once checked in, integrity is handled by OBS and most packages are not signed :( But when you checkout a package, you can at least verify things.

OBS has backend called `signer`[2] that is responsible for signing RPMs and repository files (used by zypper, which is like apt) with a project specific key (you can configure your own key per project).

The nice thing about OBS is that anyone can fork any project and add/update a package, make an image, and use that. Or pick software from various projects and OBS will rebuild things if build dependencies change. It builds Debian packages too [1], Fedora, whatever, although mostly it's used for SUSE/openSUSE projects. This is actually how SUSE makes products based on other products and things remain consistent.

The weakest points of all these verifications are the upstreams. Many have no signatures at all. Clearly, notmuch is not the example here :D

- Adam

[1] https://build.opensuse.org/package/show/home:adamm/Nudoku
[2] https://build.opensuse.org/monitor
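
The check-in-time verification described in the message above, sketched as an added example; it is not part of the original message and not OBS's own code. It pairs each tarball with a detached signature and a keyring shipped in the same directory, then shows the "no signature, so skipped" gap next to a fail-closed option. The function names, the `require_signature` flag and the `.asc`/`.sig`/`*.keyring` file naming are assumptions.

```python
import subprocess
import tempfile
from pathlib import Path

SIG_SUFFIXES = (".asc", ".sig")  # assumed naming for detached signatures


def gpgv_verify(keyring, sig, data):
    """True only if gpgv accepts the detached signature against this keyring."""
    cmd = ["gpgv", "--keyring", str(keyring.resolve()), str(sig), str(data)]
    try:
        return subprocess.run(cmd, capture_output=True).returncode == 0
    except FileNotFoundError:  # gpgv missing, as in the build chroot quoted above
        return False           # fail closed rather than treat "cannot check" as OK


def check_sources(pkg_dir, verify=gpgv_verify, require_signature=False):
    """Map each tarball in pkg_dir to a status string (hypothetical helper)."""
    pkg_dir = Path(pkg_dir)
    keyrings = sorted(pkg_dir.glob("*.keyring"))  # assumed: keyring ships with package
    report = {}
    for src in sorted(pkg_dir.iterdir()):
        if (not src.is_file() or src.suffix in SIG_SUFFIXES
                or ".tar" not in src.suffixes):
            continue  # only upstream tarballs are checked
        sig = next((s for s in (src.with_name(src.name + x) for x in SIG_SUFFIXES)
                    if s.exists()), None)
        if sig is None:
            # The gap the message points out: no signature means no check at all.
            report[src.name] = ("rejected: unsigned" if require_signature
                                else "skipped: unsigned")
        elif not keyrings:
            report[src.name] = "rejected: signature without keyring"
        elif verify(keyrings[0], sig, src):
            report[src.name] = "verified"
        else:
            report[src.name] = "rejected: bad signature"
    return report


if __name__ == "__main__":
    # Constructed sample package: placeholder bytes, not real tarballs or signatures.
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("signed-1.0.tar.xz", "signed-1.0.tar.xz.asc",
                     "unsigned-2.0.tar.gz", "sample.keyring", "sample.spec"):
            (Path(tmp) / name).write_bytes(b"constructed placeholder")
        for name, status in check_sources(tmp).items():
            print(f"{name}: {status}")
```

The `verify` parameter lets a reviewer swap in another checker or a stub; with `require_signature=True` the unsigned tarball is rejected instead of skipped.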