From: Daniel Kahn Gillmor
To: Adam Majer, David Bremner, Carl Worth, notmuch@notmuchmail.org
Subject: Re: [PATCH] build: sign tarball instead of sha256sum
In-Reply-To: <8d74a186-ab58-ea1b-1c42-4112f617b1cb@suse.de>
Date: Fri, 15 Mar 2019 12:48:21 -0400
Message-ID: <87d0msw0bu.fsf@fifthhorseman.net>

On Fri 2019-03-15 15:30:56 +0100, Adam Majer wrote:
> The .spec file has (I added some comments here)
>
> Name: nodejs10
> Version: 10.15.3
> Source: https://nodejs.org/dist/v%{version}/node-v%{version}.tar.xz
> Source1: https://nodejs.org/dist/v%{version}/SHASUMS256.txt
> Source2: https://nodejs.org/dist/v%{version}/SHASUMS256.txt.sig
> Source3: nodejs.keyring

interesting -- i note that the thing signed here is actually a checksum
file, and not the tarball itself. Please use this technique for notmuch
too! does this mean that you don't need the detached tarball signature? :)

> The .sig is verified vs. nodejs.keyring on checkin. And for build, the
> %prep phase in start of the build has,
>
> # this checks the checksum
> echo "`grep node-v%{version}.tar.xz %{S:1} | head -n1 | cut -c1-64` %{S:0}" | sha256sum -c

(i think this was line-wrapped; i unwrapped it and i hope i got the
whitespace right)

this is interesting! I'd want to tighten up the grep a bit, and drop the
head -n1 (seems like it means "cross your fingers and hope we got the
right one", which is not great for signature verification), and it's not
clear that you need to rebuild the line itself. If you've already
verified SHASUMS256.txt.sig, why not just:

    grep -E '^[0-9a-f]{64} [ *]node-v%{version}\.tar\.xz$' %{S:1} | sha256sum -c

(this still doesn't properly escape regex metacharacters like . in
%{version}, but it's a much tighter match than the earlier line.)

> # this unpacks the tarball Source0 and changes to directory
> # node-v%{version}
> %setup -q -n node-v%{version}
>
> The build would break if the directory has a different name.

i'm assuming that this is done starting from an empty directory by
default -- otherwise it could misbehave if there was cruft leftover from
some other unpacking.

> The build would break if checksum is wrong, but that has explicit
> verification. And build would not even be attempted if *.sig wasn't
> signed by a key in the *.keyring file.

nice, this is very good. it looks like OBS is checking:

 * cryptographic signature over the tarball name (which includes package
   and version)
 * that the tarball contains a directory named with the package and
   version

that's a robust check, and it looks good.

> Not only that, because the SourceX is a URL, distributions like
> Tumbleweed that accept lots of submissions have an automated bot that
> will download these files and compare them to what was submitted. If
> these differ, it will reject. This actually caught the NodeJS project
> adding ARM binaries to their release after release and re-issuing the
> checksums. Not malicious, just annoying (for me :)

It's great that you caught this! Does tumbleweed have a "wall of shame"
for "re-released" software? I'd love to know the history of what it has
caught. I'm sure most are "legitimate" mistakes. But hiding in the noise
could be some real malfeasance (which is why it'd be good to get rid of
the noise).

At this point, we're pretty far afield from notmuch -- if others are
annoyed, i'm happy to take the discussion to private mail or some other
mailing list if folks would prefer it.

        --dkg
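A shell version of the tightened check sketched in the reply above, as an added example that is not code from this thread or from the nodejs10 .spec: it picks the SHASUMS256.txt line by comparing the filename field literally (so nothing in %{version} needs regex escaping), insists on exactly one match instead of `head -n1`, and assumes the detached signature over SHASUMS256.txt has already been verified against the pinned keyring.

```shell
#!/bin/sh
# Added example, not code from the notmuch thread or from the nodejs10 .spec.
# Verifies a tarball against a SHASUMS256.txt-style file using an exact
# filename match. Assumes the .sig over that file was already checked
# (e.g. gpg --verify against a pinned keyring, as OBS does on checkin).
set -eu

# Portable SHA-256 helpers: GNU coreutils first, Perl shasum as a fallback.
sha256_of()    { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -c1-64; }
sha256_check() { if command -v sha256sum >/dev/null 2>&1; then sha256sum -c --quiet; else shasum -a 256 -c >/dev/null; fi; }

# select_line SUMS_FILE FILENAME
# Prints the one line "<64 hex> [ *]FILENAME" and succeeds only if exactly
# one such line exists. The name is compared as a literal string, so regex
# metacharacters in the version (or the name) need no escaping.
select_line() {
    awk -v name="$2" '
        length($0) > 66 && substr($0, 1, 64) ~ /^[0-9a-f]+$/ &&
        substr($0, 65, 1) == " " && index(" *", substr($0, 66, 1)) &&
        substr($0, 67) == name { print; n++ }
        END { exit n != 1 }' "$1"
}

# The original loose selection from the .spec (substring grep, first hit
# wins), kept only to contrast with select_line.
loose_line() { grep "$2" "$1" | head -n1; }

# verify_tarball SUMS_FILE TARBALL_PATH
# Succeeds only when the selected checksum line matches the file's digest.
verify_tarball() {
    line=$(select_line "$1" "$(basename "$2")") || return 1
    (cd "$(dirname "$2")" && printf '%s\n' "$line" | sha256_check)
}
```

Run it as `verify_tarball SHASUMS256.txt node-v10.15.3.tar.xz` from the %prep directory; a second entry for the same name, a missing entry, or a digest mismatch all fail the build.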