From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from localhost (localhost [127.0.0.1]) by arlo.cworth.org (Postfix) with ESMTP id A5A2E6DE0A7F for ; Fri, 15 Mar 2019 03:49:26 -0700 (PDT) X-Virus-Scanned: Debian amavisd-new at cworth.org X-Spam-Flag: NO X-Spam-Score: -0.014 X-Spam-Level: X-Spam-Status: No, score=-0.014 tagged_above=-999 required=5 tests=[AWL=-0.013, SPF_PASS=-0.001] autolearn=disabled Received: from arlo.cworth.org ([127.0.0.1]) by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 03rfNU0aJa03 for ; Fri, 15 Mar 2019 03:49:25 -0700 (PDT) Received: from fethera.tethera.net (fethera.tethera.net [198.245.60.197]) by arlo.cworth.org (Postfix) with ESMTPS id 27F0A6DE0B64 for ; Fri, 15 Mar 2019 03:49:25 -0700 (PDT) Received: from remotemail by fethera.tethera.net with local (Exim 4.89) (envelope-from ) id 1h4kOr-0005yz-Ra; Fri, 15 Mar 2019 06:49:17 -0400 Received: (nullmailer pid 23172 invoked by uid 1000); Fri, 15 Mar 2019 10:49:16 -0000 From: David Bremner To: Daniel Kahn Gillmor , Adam Majer , Carl Worth , notmuch@notmuchmail.org Subject: Re: [PATCH] build: sign tarball instead of sha256sum In-Reply-To: <87tvg4wm2v.fsf@fifthhorseman.net> References: <87mun16gmm.fsf@wondoo.home.cworth.org> <20190213021703.18412-1-david@tethera.net> <87lg1kcqg8.fsf@tethera.net> <87ftrpgjdb.fsf@fifthhorseman.net> <3bbd5c2e-54b7-dbbd-6065-68ce2c2005fd@suse.de> <87tvg4wm2v.fsf@fifthhorseman.net> Date: Fri, 15 Mar 2019 07:49:16 -0300 Message-ID: <87ftrobefn.fsf@tethera.net> MIME-Version: 1.0 Content-Type: text/plain X-BeenThere: notmuch@notmuchmail.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Use and development of the notmuch mail system." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 Mar 2019 10:49:26 -0000 Daniel Kahn Gillmor writes: > On Fri 2019-03-15 02:53:28 +0100, Adam Majer wrote: >> adding explicit checks would add an extra BuildRequires in the build >> process to pull in gpg, which is excessive. > > It shouldn't require gpg; it should only pull in gpgv, which is already > on the base system, no? And once the "small file" is checked, it would > then require sha256sum (or the equivalent) to verify the tarball itself; > on any modern system, that's likely to be available anyway > (e.g. coreutils' sha256sum or "openssl dgst" or whatever). BTW gpg is needed to run the full test suite. > But you're right that we could distribute a detached signature over the > tarball in addition to the stronger mechanism. that way people who have > other defenses against rollback or version fixation attacks (or who > are willing to take the risk) can check the simpler, weaker mechanism. BTW2: In a sense everyone has other defences since the tar ball contains a file "version" with the version in it. > David, how would you feel about generating two forms of cryptographic > signature per-tarball as an interim process? Yeah, that sounds fine. IIUC, the old .sha256.asc and the "new" .tar.gz.asc?