unofficial mirror of notmuch@notmuchmail.org
 help / color / mirror / code / Atom feed
* Release signatures
@ 2019-02-06 10:48 Adam Majer
  2019-02-10 13:51 ` David Bremner
  0 siblings, 1 reply; 26+ messages in thread
From: Adam Majer @ 2019-02-06 10:48 UTC (permalink / raw)
  To: notmuch

Hello,

The releases are signed in a funny way. The .asc file are not detached
signatures of the checksum, but actually contain it inside the .asc file.

# gpg -v --verify notmuch-0.28.1.tar.gz.sha256.asc
...
gpg: binary signature, digest algorithm SHA256, key algorithm rsa3072
gpg: WARNING: not a detached signature; file
'notmuch-0.28.1.tar.gz.sha256' was NOT verified!

A much better way of signing this would have been as a detached
signature of the tarball itself. Why sign a hash of a hash? ;)


# gpg --detach --sign notmuch-0.28.1.tar.gz
-> notmuch-0.28.1.tar.gz.sig

Then you can verify this is a properly signed binary,

# gpg -v --verify notmuch-0.28.1.tar.gz.sig
gpg: assuming signed data in 'notmuch-0.28.1.tar.gz'
gpg: Signature made Wed 06 Feb 2019 11:37:19 AM CET
gpg:                using RSA key 4BE7C1D3CC65813AF349D42F864508B01B2679CF
gpg: using subkey 864508B01B2679CF instead of primary key E523F220AC8DFBD0
...
gpg: binary signature, digest algorithm SHA512, key algorithm rsa3904

The digest algorithm is from the key preferences, which you can change.
You can also specify it as --digest-algo option, if you prefer.

Best regards,
- Adam

PS. I'm not on the list. Please cc me if you would like any response ;)

^ permalink raw reply	[flat|nested] 26+ messages in thread

end of thread, other threads:[~2019-03-27 21:02 UTC | newest]

Thread overview: 26+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-02-06 10:48 Release signatures Adam Majer
2019-02-10 13:51 ` David Bremner
2019-02-11 23:37   ` Carl Worth
2019-02-13  2:17     ` [PATCH] build: sign tarball instead of sha256sum David Bremner
2019-03-12 10:55       ` David Bremner
2019-03-14 22:51         ` Daniel Kahn Gillmor
2019-03-15  1:49           ` David Bremner
2019-03-15  8:48             ` Daniel Kahn Gillmor
2019-03-15  1:53           ` Adam Majer
2019-03-15  8:58             ` Daniel Kahn Gillmor
2019-03-15 10:49               ` David Bremner
2019-03-15 13:47                 ` Daniel Kahn Gillmor
2019-03-15 13:56                   ` David Bremner
2019-03-15 14:50                     ` Daniel Kahn Gillmor
2019-03-15 14:30                   ` Adam Majer
2019-03-15 16:48                     ` Daniel Kahn Gillmor
2019-03-23 11:21                   ` [PATCH] build: distribute signed sha256sums Daniel Kahn Gillmor
2019-03-23 12:35                     ` [PATCH v2 1/3] build: ensure that SHA256_FILE is built Daniel Kahn Gillmor
2019-03-23 12:35                       ` [PATCH v2 2/3] build: distribute signed sha256sums Daniel Kahn Gillmor
2019-03-23 12:35                       ` [PATCH v2 3/3] build: Rename GPG_FILE to DETACHED_SIG_FILE Daniel Kahn Gillmor
2019-03-27 21:02                       ` [PATCH v2 1/3] build: ensure that SHA256_FILE is built David Bremner
2019-03-15 11:35               ` [PATCH] build: sign tarball instead of sha256sum Adam Majer
2019-03-15 13:37                 ` Daniel Kahn Gillmor
2019-03-15 14:18                   ` Adam Majer
2019-03-15 13:50                 ` David Bremner
2019-03-15 15:35                   ` Daniel Kahn Gillmor

Code repositories for project(s) associated with this public inbox

	https://yhetil.org/notmuch.git/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).