From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from localhost (localhost [127.0.0.1]) by arlo.cworth.org (Postfix) with ESMTP id 8419C6DE0EB8 for ; Fri, 15 Mar 2019 06:49:05 -0700 (PDT) X-Virus-Scanned: Debian amavisd-new at cworth.org X-Spam-Flag: NO X-Spam-Score: -0.139 X-Spam-Level: X-Spam-Status: No, score=-0.139 tagged_above=-999 required=5 tests=[AWL=0.062, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=disabled Received: from arlo.cworth.org ([127.0.0.1]) by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id id0pcLURYLAg for ; Fri, 15 Mar 2019 06:49:05 -0700 (PDT) Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) by arlo.cworth.org (Postfix) with ESMTPS id 209446DE0ED6 for ; Fri, 15 Mar 2019 06:49:03 -0700 (PDT) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1552657741; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=WTPmYVPqkmfCGNCTOOzrj8shAN/lUMUeSnMtPcP1m18=; b=28Bm5BmV4kydoao+T5MRmATl0b7TcKQaqGJrJXzChYolejQ/r6OH8mzU NEx1jeyuLFsME3UB+hfkv5N+K0EcDA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1552657741; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=WTPmYVPqkmfCGNCTOOzrj8shAN/lUMUeSnMtPcP1m18=; b=uQ7f7r6twkEjxQQJ1ObcZk8dls3wU8nRVOoALa1Dy4xAkr7dl5lcyVJR mwMeRs10a9FLtpubDY/gjzMneLh8RLtEmx9JjcdTVFtElC70QSDqKPXLT+ BE6qxqSMGrgFHsXQQr+zQ7o8rJXTVwm2GM20mCplK3InfMDuCHnHfaJbGD gyEQk0KwVLx0btDB0RMdi2NyDOPQP657C78UBY3LbLAB+CiCrL5GTGtiIm 7nnco9lxapZXHleUVPJIW9U3+j8QgCRv0zPa6nbnMxHLQzFpzlAw2sSyui LKUxBdzZlQLuZNwUWkvDJyBI/P91pI369m67smkcZNGhgMs4iJM9BQ== Received: from fifthhorseman.net (unknown [38.109.115.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 2C6EFF99E; Fri, 15 Mar 2019 09:49:00 -0400 (EDT) Received: by fifthhorseman.net (Postfix, from userid 1000) id E9B842055A; Fri, 15 Mar 2019 09:47:28 -0400 (EDT) From: Daniel Kahn Gillmor To: David Bremner , Adam Majer , Carl Worth , notmuch@notmuchmail.org Subject: Re: [PATCH] build: sign tarball instead of sha256sum In-Reply-To: <87ftrobefn.fsf@tethera.net> References: <87mun16gmm.fsf@wondoo.home.cworth.org> <20190213021703.18412-1-david@tethera.net> <87lg1kcqg8.fsf@tethera.net> <87ftrpgjdb.fsf@fifthhorseman.net> <3bbd5c2e-54b7-dbbd-6065-68ce2c2005fd@suse.de> <87tvg4wm2v.fsf@fifthhorseman.net> <87ftrobefn.fsf@tethera.net> Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEXEK/AhYJKwYBBAHaRw8BAQdAr/gSROcn+6m8ijTN0DV9AahoHGafy52RRkhCZVwxhEe0K0Rh bmllbCBLYWhuIEdpbGxtb3IgPGRrZ0BmaWZ0aGhvcnNlbWFuLm5ldD6ImQQTFggAQQIbAQUJA8Jn AAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBMS8Lds4zOlkhevpwvIGkReQOOXGBQJcQsbzAhkB AAoJEPIGkReQOOXG4fkBAO1joRxqAZY57PjdzGieXLpluk9RkWa3ufkt3YUVEpH/AP9c+pgIxtyW +FwMQRjlqljuj8amdN4zuEqaCy4hhz/1DbgzBFxCv4sWCSsGAQQB2kcPAQEHQERSZxSPmgtdw6nN u7uxY7bzb9TnPrGAOp9kClBLRwGfiPUEGBYIACYWIQTEvC3bOMzpZIXr6cLyBpEXkDjlxgUCXEK/ iwIbAgUJAeEzgACBCRDyBpEXkDjlxnYgBBkWCAAdFiEEyQ5tNiAKG5IqFQnndhgZZSmuX/gFAlxC v4sACgkQdhgZZSmuX/iVWgD/fCU4ONzgy8w8UCHGmrmIZfDvdhg512NIBfx+Mz9ls5kA/Rq97vz4 z48MFuBdCuu0W/fVqVjnY7LN5n+CQJwGC0MIA7QA/RyY7Sz2gFIOcrns0RpoHr+3WI+won3xCD8+ sVXSHZvCAP98HCjDnw/b0lGuCR7coTXKLIM44/LFWgXAdZjm1wjODbg4BFxCv50SCisGAQQBl1UB BQEBB0BG4iXnHX/fs35NWKMWQTQoRI7oiAUt0wJHFFJbomxXbAMBCAeIfgQYFggAJhYhBMS8Lds4 zOlkhevpwvIGkReQOOXGBQJcQr+dAhsMBQkB4TOAAAoJEPIGkReQOOXGe/cBAPlek5d9xzcXUn/D kY6jKmxe26CTws3ZkbK6Aa5Ey/qKAP0VuPQSCRxA7RKfcB/XrEphfUFkraL06Xn/xGwJ+D0hCw== Date: Fri, 15 Mar 2019 09:47:28 -0400 Message-ID: <87o96cw8pb.fsf@fifthhorseman.net> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" X-BeenThere: notmuch@notmuchmail.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Use and development of the notmuch mail system." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 Mar 2019 13:49:05 -0000 --=-=-= Content-Type: text/plain On Fri 2019-03-15 07:49:16 -0300, David Bremner wrote: > BTW2: In a sense everyone has other defences since the tar ball contains a > file "version" with the version in it. Right, if there was a standard/conventional way to indicate the package name and version information *within* any source tarball, that would be a great simple defense. The closest we could come to such a convention might actually be the name of the top-level directory within the tarball itself: notmuch's tarball unpacks to notmuch-0.28.3/* regardless of what the tarball's name is. But while that practice is fairly widespread in many other projects, i don't think it's nearly as universal a convention as stuffing the package name and version in the tarball name itself. (note that uscan in particular extracts the version from the tarball name, not its contents) Do you know of any code that actually makes use of that defense? That is, any code that says "fetch version X of package foo and its cryptographic signatures; verify the signature over the tarball, and also verify that it unpacks to a directory named foo-X/ before returning success" ? That would be great if it's out there and i'm unaware of it. I suppose i could test such an attack on uscan itself, but i haven't gotten the bandwidth to really trying it out. If someone wants to try it, i'd be happy to read a report! >> David, how would you feel about generating two forms of cryptographic >> signature per-tarball as an interim process? > > Yeah, that sounds fine. IIUC, the old .sha256.asc and the "new" > .tar.gz.asc? sure, though i'd change the .sha256.asc to be a clearsigned file instead of the current ASCII-armored OpenPGP message that it currently is (as Adam suggested elsewhere in this thread). And we can ditch the .sha256 itself, which doesn't seem to be doing any useful work. --dkg --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iHUEARYKAB0WIQTJDm02IAobkioVCed2GBllKa5f+AUCXIus8AAKCRB2GBllKa5f +ERfAQCA8UDcR2snlrVpsaSMzbE0cZu2LymYTAqpwzd0c1ra8QD+J0QB0Ui986CL lQ3mU7rbJiJZg5jGpvfIG9HIaHhd7wE= =bIMy -----END PGP SIGNATURE----- --=-=-=--