From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Adam Majer <amajer@suse.de>, David Bremner <david@tethera.net>,
Carl Worth <cworth@cworth.org>,
notmuch@notmuchmail.org
Subject: Re: [PATCH] build: sign tarball instead of sha256sum
Date: Fri, 15 Mar 2019 04:58:32 -0400
Message-ID: <87tvg4wm2v.fsf@fifthhorseman.net>
In-Reply-To: <3bbd5c2e-54b7-dbbd-6065-68ce2c2005fd@suse.de>

On Fri 2019-03-15 02:53:28 +0100, Adam Majer wrote:
> adding explicit checks would add an extra BuildRequires in the build
> process to pull in gpg, which is excessive.

It shouldn't require gpg; it should only pull in gpgv, which is already
on the base system, no? And once the "small file" is checked, it would
then require sha256sum (or the equivalent) to verify the tarball itself;
on any modern system, that's likely to be available anyway
(e.g. coreutils' sha256sum or "openssl dgst" or whatever).

> Instead of reverting, how about distributing the .asc file and an
> inline signed checksum file?

The checksum file (*.sha256.asc) that is distributed by notmuch is
already inline-signed (please read my proposed verification step
upthread), so that part's done. (notmuch does *also* ship an unsigned
*.sha256 file, which I agree doesn't serve much purpose and could be
dropped.)

But you're right that we could distribute a detached signature over the
tarball in addition to the stronger mechanism. That way people who have
other defenses against rollback or version fixation attacks (or who
are willing to take the risk) can check the simpler, weaker mechanism.

David, how would you feel about generating two forms of cryptographic
signature per-tarball as an interim process?

--dkg
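
The two-step check described in the message above (gpgv on the inline-signed checksum file, then sha256sum on the tarball), as an added example that is not part of the original message or of notmuch's build scripts. The keyring path and the file names are assumptions passed in by the caller; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a release via its inline-signed checksum file.
# Usage (all three paths are caller-supplied assumptions):
#   sh verify.sh /path/to/keyring.gpg release.tar.gz.sha256.asc release.tar.gz

# Step 1: gpgv checks the inline signature against the given keyring and
# writes the signed text (the checksum lines) to the output file.
extract_signed_sums() {   # keyring signed_sums_asc out_file
    gpgv --keyring "$1" --output "$3" "$2"
}

# Step 2: find the tarball's name in the verified checksum text and compare
# the recorded digest with the digest of the file on disk.
check_tarball() {   # verified_sums tarball
    sums=$1 tarball=$2
    name=$(basename "$tarball")
    # sha256sum lines read "<hex digest>  <name>" ("*<name>" in binary mode).
    want=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
    if [ -z "$want" ]; then
        echo "FAIL: $name is not named in the signed checksum file" >&2
        return 2
    fi
    got=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$got" != "$want" ]; then
        echo "FAIL: digest mismatch for $name" >&2
        return 1
    fi
    echo "OK: $name"
}

verify_release() {   # keyring signed_sums_asc tarball
    tmp=$(mktemp -d) || return 3
    if extract_signed_sums "$1" "$2" "$tmp/sums"; then
        check_tarball "$tmp/sums" "$3" && rc=0 || rc=$?
    else
        echo "FAIL: signature on $2 did not verify" >&2
        rc=3
    fi
    rm -rf "$tmp"
    return "$rc"
}

if [ "$#" -eq 3 ]; then
    verify_release "$@"
fi
```

Because the digest is looked up by file name inside the signed text, a tarball that the signed checksum file does not name, or a different tarball renamed to the expected name, fails the check.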