On Fri 2019-03-15 02:53:28 +0100, Adam Majer wrote:

> adding explicit checks would add an extra BuildRequires in the build
> process to pull in gpg, which is excessive.

It shouldn't require gpg; it should only pull in gpgv, which is already on the base system, no? And once the "small file" is checked, it would then require sha256sum (or the equivalent) to verify the tarball itself; on any modern system, that's likely to be available anyway (e.g. coreutils' sha256sum or "openssl dgst" or whatever).

> Instead of reverting, how about distributing the .asc file and an
> inline signed checksum file?

The checksum file (*.sha256.asc) that is distributed by notmuch is already inline-signed (please read my proposed verification step upthread), so that part's done. (notmuch does *also* ship an unsigned *.sha256 file, which I agree doesn't serve much purpose and could be dropped.)

But you're right that we could distribute a detached signature over the tarball in addition to the stronger mechanism. That way people who have other defenses against rollback or version fixation attacks (or who are willing to take the risk) can check the simpler, weaker mechanism.

David, how would you feel about generating two forms of cryptographic signature per-tarball as an interim process?

--dkg
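The two-step check the message describes (gpgv over the inline-signed *.sha256.asc, then a hash check of the tarball with sha256sum or an equivalent), written out as an added example that is not part of the thread or of notmuch's own release tooling; the keyring path, file names and the "<hash>  <name>" checksum format are assumptions.

```shell
#!/bin/sh
# Added example, not notmuch's own script. Verifies a release tarball against
# its clearsigned checksum file without needing a full gpg install.

# Step 1: gpgv checks the clearsigned checksum file against a keyring of
# release keys and, with --output, writes only the signed payload, so no
# unsigned bytes from the .asc wrapper are ever consulted.
extract_signed_checksums() {
    keyring="$1"; sigfile="$2"; out="$3"    # keyring path is an assumption
    gpgv --keyring "$keyring" --output "$out" "$sigfile"
}

# Hash helper: coreutils sha256sum, falling back to openssl dgst (-r prints
# coreutils-style "hash *file" output).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# Step 2: compare the tarball against the signed line bearing its own name.
# Returns 0 only on an exact match; an unlisted tarball is a failure, never a
# pass, so a checksum file for some other release cannot vouch for this one.
check_tarball_against_checksums() {
    checksums="$1"; tarball="$2"
    name=$(basename "$tarball")
    actual=$(sha256_of "$tarball")
    while read -r hash fname; do
        fname=${fname#\*}                     # tolerate sha256sum's binary-mode marker
        [ "$fname" = "$name" ] || continue
        [ "$hash" = "$actual" ] && return 0
        return 1
    done < "$checksums"
    return 1
}

# Whole procedure: signature first, then the tarball hash.
verify_release() {
    keyring="$1"; tarball="$2"
    payload=$(mktemp)
    extract_signed_checksums "$keyring" "$tarball.sha256.asc" "$payload" || { rm -f "$payload"; return 1; }
    check_tarball_against_checksums "$payload" "$tarball"; rc=$?
    rm -f "$payload"
    return $rc
}
```

Usage: `verify_release /path/to/release-keys.gpg notmuch-X.Y.tar.gz`, with both the tarball and its `.sha256.asc` in the current directory.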