[PATCH] build: sign tarball instead of sha256sum
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Mar 15 01:58:32 PDT 2019
On Fri 2019-03-15 02:53:28 +0100, Adam Majer wrote:
> adding explicit checks would add an extra BuildRequires in the build
> process to pull in gpg, which is excessive.
It shouldn't require gpg; it should only pull in gpgv, which is already
on the base system, no? And once the "small file" is checked, it would
then require sha256sum (or the equivalent) to verify the tarball itself;
on any modern system, that's likely to be available anyway
(e.g. coreutils' sha256sum or "openssl dgst" or whatever).
> Instead of reverting, how about distributing the .asc file and an
> inline signed checksum file?
The checksum file (*.sha256.asc) that is distributed by notmuch is
already inline-signed (please read my proposed verification step
upthread), so that part's done. (notmuch does *also* ship an unsigned
*.sha256 file, which I agree doesn't serve much purpose and could be
But you're right that we could distribute a detached signature over the
tarball in addition to the stronger mechanism. That way people who have
other defenses against rollback or version fixation attacks (or who
are willing to take the risk) can check the simpler, weaker mechanism.
David, how would you feel about generating two forms of cryptographic
signature per-tarball as an interim process?
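The two-step check sketched above, written out as an added example (it is
not dkg's script and not part of notmuch's build or release tooling): gpgv
verifies the inline-signed checksum file against a keyring of trusted
release keys, and sha256sum then checks the tarball against the one hash
line that signed text vouches for. The key name, the "example-0.1.tar.gz"
file names and the demo fixtures are constructed for the example; the
demo only runs the signing side if gpg is installed, while the verifying
side needs just gpgv and sha256sum.

```shell
#!/bin/sh
# Added example, not the author's or the notmuch project's code: verify a
# release from an inline-signed *.sha256.asc.  gpgv (no gpg needed on the
# verifying side) checks the signature against a trusted keyring; sha256sum
# then checks the tarball against the hash the signed text vouches for.
# Key, file and project names below are constructed for the example.
set -u

# verify_release KEYRING SIGNED_SHA256 TARBALL  -> 0 on success, 1 otherwise
verify_release() {
    keyring=$1 signed=$2 tarball=$3
    dir=$(dirname "$tarball") base=$(basename "$tarball")
    tmp=$(mktemp -d) || return 1
    # 1. Signature: gpgv writes the *verified* plaintext to --output, so no
    #    hash line is used unless it was covered by a good signature.
    if ! gpgv --keyring "$keyring" --output "$tmp/checksums" "$signed" >/dev/null 2>&1; then
        echo "BAD SIGNATURE: $signed" >&2; rm -rf "$tmp"; return 1
    fi
    # 2. Keep only the line naming this exact file.  A good signature over
    #    some other release's hash must not satisfy a check for this one.
    awk -v f="$base" 'NF == 2 && $2 == f && length($1) == 64' "$tmp/checksums" > "$tmp/want"
    if ! [ -s "$tmp/want" ]; then
        echo "NO SIGNED HASH FOR: $base" >&2; rm -rf "$tmp"; return 1
    fi
    # 3. Hash: sha256sum -c reads "hash  filename" lines relative to cwd.
    if ! (cd "$dir" && sha256sum -c --status "$tmp/want") >/dev/null 2>&1; then
        echo "HASH MISMATCH: $base" >&2; rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    return 0
}

# demo: build a throw-away release key, a constructed "tarball" and its
# signed checksum file, then exercise the good case and three bad ones.
# Prints "ok", "skip" (no gpg available to create fixtures) or "FAIL: ...".
demo() {
    if ! command -v gpg >/dev/null 2>&1 || ! command -v gpgv >/dev/null 2>&1; then
        echo skip; return 0
    fi
    work=$(mktemp -d) || { echo "FAIL: mktemp"; return 0; }
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    if ! gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key 'Example Release Key <release@example.invalid>' \
            ed25519 sign never >/dev/null 2>&1; then
        rm -rf "$work"; echo skip; return 0
    fi
    gpg --batch --quiet --export > "$work/release-keyring.gpg"
    printf 'constructed tarball contents\n' > "$work/example-0.1.tar.gz"
    (cd "$work" && sha256sum example-0.1.tar.gz > example-0.1.tar.gz.sha256)
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --clearsign \
        --output "$work/example-0.1.tar.gz.sha256.asc" "$work/example-0.1.tar.gz.sha256"

    k="$work/release-keyring.gpg" a="$work/example-0.1.tar.gz.sha256.asc"
    result=ok
    # genuine release: must pass
    if ! verify_release "$k" "$a" "$work/example-0.1.tar.gz" 2>/dev/null; then
        result="FAIL: genuine release rejected"
    fi
    # same file name, different bytes, signature untouched: hash mismatch
    mkdir "$work/t1" "$work/t2"
    printf 'tampered tarball contents\n' > "$work/t1/example-0.1.tar.gz"
    if verify_release "$k" "$a" "$work/t1/example-0.1.tar.gz" 2>/dev/null; then
        result="FAIL: tampered tarball accepted"
    fi
    # valid signed file for another version name: no signed hash for this file
    cp "$work/example-0.1.tar.gz" "$work/t2/example-0.2.tar.gz"
    if verify_release "$k" "$a" "$work/t2/example-0.2.tar.gz" 2>/dev/null; then
        result="FAIL: signed hash for another file accepted"
    fi
    # checksum line edited after signing: bad signature
    sed '/example-0\.1\.tar\.gz$/y/0123456789abcdef/123456789abcdef0/' "$a" > "$work/edited.sha256.asc"
    if verify_release "$k" "$work/edited.sha256.asc" "$work/example-0.1.tar.gz" 2>/dev/null; then
        result="FAIL: edited checksum file accepted"
    fi
    rm -rf "$work"; unset GNUPGHOME
    echo "$result"
}

# Usage: ./verify.sh demo        or        ./verify.sh KEYRING SIGNED.sha256.asc TARBALL
case "${1:-}" in
    demo) demo ;;
    "") ;;                      # no arguments: only define the functions
    *) verify_release "$@" ;;
esac
```

The order of the steps is the point: the hash line is read from gpgv's
verified output, never from the unsigned *.sha256 or from the .asc before
the signature has been checked, and the line must name the exact file
being checked, which is what stops a good signature over some other
release's hash from being accepted for this one.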