[PATCH] build: sign tarball instead of sha256sum
amajer at suse.de
Fri Mar 15 04:35:55 PDT 2019
On 3/15/19 9:58 AM, Daniel Kahn Gillmor wrote:
> On Fri 2019-03-15 02:53:28 +0100, Adam Majer wrote:
>> adding explicit checks would add an extra BuildRequires in the build
>> process to pull in gpg, which is excessive.
> It shouldn't require gpg; it should only pull in gpgv, which is already
> on the base system, no? And once the "small file" is checked, it would
> then require sha256sum (or the equivalent) to verify the tarball itself;
> on any modern system, that's likely to be available anyway
> (e.g. coreutils' sha256sum or "openssl dgst" or whatever).
With openSUSE, the closest thing to a base system for building would be
in this log,

# osc chroot
running: sudo chroot /var/tmp/build-root/openSUSE_Tumbleweed-x86_64 su -
-bash: gpgv: command not found
Since this is just a dependency package, it has no BuildRequires. The
base system is just what is needed to run rpm, rpmlint, etc. so 122
packages. No gpgv or gpg or python or ruby. Only gcc, perl, rpm.
>> Instead of reverting, how about distributing the .asc file and an
>> inline signed checksum file?
> The checksum file (*.sha256.asc) that is distributed by notmuch is
> already inline-signed (please read my proposed verification step
> upthread), so that part's done. (notmuch does *also* ship an unsigned
> *.sha256 file, which i agree doesn't serve much purpose and could be
Sorry, I meant clear signed and inline. The checksum file could just be
*.sha256 and be itself clear signed. Then people see it as a checksum file
and when they look inside, they see it as signed. There is no reason to
have the checksum file encoded.
The (my?) expectation is that a *.asc file is a detached signature.
That's why GPG is warning when it is not a detached signature. But I can
live with .sha256.asc if there is no .sha256 ;)
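The two-step verification discussed in this thread (gpgv on the small clearsigned checksum file, then sha256sum on the tarball), written out as an added example that is not part of the thread or of notmuch's build; the keyring path and file names are hypothetical, and the signature block in the test is a constructed stand-in, not a real signature:

```sh
# Added example, not from the thread. Fails closed: if gpgv is missing in the
# build root (as in the osc chroot above), the build stops instead of skipping.

# Print the signed text of a clearsigned file: everything between the blank
# line that ends the "Hash:" header and the signature block, with the
# clearsign dash-escaping ("- " prefix on lines starting with "-") undone.
clearsigned_body() {
    awk '
        /^-----BEGIN PGP SIGNED MESSAGE-----$/ { in_hdr = 1; next }
        in_hdr && /^$/                        { in_hdr = 0; in_body = 1; next }
        in_hdr                                { next }
        /^-----BEGIN PGP SIGNATURE-----$/     { in_body = 0 }
        in_body                               { sub(/^- /, ""); print }
    ' "$1"
}

# Step 2: check the tarball against the entry for it in the signed text.
# Only the matching line is handed to sha256sum -c, so a missing entry fails.
verify_checksum() {
    sigfile=$1; tarball=$2
    name=$(basename "$tarball")
    clearsigned_body "$sigfile" \
        | awk -v f="$name" '$2 == f || $2 == ("*" f)' \
        | (cd "$(dirname "$tarball")" && sha256sum -c)
}

# Step 1 then step 2: gpgv (no agent, no trust db) verifies the small file
# against a keyring holding the release key; only then is the tarball checked.
verify_tarball() {
    keyring=$1; sigfile=$2; tarball=$3
    command -v gpgv >/dev/null 2>&1 || {
        echo "gpgv not installed; refusing to build an unverified tarball" >&2
        return 2
    }
    gpgv --keyring "$keyring" "$sigfile" || return 1
    verify_checksum "$sigfile" "$tarball"
}

# Usage (hypothetical file names):
# verify_tarball ./release-key.gpg example-1.0.tar.gz.sha256.asc example-1.0.tar.gz
```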