[PATCH] build: sign tarball instead of sha256sum
Adam Majer
amajer at suse.de
Fri Mar 15 07:18:19 PDT 2019
On 3/15/19 2:37 PM, Daniel Kahn Gillmor wrote:
> On Fri 2019-03-15 12:35:55 +0100, Adam Majer wrote:
>> # osc chroot
>> running: sudo chroot /var/tmp/build-root/openSUSE_Tumbleweed-x86_64 su - abuild
>> # gpgv
>> -bash: gpgv: command not found
>
> That's surprising to me, but i'm ignorant about SUSE so you shouldn't be
> surprised at my surprise :P
>
> How does this system cryptographically verify its software updates? or
> is it never updated? or updated "from the outside" or something?
There is a different service that checks for signatures and keyring
files that come with a package. This happens at the checkin phase or at some
review phase (some automated review bot would then verify the signature too
before allowing it to be accepted into a more important project). Of course,
one could just not have any signature; then it would just be skipped. The
builds don't check this, as once checked in, integrity is handled by OBS,
and most packages are not signed :( But when you check out a package, you
can at least verify things.
OBS has a backend called `signer` [2] that is responsible for signing RPMs
and repository files (used by zypper, which is like apt) with a
project-specific key (you can configure your own key per project). The nice
thing about OBS is that anyone can fork any project and add/update a
package, make an image, and use that. Or pick software from various
projects, and OBS will rebuild things if build dependencies change. It
builds Debian packages too [1], Fedora, whatever, although mostly it's
used for SUSE/openSUSE projects. This is actually how SUSE makes
products based on other products and things remain consistent.
The weakest points of all these verifications are the upstreams. Many
have no signatures at all. Clearly, notmuch is not the example here :D
- Adam
[1] https://build.opensuse.org/package/show/home:adamm/Nudoku
[2] https://build.opensuse.org/monitor