[PATCH] build: distribute signed sha256sums

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Mar 23 04:21:18 PDT 2019 

Distribute clearsigned sha256sum file instead of a detached signature.

This ensures that the thing signed includes the name of the tarball,
which defends the verifier by default against a freeze, rollback, or
project substitution attack.

A verifier can use something like the following (as expressed in
bash):

      set -o pipefail
      wget https://notmuchmail.org/releases/notmuch-$VERSION.tar.gz{,.sha256.asc}
      gpgv --keyring ./notmuch-signers.pgp --output - notmuch-$VERSION.tar.gz.sha256.asc | sha256sum -c -

See id:87r2b8w956.fsf at fifthhorseman.net and other messages in that
thread for discussion.

Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
---
 Makefile.global |  3 +--
 Makefile.local  | 13 +++++--------
 2 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/Makefile.global b/Makefile.global
index 6e17494a..11fd0cee 100644
--- a/Makefile.global
+++ b/Makefile.global
@@ -43,8 +43,7 @@ RELEASE_URL=https://notmuchmail.org/releases
 TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
 ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
 DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
-SHA256_FILE=$(TAR_FILE).sha256
-GPG_FILE=$(TAR_FILE).asc
+GPG_FILE=$(TAR_FILE).sha256.asc
 
 PV_FILE=bindings/python/notmuch/version.py
 
diff --git a/Makefile.local b/Makefile.local
index 01ba49cc..48ef40e4 100644
--- a/Makefile.local
+++ b/Makefile.local
@@ -39,11 +39,8 @@ $(TAR_FILE):
 	gzip -n < $(TAR_FILE).tmp > $(TAR_FILE)
 	@echo "Source is ready for release in $(TAR_FILE)"
 
-$(SHA256_FILE): $(TAR_FILE)
-	sha256sum $^ > $@
-
 $(GPG_FILE): $(TAR_FILE)
-	gpg --armor --detach-sign $^
+	sha256sum $(TAR_FILE) | gpg --clear-sign --output $@ -
 
 .PHONY: dist
 dist: $(TAR_FILE)
@@ -73,11 +70,11 @@ release: verify-source-tree-and-version
 	pristine-tar commit $(DEB_TAR_FILE) $(UPSTREAM_TAG)
 	git tag -s -m "$(PACKAGE) Debian $(VERSION)-1 upload (same as $(VERSION))" $(DEB_TAG)
 	mkdir -p releases
-	mv $(TAR_FILE) $(SHA256_FILE) $(GPG_FILE) releases
+	mv $(TAR_FILE) $(GPG_FILE) releases
 	$(MAKE) VERSION=$(VERSION) release-message > $(PACKAGE)-$(VERSION).announce
 ifeq ($(REALLY_UPLOAD),yes)
 	git push origin $(VERSION) $(DEB_TAG) release pristine-tar
-	cd releases && scp $(TAR_FILE) $(SHA256_FILE) $(GPG_FILE) $(RELEASE_HOST):$(RELEASE_DIR)
+	cd releases && scp $(TAR_FILE) $(GPG_FILE) $(RELEASE_HOST):$(RELEASE_DIR)
 	ssh $(RELEASE_HOST) "rm -f $(RELEASE_DIR)/LATEST-$(PACKAGE)-* ; ln -s $(TAR_FILE) $(RELEASE_DIR)/LATEST-$(TAR_FILE)"
 endif
 	@echo "Please send a release announcement using $(PACKAGE)-$(VERSION).announce as a template."
@@ -117,9 +114,9 @@ release-message:
 	@echo ""
 	@echo "Which can be verified with:"
 	@echo ""
-	@echo "  $(RELEASE_URL)/$(SHA256_FILE)"
+	@echo "  $(RELEASE_URL)/$(GPG_FILE)"
 	@echo -n "  "
-	@cat releases/$(SHA256_FILE)
+	@cat releases/$(GPG_FILE)
 	@echo ""
 	@echo "  $(RELEASE_URL)/$(GPG_FILE)"
 	@echo "  (signed by `getent passwd "$$USER" | cut -d: -f 5 | cut -d, -f 1`)"
-- 
2.20.1

More information about the notmuch mailing list