Distribute clearsigned sha256sum file instead of a detached signature. This ensures that the thing signed includes the name of the tarball, which defends the verifier by default against a freeze, rollback, or project substitution attack. A verifier can use something like the following (as expressed in bash): set -o pipefail wget https://notmuchmail.org/releases/notmuch-$VERSION.tar.gz{,.sha256.asc} gpgv --keyring ./notmuch-signers.pgp --output - notmuch-$VERSION.tar.gz.sha256.asc | sha256sum -c - See id:87r2b8w956.fsf@fifthhorseman.net and other messages in that thread for discussion. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- Makefile.global | 3 +-- Makefile.local | 13 +++++-------- 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/Makefile.global b/Makefile.global index 6e17494a..11fd0cee 100644 --- a/Makefile.global +++ b/Makefile.global @@ -43,8 +43,7 @@ RELEASE_URL=https://notmuchmail.org/releases TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz -SHA256_FILE=$(TAR_FILE).sha256 -GPG_FILE=$(TAR_FILE).asc +GPG_FILE=$(TAR_FILE).sha256.asc PV_FILE=bindings/python/notmuch/version.py diff --git a/Makefile.local b/Makefile.local index 01ba49cc..48ef40e4 100644 --- a/Makefile.local +++ b/Makefile.local @@ -39,11 +39,8 @@ $(TAR_FILE): gzip -n < $(TAR_FILE).tmp > $(TAR_FILE) @echo "Source is ready for release in $(TAR_FILE)" -$(SHA256_FILE): $(TAR_FILE) - sha256sum $^ > $@ - $(GPG_FILE): $(TAR_FILE) - gpg --armor --detach-sign $^ + sha256sum $(TAR_FILE) | gpg --clear-sign --output $@ - .PHONY: dist dist: $(TAR_FILE) @@ -73,11 +70,11 @@ release: verify-source-tree-and-version pristine-tar commit $(DEB_TAR_FILE) $(UPSTREAM_TAG) git tag -s -m "$(PACKAGE) Debian $(VERSION)-1 upload (same as $(VERSION))" $(DEB_TAG) mkdir -p releases - mv $(TAR_FILE) $(SHA256_FILE) $(GPG_FILE) releases + mv $(TAR_FILE) $(GPG_FILE) releases $(MAKE) VERSION=$(VERSION) release-message > $(PACKAGE)-$(VERSION).announce ifeq ($(REALLY_UPLOAD),yes) git push origin $(VERSION) $(DEB_TAG) release pristine-tar - cd releases && scp $(TAR_FILE) $(SHA256_FILE) $(GPG_FILE) $(RELEASE_HOST):$(RELEASE_DIR) + cd releases && scp $(TAR_FILE) $(GPG_FILE) $(RELEASE_HOST):$(RELEASE_DIR) ssh $(RELEASE_HOST) "rm -f $(RELEASE_DIR)/LATEST-$(PACKAGE)-* ; ln -s $(TAR_FILE) $(RELEASE_DIR)/LATEST-$(TAR_FILE)" endif @echo "Please send a release announcement using $(PACKAGE)-$(VERSION).announce as a template." @@ -117,9 +114,9 @@ release-message: @echo "" @echo "Which can be verified with:" @echo "" - @echo " $(RELEASE_URL)/$(SHA256_FILE)" + @echo " $(RELEASE_URL)/$(GPG_FILE)" @echo -n " " - @cat releases/$(SHA256_FILE) + @cat releases/$(GPG_FILE) @echo "" @echo " $(RELEASE_URL)/$(GPG_FILE)" @echo " (signed by `getent passwd "$$USER" | cut -d: -f 5 | cut -d, -f 1`)" -- 2.20.1 _______________________________________________ notmuch mailing list notmuch@notmuchmail.org https://notmuchmail.org/mailman/listinfo/notmuch