Re: [PATCH] build: sign tarball instead of sha256sum

Subject: Re: [PATCH] build: sign tarball instead of sha256sum

Date: Fri, 15 Mar 2019 11:35:46 -0400

To: David Bremner, Adam Majer, Carl Worth,


From: Daniel Kahn Gillmor

On Fri 2019-03-15 10:50:34 -0300, David Bremner wrote:
> Adam Majer <> writes:
>> The (my?) expectation is that a *.asc file is a detached signature. 
>> That's why GPG is warning when it is not a detached signature. But I can 
>> live with .sha256.asc if there is no .sha256 ;)
> Right, aren't detached signatures preferred in general? Or am I
> misremembering some gpg folklore?

Detached signatures are recommended for several reasons:

 * They can handle non-textual data
 * They are not confused by varying character sets/encodings of textual

 * They clearly demarcate what is being signed (text documents with
   inline signatures can include arbitrary cruft before the signed text,
   or after the signature)

 * gpg (and gpgv)'s API has traditionally been ambiguous about what it
   means to say "gpg --verify foo.asc" depending on whether foo (without
   the ".asc") exists.  This API "shortcut" has a nasty failure mode,
   because an attacker can ship you an arbitrary "foo" and an
   inline-signed document as "foo.asc".  in that case, you might be
   surprised to find that while the signature verifies, it has nothing
   to do with "foo".

I don't think these situations are relevant for the case of a signed
sha256sum file verified in a sensible way:

 * we're dealing with textual data, guaranteed to be US-ASCII.
   Verifiers can explicitly make that assumption.

 * Modern versions of gpg (and gpgv) have an --output argument when
   validating a signature, making it much easier to see what
   specifically was signed, and avoiding any ambiguity about weird
   "foo.asc + unrelated foo" use cases (see my use of --output in the
   pipeline example upthread)

Detached signatures have the additional disadvantage of having to
juggle/coordinate more files when publishing or retrieving a new

For the sake of shipping fewer files with each release, i think it makes
sense to use a clearsigned *.sha256.asc.

signature.asc (application/pgp-signature)
notmuch mailing list