Re: [PATCH] build: sign tarball instead of sha256sum

Subject: Re: [PATCH] build: sign tarball instead of sha256sum

Date: Fri, 15 Mar 2019 04:58:32 -0400

To: Adam Majer, David Bremner, Carl Worth,


From: Daniel Kahn Gillmor

On Fri 2019-03-15 02:53:28 +0100, Adam Majer wrote:
> adding explicit checks would add an extra BuildRequires in the build
> process to pull in gpg, which is excessive.

It shouldn't require gpg; it should only pull in gpgv, which is already
on the base system, no?  And once the "small file" is checked, it would
then require sha256sum (or the equivalent) to verify the tarball itself;
on any modern system, that's likely to be available anyway
(e.g. coreutils' sha256sum or "openssl dgst" or whatever).

> Instead of reverting, how about distributing the .asc file and an
> inline signed checksum file?

The checksum file (*.sha256.asc) that is distributed by notmuch is
already inline-signed (please read my proposed verification step
upthread), so that part's done.  (notmuch does *also* ship an unsigned
*.sha256 file, which I agree doesn't serve much purpose and could be

But you're right that we could distribute a detached signature over the
tarball in addition to the stronger mechanism.  That way people who have
other defenses against rollback or version fixation attacks (or who
are willing to take the risk) can check the simpler, weaker mechanism.

David, how would you feel about generating two forms of cryptographic
signature per-tarball as an interim process?
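
Added example, not part of the original message and not notmuch's own tooling: the two-step check discussed above (gpgv on the inline-signed checksum file, then sha256sum on the tarball), written as POSIX shell. The function names, the sample file names and the keyring path are hypothetical, and the signed text is assumed to be in sha256sum format; matching on the signed filename is this example's assumption about how the check resists substitution of another validly signed version.

```sh
#!/bin/sh
# Added example: check a release with gpgv and sha256sum only (no gpg).
# Function names and the argument layout are hypothetical.

# check_signed_sum PAYLOAD TARBALL
# PAYLOAD is text already recovered from a verified inline signature,
# assumed to be in sha256sum format: "<hex digest>  <filename>".
# Returns 0 on match, 1 on digest mismatch, 2 if the file is not named.
check_signed_sum() {
    payload=$1
    tarball=$2
    name=$(basename "$tarball")
    # Select the line by signed filename, not by digest, so a validly
    # signed checksum for some other version cannot satisfy the check.
    want=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$payload")
    [ -n "$want" ] || { echo "signed text does not name $name" >&2; return 2; }
    have=$(sha256sum "$tarball" | awk '{ print $1 }')
    [ "$want" = "$have" ] || { echo "digest mismatch for $name" >&2; return 1; }
    return 0
}

# verify_release TARBALL SIGNED_SUMS KEYRING
# KEYRING should be a path containing a slash; gpgv resolves bare names
# relative to its home directory.
verify_release() {
    tarball=$1
    signed=$2
    keyring=$3
    tmp=$(mktemp) || return 3
    rc=3
    # gpgv checks the signature against this keyring only. "--output -"
    # emits just the signed text, so anything outside the armor block in
    # SIGNED_SUMS is never parsed.
    if gpgv --keyring "$keyring" --output - "$signed" >"$tmp" 2>/dev/null; then
        rc=0
        check_signed_sum "$tmp" "$tarball" || rc=$?
    else
        echo "no valid signature on $signed" >&2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage: verify_release example-1.0.tar.gz example-1.0.tar.gz.sha256.asc ./release-keyring.gpg
```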

