tarball signing

Harald Sitter sitter at kde.org
Thu Jun 2 11:53:46 UTC 2016


Ahoy

At last weekend's Munich sprint, Jonathan and I discussed the
possibility of detached-signing our tarballs. Right now people have to
go to some website, get checksums, and then verify the downloaded
tarballs match the checksums.
This is not only terrible because it involves humans doing things, it
is also terrible as there is no way to tell whether or not the data on
the website is even authoritative, in particular for extragear where
this information might not even be under https certification and even
if it was who's to say the webserver hasn't been compromised.
Add that our tarball mirrors are often distributing over http or ftp
and getting an authoritative tarball is more luck than consistent
checks.

And that is why we should sign our tarballs and we agreed to start
doing that soonishy for Plasma tarballs (or rather: releasme in
general) and would like to encourage everyone to build appropriate GPG
signing tech into their release scripts. At the very least frameworks
and apps would be beneficial to cover with signatures.
It allows us to easily verify file integrity as well as file
trustworthiness, as either of the two not adding up would result in a
verification failure.

So how's that work?
Relevant starting documentation can be found at [1]

I would for example run
$ gpg2 --digest-algo SHA512 --armor --detach-sign -o phonon-4.9.0.tar.xz.sig -s phonon-4.9.0.tar.xz

This generates a .sig file for the phonon 4.9 tarball.

Which I can then verify
$ gpg2 -q --verify -q phonon-4.9.0.tar.xz.sig phonon-4.9.0.tar.xz; echo $?
gpg: Signature made Don 02 Jun 2016 13:34:35 CEST using DSA key ID 72F23991
gpg: Good signature from "Harald Sitter <apachelogger at ubuntu.com>" [ultimate]

Now then. In the grand scheme of things we'd only ship tarballs with a
relevant sig in the same directory. A consumer of our tarballs (e.g. a
linux distribution) would grab our tarball *and* the sig and ensure
that the sig is an authoritatively trusted key (e.g. part of a keyring
with trusted keys).
If the verification succeeds the tarball is good to be used; if not,
human intervention is required to investigate.

[1] https://www.gnupg.org/gph/en/manual/x135.html

HS
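As an added example (not part of Harald's post, and not releasme's own code), the script below runs the workflow described above end to end using throw-away GNUPGHOMEs: the releaser detach-signs a tarball with the same option shape as the gpg2 command in the post, the consumer builds a keyring that holds only the trusted release key, and verification against that keyring is then exercised on three inputs: the untouched tarball, a tampered copy, and a copy signed by a key that is not in the trusted set. Key user ids, e-mail addresses, file names and tarball contents are constructed for the demo; it assumes gpg 2.1 or newer on PATH and skips itself if gpg is absent.

```shell
#!/bin/sh
# Added example, not code from the original post or from releasme.
# Releaser side: detached signature next to the tarball.
# Consumer side: an explicit keyring of trusted release keys, verify against
# that keyring alone, accept only on exit status 0.
# All key ids, addresses, file names and contents are constructed for the demo.
set -eu

WORK=$(mktemp -d)
RELEASER_HOME="$WORK/releaser-gnupg"   # releaser's throw-away GNUPGHOME
ROGUE_HOME="$WORK/rogue-gnupg"         # an unrelated key, outside the trusted set
CONSUMER_HOME="$WORK/consumer-gnupg"   # consumer's throw-away GNUPGHOME
TRUSTED_KEYRING="$WORK/trusted-release-keys.gpg"

cleanup() {
    for h in "$RELEASER_HOME" "$ROGUE_HOME" "$CONSUMER_HOME"; do
        [ -d "$h" ] && GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Passphrase-less key in the given GNUPGHOME. Demo only: a real release key
# lives in the releaser's own keyring and is passphrase-protected.
make_key() {  # $1 = GNUPGHOME, $2 = user id
    mkdir -p -m 700 "$1"
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never
}

# Constructed stand-in for a release tarball.
make_tarball() {  # $1 = output path
    mkdir -p "$WORK/src/demo-1.0"
    printf 'int main(void) { return 0; }\n' > "$WORK/src/demo-1.0/main.c"
    tar -C "$WORK/src" -czf "$1" demo-1.0
}

# Releaser side: same shape as the command in the post (SHA-512 digest,
# armored, detached), writing <tarball>.sig next to the tarball.
sign_tarball() {  # $1 = signer GNUPGHOME, $2 = tarball path
    GNUPGHOME="$1" gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --digest-algo SHA512 --armor --detach-sign -o "$2.sig" "$2"
}

# Consumer side, step 1: the trusted set is a keyring file holding only the
# release keys the consumer has decided to trust (exported public keys).
build_trusted_keyring() {  # $1 = releaser GNUPGHOME, $2 = user id, $3 = keyring path
    GNUPGHOME="$1" gpg --batch --quiet --export "$2" > "$3"
}

# Consumer side, step 2: verify against that keyring alone. Exit 0 means
# "good signature from a trusted key"; anything else means stop and
# investigate (bad/corrupt file, or a signer that is not in the trusted set).
verify_tarball() {  # $1 = tarball path
    mkdir -p -m 700 "$CONSUMER_HOME"
    GNUPGHOME="$CONSUMER_HOME" gpg --batch --quiet \
        --no-default-keyring --keyring "$TRUSTED_KEYRING" \
        --verify "$1.sig" "$1" 2>/dev/null
}

# End-to-end check; returns 0 only if all three cases behave as intended.
run_demo() {
    make_key "$RELEASER_HOME" "Demo Releaser <releaser@example.invalid>"
    make_key "$ROGUE_HOME"    "Someone Else <someone@example.invalid>"
    build_trusted_keyring "$RELEASER_HOME" "releaser@example.invalid" "$TRUSTED_KEYRING"

    make_tarball "$WORK/demo-1.0.tar.gz"
    sign_tarball "$RELEASER_HOME" "$WORK/demo-1.0.tar.gz"

    # Case 1: untouched tarball, signature from the trusted key -> accepted.
    verify_tarball "$WORK/demo-1.0.tar.gz" || return 1

    # Case 2: tarball modified after signing (one appended byte) -> rejected.
    # This is the integrity half, with no separate checksum file needed.
    cp "$WORK/demo-1.0.tar.gz" "$WORK/tampered.tar.gz"
    cp "$WORK/demo-1.0.tar.gz.sig" "$WORK/tampered.tar.gz.sig"
    printf 'x' >> "$WORK/tampered.tar.gz"
    if verify_tarball "$WORK/tampered.tar.gz"; then return 1; fi

    # Case 3: a valid signature from a key outside the trusted keyring ->
    # rejected. A good signature alone is not enough; the signer has to be
    # one the consumer trusts, which is what the keyring encodes.
    cp "$WORK/demo-1.0.tar.gz" "$WORK/rogue.tar.gz"
    sign_tarball "$ROGUE_HOME" "$WORK/rogue.tar.gz"
    if verify_tarball "$WORK/rogue.tar.gz"; then return 1; fi
    return 0
}

if command -v gpg >/dev/null 2>&1; then
    if run_demo; then DEMO_STATUS=ok; else DEMO_STATUS=failed; fi
else
    DEMO_STATUS=skipped   # no gpg on PATH, nothing to demonstrate
fi
echo "demo status: $DEMO_STATUS"
```

The point of the separate consumer GNUPGHOME with `--no-default-keyring --keyring` is that the trust decision is made once, when the keyring is assembled, and not at verification time: a signature from any key that is not in that file fails with "No public key" and a non-zero exit status, so a release script or package build can simply stop on non-zero rather than parse gpg's output.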


More information about the release-team mailing list