tarball signing

Albert Astals Cid aacid at kde.org
Fri Jun 3 14:02:43 UTC 2016

El dijous, 2 de juny de 2016, a les 13:53:46 CEST, Harald Sitter va escriure:
> Ahoy
> At last weekends' Munich sprint, Jonathan and I discussed the
> possibility of detached-signing our tarballs. Right now people have to
> go to some website, get checksums, and then verify the downloaded
> tarballs matches the checksums.
> This is not only terrible because it involves humans doing things, it
> is also terrible as there is no way to tell whether or not the data on
> the website is even authoritative, in particular for extragear where
> this information might not even be under https certification and even
> if it was who's to say the webserver hasn't been compromised.
> Add that our tarball mirrors are often distributing over http or ftp
> and getting an authoritative tarball is more luck than consistent
> checks.
> And that is why we should sign our tarballs and we agreed to start
> doing that soonishy for Plasma tarballs (or rather: releasme in
> general) and would like to encourage everyone to build appropriate GPG
> signing tech into their release scripts. At the very least frameworks
> and apps would be beneficial to cover with signatures.
> It allows us to easily verify file integrity as well as file
> trustworthyness as either of the two not adding up would result in a
> verification failure.
> So how's that work?
> Relevant starting documentation can be found at [1]
> I would for example run
> $ gpg2 --digest-algo SHA512 --armor --detach-sign -o
> phonon-4.9.0.tar.xz.sig -s phonon-4.9.0.tar.xz
> This generates a .sig file for the phonon 4.9 tarball.
> Which I can then verify
> $ gpg2 -q --verify -q phonon-4.9.0.tar.xz.sig phonon-4.9.0.tar.xz; echo $?
> gpg: Signature made Don 02 Jun 2016 13:34:35 CEST using DSA key ID 72F23991
> gpg: Good signature from "Harald Sitter <apachelogger at ubuntu.com>"
> [ultimate]
> Now then. In the grand scheme of things we'd only ship tarballs with a
> relevant sig in the same directory. A consumer of our tarballs (e.g. a
> linux distribution) would grab our tarball *and* the sig and ensure
> that the sig is an authoritatively trusted key (e.g. part of a keyring
> with trusted keys).
> If the verification succeeds the tarball is good to be used, if not
> human intervention is required to investigate.

Does that really fix anything if noone has my gpg key in the trusted/validated 
signatures area? How do they know it's me that signed the package and not some 
hacker that got access to the server and did sign the tarballs?


> [1] https://www.gnupg.org/gph/en/manual/x135.html
> HS
> _______________________________________________
> release-team mailing list
> release-team at kde.org
> https://mail.kde.org/mailman/listinfo/release-team

More information about the release-team mailing list