Release signatures

classic Classic list List threaded Threaded
4 messages Options
Adam Majer Adam Majer
Reply | Threaded
Open this post in threaded view
|

Release signatures

Hello,

The releases are signed in a funny way. The .asc file are not detached
signatures of the checksum, but actually contain it inside the .asc file.

# gpg -v --verify notmuch-0.28.1.tar.gz.sha256.asc
...
gpg: binary signature, digest algorithm SHA256, key algorithm rsa3072
gpg: WARNING: not a detached signature; file
'notmuch-0.28.1.tar.gz.sha256' was NOT verified!

A much better way of signing this would have been as a detached
signature of the tarball itself. Why sign a hash of a hash? ;)


# gpg --detach --sign notmuch-0.28.1.tar.gz
-> notmuch-0.28.1.tar.gz.sig

Then you can verify this is a properly signed binary,

# gpg -v --verify notmuch-0.28.1.tar.gz.sig
gpg: assuming signed data in 'notmuch-0.28.1.tar.gz'
gpg: Signature made Wed 06 Feb 2019 11:37:19 AM CET
gpg:                using RSA key 4BE7C1D3CC65813AF349D42F864508B01B2679CF
gpg: using subkey 864508B01B2679CF instead of primary key E523F220AC8DFBD0
...
gpg: binary signature, digest algorithm SHA512, key algorithm rsa3904

The digest algorithm is from the key preferences, which you can change.
You can also specify it as --digest-algo option, if you prefer.

Best regards,
- Adam

PS. I'm not on the list. Please cc me if you would like any response ;)
_______________________________________________
notmuch mailing list
[hidden email]
https://notmuchmail.org/mailman/listinfo/notmuch
David Bremner-2 David Bremner-2
Reply | Threaded
Open this post in threaded view
|

Re: Release signatures

Adam Majer <[hidden email]> writes:

> Hello,
>
> The releases are signed in a funny way. The .asc file are not detached
> signatures of the checksum, but actually contain it inside the .asc file.
>
> # gpg -v --verify notmuch-0.28.1.tar.gz.sha256.asc
> ...
> gpg: binary signature, digest algorithm SHA256, key algorithm rsa3072
> gpg: WARNING: not a detached signature; file
> 'notmuch-0.28.1.tar.gz.sha256' was NOT verified!
>
> A much better way of signing this would have been as a detached
> signature of the tarball itself. Why sign a hash of a hash? ;)

I'm not sure why Carl did it that way 10 years ago. Perhaps Carl
remembers?  Offhand, I don't see any reason not to go with a more
standard detached signature, other than it needs someone to do the
relevant work.

d
_______________________________________________
notmuch mailing list
[hidden email]
https://notmuchmail.org/mailman/listinfo/notmuch
Carl Worth-2 Carl Worth-2
Reply | Threaded
Open this post in threaded view
|

Re: Release signatures

On Sun, Feb 10 2019, David Bremner wrote:

> Adam Majer <[hidden email]> writes:
>> The releases are signed in a funny way. The .asc file are not detached
>> signatures of the checksum, but actually contain it inside the .asc file.
>>
>> # gpg -v --verify notmuch-0.28.1.tar.gz.sha256.asc
>> ...
>> gpg: binary signature, digest algorithm SHA256, key algorithm rsa3072
>> gpg: WARNING: not a detached signature; file
>> 'notmuch-0.28.1.tar.gz.sha256' was NOT verified!
>>
>> A much better way of signing this would have been as a detached
>> signature of the tarball itself. Why sign a hash of a hash? ;)
>
> I'm not sure why Carl did it that way 10 years ago. Perhaps Carl
> remembers?  Offhand, I don't see any reason not to go with a more
> standard detached signature, other than it needs someone to do the
> relevant work.
If I did something non-standard here it certainly wasn't intentional.

I certainly would not oppose moving to a more standard (and obvious to
us) means of signing the releases.

-Carl

_______________________________________________
notmuch mailing list
[hidden email]
https://notmuchmail.org/mailman/listinfo/notmuch

signature.asc (847 bytes) Download Attachment
David Bremner-2 David Bremner-2
Reply | Threaded
Open this post in threaded view
|

[PATCH] build: sign tarball instead of sha256sum

Adam Majer pointed out in [1] the way were signing releases was
unusual. Neither Carl nor I could think of a good reason for
explicitely signing the checksum (internally of course that's what GPG
is going anyway).

[1] mid:[hidden email]
---

I think this does the trick, although the release stuff is always a
bit tricky to test.

 Makefile.global | 2 +-
 Makefile.local  | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Makefile.global b/Makefile.global
index cae4c7d1..6e17494a 100644
--- a/Makefile.global
+++ b/Makefile.global
@@ -44,7 +44,7 @@ TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
 ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
 DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
 SHA256_FILE=$(TAR_FILE).sha256
-GPG_FILE=$(SHA256_FILE).asc
+GPG_FILE=$(TAR_FILE).asc
 
 PV_FILE=bindings/python/notmuch/version.py
 
diff --git a/Makefile.local b/Makefile.local
index 82145e1b..01ba49cc 100644
--- a/Makefile.local
+++ b/Makefile.local
@@ -42,8 +42,8 @@ $(TAR_FILE):
 $(SHA256_FILE): $(TAR_FILE)
  sha256sum $^ > $@
 
-$(GPG_FILE): $(SHA256_FILE)
- gpg --armor --sign $^
+$(GPG_FILE): $(TAR_FILE)
+ gpg --armor --detach-sign $^
 
 .PHONY: dist
 dist: $(TAR_FILE)
--
2.20.1

_______________________________________________
notmuch mailing list
[hidden email]
https://notmuchmail.org/mailman/listinfo/notmuch