[arch-general] gpg source validation for kernel.org style signatures
Hello everybody,
pacman 4.2.0 gained support for verifying source tarballs with kernel.org style signature. Some (even essential) packages could benefit from that, linux and git come to mind.
How to handle this? Report a bug for every package? Provide a list here?
-- 
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Chris get my mail address: */=0;b=c[a++];) putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}
On Sun, 4 Jan 2015 22:05:21 +0100 Christian Hesse <list@eworm.de> wrote:
Hello everybody,
pacman 4.2.0 gained support for verifying source tarballs with kernel.org style signature. Some (even essential) packages could benefit from that, linux and git come to mind.
How to handle this? Report a bug for every package? Provide a list here?
A lot of it is already happening: https://www.archlinux.org/todo/validpgpkeys-integrity-check/
If you want it added to a package that isn't on that list, the bug tracker is probably the best bet. Note that the linux package already has it.
Doug
Doug Newgard <scimmia@archlinux.info> on Sun, 2015/01/04 16:03:
On Sun, 4 Jan 2015 22:05:21 +0100 Christian Hesse <list@eworm.de> wrote:
Hello everybody,
pacman 4.2.0 gained support for verifying source tarballs with kernel.org style signature. Some (even essential) packages could benefit from that, linux and git come to mind.
How to handle this? Report a bug for every package? Provide a list here?
A lot of it is already happening: https://www.archlinux.org/todo/validpgpkeys-integrity-check/
This is about the validpgpkeys array. Glad to see this happen, but it is not what I was speaking about: if the tar archive (instead of the compressed archive) was signed, pacman < 4.2.0 could not check it. That is why you cannot find these with grep.
If you want it added to a package that isn't on that list, the bug tracker is probably the best bet. Note that the linux package already has it.
Ah, I can see it on the website, but abs did not yet sync it. Thanks!
On 04/01/15 05:03 PM, Doug Newgard wrote:
On Sun, 4 Jan 2015 22:05:21 +0100 Christian Hesse <list@eworm.de> wrote:
Hello everybody,
pacman 4.2.0 gained support for verifying source tarballs with kernel.org style signature. Some (even essential) packages could benefit from that, linux and git come to mind.
How to handle this? Report a bug for every package? Provide a list here?
A lot of it is already happening: https://www.archlinux.org/todo/validpgpkeys-integrity-check/
If you want it added to a package that isn't on that list, the bug tracker is probably the best bet. Note that the linux package already has it.
Doug
That rebuild is just to fix packages that were already using GPG signatures and need the fingerprint(s) added. There are a lot that could be using them and aren't yet. This could likely be automated to a large extent. Using a script to detect if HTTPS works for fetching the sources along with checking for signature files by appending .asc and .sig seems like a promising plan.
Daniel Micay <danielmicay@gmail.com> on Mon, 2015/01/05 04:01:
On 04/01/15 05:03 PM, Doug Newgard wrote:
On Sun, 4 Jan 2015 22:05:21 +0100 Christian Hesse <list@eworm.de> wrote:
Hello everybody,
pacman 4.2.0 gained support for verifying source tarballs with kernel.org style signature. Some (even essential) packages could benefit from that, linux and git come to mind.
How to handle this? Report a bug for every package? Provide a list here?
A lot of it is already happening: https://www.archlinux.org/todo/validpgpkeys-integrity-check/
If you want it added to a package that isn't on that list, the bug tracker is probably the best bet. Note that the linux package already has it.
Doug
That rebuild is just to fix packages that were already using GPG signatures and need the fingerprint(s) added. There are a lot that could be using them and aren't yet. This could likely be automated to a large extent.
Using a script to detect if HTTPS works for fetching the sources along with checking for signature files by appending .asc and .sig seems like a promising plan.
I do not think we need HTTPS, though it does not hurt. If anybody tries to fool us with man-in-the-middle via HTTP we should detect that just fine with broken signatures (given signatures are provided...).
Appending .sign may help as well. In fact for an example file archive.tar.xz we may want to check for {${FILE},${FILE%.(xz|bz2|gz)}}.{asc,sig,sign}
$ export FILE=archive.tar.xz
$ echo {${FILE},${FILE%.(xz|bz2|gz)}}.{asc,sig,sign}
archive.tar.xz.asc archive.tar.xz.sig archive.tar.xz.sign archive.tar.asc archive.tar.sig archive.tar.sign
I do not think we need HTTPS, though it does not hurt. If anybody tries to fool us with man-in-the-middle via HTTP we should detect that just fine with broken signatures (given signatures are provided...).
Well, I mean when no signatures are available. It's not really that common for upstream to sign the packages :(. HTTPS is pretty common though, especially considering all of the projects hosted on sites like github.
On Mon, Jan 05, 2015 at 10:16:10AM +0100, Christian Hesse wrote:
I do not think we need HTTPS, though it does not hurt. If anybody tries to fool us with man-in-the-middle via HTTP we should detect that just fine with broken signatures (given signatures are provided...).
Appending .sign may help as well. In fact for an example file archive.tar.xz we may want to check for {${FILE},${FILE%.(xz|bz2|gz)}}.{asc,sig,sign}
$ export FILE=archive.tar.xz
$ echo {${FILE},${FILE%.(xz|bz2|gz)}}.{asc,sig,sign}
archive.tar.xz.asc archive.tar.xz.sig archive.tar.xz.sign archive.tar.asc archive.tar.sig archive.tar.sign
Does makepkg(8) know how to check sigs of .tar files as opposed to .tar.xz?
Cheers,
-- 
Leonid Isaev
GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4
                  C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
On 05/01/15 12:28 PM, Leonid Isaev wrote:
On Mon, Jan 05, 2015 at 10:16:10AM +0100, Christian Hesse wrote:
I do not think we need HTTPS, though it does not hurt. If anybody tries to fool us with man-in-the-middle via HTTP we should detect that just fine with broken signatures (given signatures are provided...).
Appending .sign may help as well. In fact for an example file archive.tar.xz we may want to check for {${FILE},${FILE%.(xz|bz2|gz)}}.{asc,sig,sign}
$ export FILE=archive.tar.xz
$ echo {${FILE},${FILE%.(xz|bz2|gz)}}.{asc,sig,sign}
archive.tar.xz.asc archive.tar.xz.sig archive.tar.xz.sign archive.tar.asc archive.tar.sig archive.tar.sign
Does makepkg(8) know how to check sigs of .tar files as opposed to .tar.xz?
Yes, it learned how to do that in the most recent release.
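An added example, not code from this thread and not makepkg's own implementation: a small POSIX shell script that builds Christian's candidate signature names (the .asc/.sig/.sign suffixes on both the compressed and the uncompressed tarball name) and then verifies a kernel.org style signature against the decompressed stream, which is what Daniel says makepkg learned to do in the most recent release. The function names and the exit status 3 for "no signature file found" are my own conventions.

```shell
#!/bin/sh
# Print candidate detached-signature names for a source file: first
# <file>.{asc,sig,sign}, then, for a compressed tarball, the same suffixes
# on the uncompressed name (kernel.org signs archive.tar, not archive.tar.xz).
sig_candidates() {
    file=$1
    base=$file
    case $file in
        *.xz|*.bz2|*.gz) base=${file%.*} ;;
    esac
    for suffix in asc sig sign; do printf '%s.%s\n' "$file" "$suffix"; done
    if [ "$base" != "$file" ]; then
        for suffix in asc sig sign; do printf '%s.%s\n' "$base" "$suffix"; done
    fi
}

# Decompress a tarball to stdout according to its extension (other files
# are passed through) so gpg can verify the uncompressed stream.
decompress_to_stdout() {
    case $1 in
        *.xz)  xz -dc -- "$1" ;;
        *.bz2) bzip2 -dc -- "$1" ;;
        *.gz)  gzip -dc -- "$1" ;;
        *)     cat -- "$1" ;;
    esac
}

# Verify <src> against the first candidate signature that exists. A
# signature named after the uncompressed archive is checked against the
# decompressed stream (kernel.org style); otherwise the file itself is
# verified. Exit status is gpg's (0 = good signature, nonzero = bad
# signature or unknown key), or 3 (own convention) when no signature file
# exists. Assumes file names without whitespace.
verify_source() {
    src=$1
    for sig in $(sig_candidates "$src"); do
        [ -f "$sig" ] || continue
        if [ "${sig%.*}" = "$src" ]; then
            gpg --verify "$sig" "$src"
        else
            decompress_to_stdout "$src" | gpg --verify "$sig" -
        fi
        return $?
    done
    echo "no signature file found for $src" >&2
    return 3
}

# Usage (hypothetical script name): sh verify-source.sh archive.tar.xz
if [ $# -gt 0 ]; then verify_source "$1"; fi
```

The candidate list this prints for archive.tar.xz is exactly the six names from Christian's brace expansion, in the same order.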
On 04/01/15 04:05 PM, Christian Hesse wrote:
Hello everybody,
pacman 4.2.0 gained support for verifying source tarballs with kernel.org style signature. Some (even essential) packages could benefit from that, linux and git come to mind.
How to handle this? Report a bug for every package? Provide a list here?
I would create a wiki page with the list and then see if you can find a developer interested in mass-adding the missing signatures. I'd be interested in helping with it for [community], but you'll likely be able to do it yourself soon ;).
Note that you should check svn rather than abs because there's usually no rebuild for something like this. The linux{-lts,-grsec} packages are using the new feature now.
I expect that this can be automated to a large extent. Looking for files with .asc / .sig extensions doesn't need to be done by hand. It also makes sense to figure out which packages can use HTTPS to fetch sources since that's a lot better than nothing if no signatures are available.
On Mon, Jan 05, 2015 at 04:09:50AM -0500, Daniel Micay wrote:
On 04/01/15 04:05 PM, Christian Hesse wrote:
Hello everybody,
pacman 4.2.0 gained support for verifying source tarballs with kernel.org style signature. Some (even essential) packages could benefit from that, linux and git come to mind.
How to handle this? Report a bug for every package? Provide a list here?
I would create a wiki page with the list and then see if you can find a developer interested in mass-adding the missing signatures. I'd be interested in helping with it for [community], but you'll likely be able to do it yourself soon ;).
In the TODO list mentioned in this thread, community/exim is absent, even though its releases are signed (see e.g. this announcement https://lists.exim.org/lurker/message/20140811.135006.dc48cddf.en.html ).
Cheers,
-- 
Leonid Isaev
On 05/01/2015 10:09, Daniel Micay wrote:
On 04/01/15 04:05 PM, Christian Hesse wrote:
I would create a wiki page with the list and then see if you can find a developer interested in mass-adding the missing signatures. I'd be interested in helping with it for [community], but you'll likely be able to do it yourself soon ;).
You don't really need to find a developer; creating a TODO is the common way to manage this, like you do with validpgpkeys.
Btw, mass PKGBUILD editing in svn is generally frowned upon.
Cheers,
-- 
Sébastien "Seblu" Luttringer
Archlinux Developer
https://seblu.net | Twitter: @seblu42
GPG: 0x2072D77A