[arch-general] gpg source validation for kernel.org style signatures

Christian Hesse list at eworm.de
Mon Jan 5 09:16:10 UTC 2015


Daniel Micay <danielmicay at gmail.com> on Mon, 2015/01/05 04:01:
> On 04/01/15 05:03 PM, Doug Newgard wrote:
> > On Sun, 4 Jan 2015 22:05:21 +0100
> > Christian Hesse <list at eworm.de> wrote:
> > 
> >> Hello everybody,
> >>
> >> pacman 4.2.0 gained support for verifying source tarballs with
> >> kernel.org style signature. Some (even essential) packages could
> >> benefit from that, linux and git come to mind.
> >>
> >> How to handle this? Report a bug for every package? Provide a list
> >> here?
> > 
> > A lot of it is already happening:
> > https://www.archlinux.org/todo/validpgpkeys-integrity-check/
> > 
> > If you want it added to a package that isn't on that list, the bug
> > tracker is probably the best bet. Note that the linux package already
> > has it.
> > 
> > Doug
> 
> That rebuild is just to fix packages that were already using GPG
> signatures and need the fingerprint(s) added. There are a lot that could
> be using them and aren't yet. This could likely be automated to a large
> extent.
> 
> Using a script to detect if HTTPS works for fetching the sources along
> with checking for signature files by appending .asc and .sig seems like
> a promising plan.

I do not think we need HTTPS, though it does not hurt. If anybody tries to
fool us with man-in-the-middle via HTTP we should detect that just fine with
broken signatures (given signatures are provided...).

Appending .sign may help as well. In fact for an example file archive.tar.xz
we may want to check for {${FILE},${FILE%.(xz|bz2|gz)}}.{asc,sig,sign}

$ export FILE=archive.tar.xz
$ echo {${FILE},${FILE%.(xz|bz2|gz)}}.{asc,sig,sign}
archive.tar.xz.asc
archive.tar.xz.sig
archive.tar.xz.sign
archive.tar.asc
archive.tar.sig
archive.tar.sign
-- 
main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
"CX:;",b;for(a/*    Chris           get my mail address:    */=0;b=c[a++];)
putchar(b-1/(/*               gcc -o sig sig.c && ./sig    */b/42*2-3)*42);}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20150105/83c17c3f/attachment.bin>


More information about the arch-general mailing list