[arch-general] Stronger Hashes for PKGBUILDs

Bruno Pagani bruno.pagani at ens-lyon.org
Sun Dec 11 12:20:05 UTC 2016


On 10/12/2016 at 00:30, Leonid Isaev wrote:

> On Fri, Dec 09, 2016 at 03:15:34PM +0100, Bruno Pagani wrote:
>> On 08/12/2016 at 01:57, Leonid Isaev wrote:
>>
>>> On Thu, Dec 08, 2016 at 10:34:59AM +1000, Allan McRae wrote:
>>>> On 08/12/16 08:51, sivmu wrote:
>>>>> On 07.12.2016 at 10:49, Allan McRae wrote:
>>>>>>> ...
>>>>>>> I advocate keeping md5sum as the default because it is broken.  If I see
>>>>>>> someone purely verifying their sources using md5sum in a PKGBUILD (and
>>>>>>> not pgp signature), I know that they have done nothing to actually
>>>>>>> verify the source themselves.
>>>>>>> ...
>>>>> That is a very dangerous assumption. I know for a fact that many
>>>>> maintainers used md5 for verification because it is the default.
>>>>> There are/were maintainers that downloaded the source, verified the pgp
>>>>> signature and generated the md5 checksum to include it in the PKGBUILD
>>>>> (without the pgp signature)
>>>> Idiots...  so again using md5sums as the default saves me from people
>>>> who don't know how to package.
>>> Actually, this might not be so crazy. Sometimes you get a signed sha*sums file
>>> instead of signed source, so you don't include the key in validpgpkeys array.
>>> For example, when building Firefox, I have to manually verify the sig on
>>> SHA512SUMS and then paste the sha512sum into PKGBUILD. But this is because I'm
>>> paranoid... I guess one can simply do makepkg -g, hmm.
>>>
>>> Hence the question, why have this flag at all? And should it be possible to
>>> specify an external (signed) hash-file in PKGBUILD?
>>>
>>> Thx,
>>> L.
>> What is wrong with adding the sha*sum file and its signature in the
>> source array and then use validpgpkeys?
> And then what?

Then makepkg would check the sigs on the sha*sum file, and you could
either grep the sum from this file to use it in the PKGBUILD
automatically (which is done in firefox-nightly-fr, probably not
optimally now that I think about it) or have a function to later
verify the sum (don’t like that way, but it’s done in firefox-nightly
for instance), or copy it by hand if it is for a stable package (which
seems to be your use case). The goal here is that other people using
the PKGBUILD get the same GPG verification.
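The arrangement described above, as an added example that is not part of the original thread and not code from any Arch package: the PKGBUILD lists the upstream SHA512SUMS file and its detached signature in source (so makepkg checks that signature against validpgpkeys), and a prepare() step then looks the tarball up in the signed sums file and compares digests instead of trusting a hash typed into the PKGBUILD by hand. The shell helpers below do that lookup and comparison; the package name foo, the URLs and the layout of the sums file are assumptions, and the sample data at the end is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical PKGBUILD side:
#
#   source=("https://example.org/foo-1.0.tar.xz"      # assumed URL
#           "https://example.org/SHA512SUMS"           # upstream signed sums file
#           "https://example.org/SHA512SUMS.asc")      # its detached signature
#   validpgpkeys=('<UPSTREAM FINGERPRINT PLACEHOLDER>')
#   sha512sums=('SKIP' '<sum of SHA512SUMS>' 'SKIP')   # tarball checked below
#
#   prepare() {
#       verify_from_sums_file "$srcdir/SHA512SUMS" "$srcdir/foo-1.0.tar.xz"
#   }
#
# makepkg has verified SHA512SUMS.asc before prepare() runs, so the digest
# we read out of SHA512SUMS carries the upstream GPG signature with it.

# Print the hex digest recorded for NAME in SUMSFILE ("<hex>  <name>" lines,
# as written by sha512sum). Exit status 1 if NAME is not listed.
# Entries with spaces in the file name are not handled (field splitting).
sum_from_sums_file() {
    awk -v name="$2" '
        {
            entry = $2
            sub(/^\*/, "", entry)     # "*name": binary-mode marker
            sub(/^\.\//, "", entry)   # "./name": as written by sha512sum ./file
            if (entry == name) { print $1; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# verify_from_sums_file SUMSFILE FILE [NAME]
# Compare the local sha512 of FILE with the entry for NAME (default: the
# basename of FILE) in SUMSFILE. Pass NAME explicitly when the sums file
# keys entries by relative path (e.g. "linux-x86_64/en-US/foo.tar.xz").
verify_from_sums_file() {
    sumsfile=$1
    file=$2
    name=${3:-$(basename "$file")}
    expected=$(sum_from_sums_file "$sumsfile" "$name") || {
        echo "$name: no entry in $sumsfile" >&2
        return 1
    }
    # A sha512 digest is exactly 128 hex characters; reject anything else
    # so a malformed or truncated sums line cannot pass as a match.
    if [ "${#expected}" -ne 128 ]; then
        echo "$name: entry in $sumsfile is not a sha512 digest" >&2
        return 1
    fi
    actual=$(sha512sum "$file" | awk '{ print $1 }')
    if [ "$expected" = "$actual" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: digest mismatch (expected $expected, got $actual)" >&2
    return 1
}

# Stand-alone demo on constructed data (no real upstream files involved).
demo() {
    dir=$(mktemp -d)
    printf 'constructed tarball contents\n' > "$dir/foo-1.0.tar.xz"
    ( cd "$dir" && sha512sum foo-1.0.tar.xz > SHA512SUMS )
    verify_from_sums_file "$dir/SHA512SUMS" "$dir/foo-1.0.tar.xz"
    rc=$?
    rm -rf "$dir"
    return $rc
}
demo
```

In the PKGBUILD the same functions would sit next to prepare(); the tarball's own sha512sums entry can also simply be pasted from the signed file (the "copy it by hand" option above), in which case prepare() is not needed and makepkg does the comparison itself.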
