[arch-general] Proper use of signify in PKGBUILDs
Eli Schwartz
eschwartz at archlinux.org
Sun Jul 21 15:32:16 UTC 2019
On 7/21/19 4:11 AM, Stephen Gregoratto wrote:
> On 2019-07-21 02:42, Eli Schwartz via arch-general wrote:
>> How does renaming the file from SHA256.sig to SHA256 help you validate
>> the contents using signify?
>
> I rename it in the source array:
>
> "SHA256::${_mirrorurl}/${pkgver}/amd64/SHA256.sig"
I asked you "how is simply downloading the signify file as a makepkg
source useful, when makepkg won't use the signify file to
programmatically verify the downloaded openbsd-manpages source tarball".
You responded to the question: "Do you or do you not download this file,
and how do you prevent GnuPG from trying to erroneously read it".
(Since you've already stated this in the original post to arch-general,
I don't know why you need to repeat it again, but okay.)
If you want to continue talking right past what I say, it will be very
difficult for me to effectively carry on a conversation with the intent
of providing help and guidance on the "proper use of signify in PKGBUILDs".
> That way makepkg doesn't think it's a PGP signature. Note that the
> SHA256.sig file has the checksums embedded in the file, as the
> signature/additional comments are at the top and take up at most two
> lines.
I was very much able to download the file and look at it myself. Once
again, I do not see how that answers my question.
Also: it's essentially a non-detached GnuPG signature in that respect,
and files with the GnuPG signing data inline in the file itself, rather
than being properly detached, are just as troublesome as files in
strange and non-standard crypto tools.
makepkg cannot recognize a foo.tar.gz.gpg file for the same reason
actually nothing can: the internal tarball headers are obscured by an
OpenPGP packet section, and you need to fiddle with the files using
GnuPG first, and doing so will by default write to stdout (and is
anyways difficult to distinguish from detached signatures without the
actual file at all).
>> Moreover, what good do the checksums do you, when it's the files
>> themselves that you want to verify?
>
> Signify verifies the signature and then verifies the checksums of each
> file. While I could just use the sha256sums array, I prefer using
> signify as that is how the OpenBSD project distributes their files
> securely. Since these files can also be downloaded in the clear (FTP),
> verifying them becomes an absolute must.
Since this is apparently a very tough question to answer, maybe
rewording it will help: who is running signify? According to makepkg,
this is just "a source file".
You don't need to tell me about the importance of verifying files
downloaded over FTP. This is not a philosophy class and no one disputed
the importance of this, so let's just assume we're all on the same page
and get back to the thread topic: "successfully using signify in a
PKGBUILD".
That being the topic, would you like to clarify how your proposed model
for executing the `signify` utility within a makepkg operation would
work? Because to be honest, that's the only thing I've been asking about.
>> The latter problem is why I'm incredibly frustrated by projects that use
>> PGP, too -- when the only thing they sign is a file containing checksums,
>> and not the actual source file.
>
> I'm not sure what the problem is here, isn't validating the signature
> and checksums not good enough?
Validating the signature of a file containing checksums, and *not*
validating the checksums, is exactly what isn't "good enough". makepkg
has no way to assert that the checksums in a "SHA256" file match the
sha256sums=() array. If I'm going to copy the upstream project's
sha256sums, downloading the file I copied them from doesn't provide
additional security.
--
Eli Schwartz
Bug Wrangler and Trusted User
More information about the arch-general
mailing list