[pacman-dev] [PATCH] makepkg: sums: Add FILE and SIGNED-MSG modes

Olivier Brunel jjk at jjacky.com
Fri Nov 6 12:59:32 UTC 2015


On 11/06/15 06:12, Allan McRae wrote:
> On 06/11/15 04:48, Olivier Brunel wrote:
>> Verifying PGP signatures was only done by expecting them to be detached
>> signature of the source code, which is the case on many occasions.
>> However, some upstreams actually do things a bit differently, specifically there
>> are two other main ways things can be done:
>>
>> - a checksum file is provided, as well as a detached signature of that file. For
>>   such cases, this adds a special mode (alongside SKIP) to the sums array: FILE
>>   In that case, for filename.ext a file filename.ext.$ALGO is expected to be a
>>   standard checksum file - i.e. contain at least a line with the hash, spaces,
>>   then the filename - and the hash used will be the one from that file.
>>   Obviously this should be used when a detached signature of the file is
>>   provided, which will be treated by makepkg just as usual.
>>   An example package could be firefox.
>>
>> - a checksum file is provided as a signed message. For such cases, this adds a
>>   mode SIGNED-MSG, as it expects a file filename.ext.$ALGO.signed-msg to be the
>>   signed message. Upon hash checking, it will "extract" said message from the
>>   file via gpg, then use it much like in the FILE case.
>>   And during PGP signature checking, *.signed-msg files are verified as signed
>>   messages instead of detached signatures.
>>   An example package could be harfbuzz.
>>
>> Note that this doesn't change generation (--geninteg) since it can't be done
>> automatically.
>>
>> Signed-off-by: Olivier Brunel <jjk at jjacky.com>
> 
> I am going to canvas on opinions for this.
> 
> My opinion is that this should not be included in makepkg because of
> there being no standard on the format of any of these files.  You have
> used the output of coreutils hashing tools, but upstreams could use
> openssl, or anything else.  If we support one, we need to support them all.

Well, I don't know... One could say the same about PGP signatures, if
one is supported, all must be. Clearly it isn't the case as of now :p
The format from coreutils tools is the only one I've seen used in
upstreams, not that it means anything, except at least that it is a
common one.

As you said, there are no rules/standard for what upstream will do or
format they'll use, but this one is known (in fact I believe openssl has
an option to generate output in that format), and seems to be the
commonly used format; and supporting it allows us to support more PGP
signature checking.


> Also, the packager needs to download the checksum files and their
> signatures to verify the source while packaging.  Putting the hash in the
> PKGBUILD prevents everyone else doing this.  It also prevents upstream
> changing the released source (it happens...), and hash files and no-one
> noticing.

Sorry, I don't understand what you mean by this:
Putting the hash in the PKGBUILD prevents everyone else doing this

Could you explain/rephrase please? I don't get what gets prevented.

As for upstream changing/"repackaging" a release, if that's something
you want to prevent, it can be done simply by adding another sums array.
E.g. one could use the sha256sums with SIGNED-MSG/FILE to check the hash
& signature from upstream, and the sha1sums (from the packager, i.e.
with actual hashes) to ensure things don't silently change from upstream
since original packaging.

> 
> Allan
> 

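The lookup the patch describes for the FILE and SIGNED-MSG modes, written out as an added example (this is my own shell code, not the patch's implementation and not anything from the pacman tree). It assumes what the commit message states, a checksum file next to the source named <file>.<algo> in the coreutils layout ("<hex>  <name>", or "<hex> *<name>" in binary mode), and a clearsigned variant named <file>.<algo>.signed-msg that gpg can verify; the function names, the tolerance for comment lines and the openssl fallback are my choices.

```sh
#!/bin/sh
# Added example: digest lookup in the style of the proposed FILE /
# SIGNED-MSG modes.  Assumptions (mine, not makepkg's): the checksum
# file sits beside the source as <file>.<algo> and uses the coreutils
# layout, one entry per line, "<hex>  <name>" or "<hex> *<name>".

# parse_sumfile SUMFILE NAME -> prints the lower-case hex digest recorded
# for NAME in SUMFILE; exits 1 (no output) when NAME has no entry.
parse_sumfile() {
    awk -v name="$2" '
        # First field must look like a digest; comments and junk are skipped.
        $1 ~ /^[0-9a-fA-F]+$/ && length($1) >= 32 {
            n = $0
            # Drop the digest, the separating space and the optional second
            # space or "*" binary marker; keep the remainder verbatim so a
            # name containing spaces still compares correctly.
            sub(/^[0-9a-fA-F]+ [ *]?/, "", n)
            if (n == name) { print tolower($1); found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# sums_from_file FILE ALGO -> digest for FILE taken from FILE.ALGO (FILE mode)
sums_from_file() {
    sumfile="$1.$2"
    [ -r "$sumfile" ] || return 1
    parse_sumfile "$sumfile" "${1##*/}"
}

# sums_from_signed_msg FILE ALGO -> same, but FILE.ALGO.signed-msg is a
# clearsigned message (SIGNED-MSG mode): gpg verifies it and writes out the
# inner text, which is then parsed like a plain checksum file.  gpg exits
# non-zero when the signature does not verify, so a forged file yields no
# digest.  (Requires gpg and the signer's key in the keyring; not exercised
# by the offline checks below.)
sums_from_signed_msg() {
    msg="$1.$2.signed-msg"
    [ -r "$msg" ] || return 1
    tmp=$(mktemp) || return 1
    if gpg --batch --yes --quiet --output "$tmp" --decrypt "$msg" 2>/dev/null; then
        parse_sumfile "$tmp" "${1##*/}"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# verify_with_sumfile FILE ALGO -> 0 when the digest computed over FILE
# equals the recorded one, 1 on mismatch, 2 when no entry was found.
verify_with_sumfile() {
    expected=$(sums_from_file "$1" "$2") || return 2
    if command -v "${2}sum" >/dev/null 2>&1; then
        actual=$("${2}sum" "$1" | awk '{print $1}')
    else
        # openssl's -r flag prints the same "<hex> *<name>" layout.
        actual=$(openssl dgst -r "-$2" "$1" | awk '{print $1}')
    fi
    [ "$actual" = "$expected" ]
}
```

Note that the digest taken from the checksum file only proves what upstream's file says; the signature check on that file (or on the clearsigned message) is what ties it to upstream, and a second sums array with literal hashes, as suggested above, is what catches a later silent re-release.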
