oss-sec mailing list archives
Re: upstream source code authenticity checking
From: Jeremy Stanley <fungi () yuggoth org>
Date: Sun, 21 Apr 2013 22:13:08 +0000
On 2013-04-21 10:05:53 -0700 (-0700), Alan Coopersmith wrote:
[...]
> If there was a common standard, with instructions, we'd be far more likely to spend the time to adopt it, than just a "make signatures appear somewhere, in an unspecified format".
For my own software I've been providing detached signatures of every release tarball, along the lines of:

    gpg --armor --detach-sign --output foo-1.2.3.xz.pgp foo-1.2.3.xz

Then I document that users should verify downloads with my key (after obtaining it from a reputable keyserver):

    gpg --verify foo-1.2.3.xz.pgp foo-1.2.3.xz

I also dump sha512sum and md5sum lists of all the release tarballs to a checksum file and sign that in the same way, for completeness.

Of course this doesn't stop a new user from being hoodwinked if an attacker compromises my Web server and replaces all the signatures with their own (updating the README to match their key ID), but anyone who knew they already had my key in their keyring should hopefully spot the name on the signature when checking a new download (porters and distro packagers in particular).

-- 
{ PGP( 48F9961143495829 ); FINGER( fungi () cthulhu yuggoth org );
WWW( http://fungi.yuggoth.org/ ); IRC( fungi () irc yuggoth org#ccl );
WHOIS( STANL3-ARIN ); MUD( kinrui () katarsis mudpy org:6669 ); }
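The download-side half of the procedure described in the post (verify the signed checksum list, check the tarball's digest, verify the tarball's detached signature), as an added example that is not part of the original message or of any project mentioned in the thread. It addresses the swapped-signature scenario the post raises by accepting a signature only when gpg reports a VALIDSIG from one expected full fingerprint, rather than any signature that merely verifies. The file names (foo-1.2.3.xz, foo-1.2.3.xz.pgp, SHA512SUMS, SHA512SUMS.pgp), the fingerprint placeholder and the helper names are assumptions; the `[GNUPG:] VALIDSIG` / `BADSIG` lines it parses are the documented `gpg --status-fd` output.

```python
"""Release verification helper (added example, not code from the oss-sec thread).

Assumed layout (hypothetical): a directory with foo-1.2.3.xz, its detached
signature foo-1.2.3.xz.pgp, a sha512sum-style SHA512SUMS list and SHA512SUMS.pgp.
A signature counts only if gpg reports VALIDSIG from EXPECTED_FPR, so a valid
signature from some other key is rejected instead of merely reported.
"""
import hashlib
import os
import re
import subprocess

# One line of sha512sum output: 128 hex digits, a space, then ' ' or '*', then the name.
SUM_LINE = re.compile(r"^([0-9a-fA-F]{128}) [ *](.+)$")

# Constructed placeholder: replace with the maintainer's real 40-hex-digit fingerprint.
# A full fingerprint is used on purpose; a short key ID is not a safe identity.
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"


def parse_sha512sums(text):
    """Parse a sha512sum-style list into {filename: hexdigest}; ignore junk lines."""
    sums = {}
    for line in text.splitlines():
        m = SUM_LINE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def sha512_of(path):
    """Stream a file through SHA-512 and return the hex digest."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksums(sums, directory):
    """Return {filename: True/False}; a missing file counts as a failure."""
    results = {}
    for name, expected in sums.items():
        path = os.path.join(directory, name)
        results[name] = os.path.isfile(path) and sha512_of(path) == expected
    return results


def signature_is_from(status_text, expected_fpr):
    """Inspect gpg --status-fd output. True only when a VALIDSIG line names
    expected_fpr as the signing-key or primary-key fingerprint, and no BADSIG."""
    expected = expected_fpr.replace(" ", "").upper()
    valid = False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "BADSIG":
            return False
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            # fields[2] is the signing (sub)key fingerprint, the last field the primary key's.
            if expected in {fields[2].upper(), fields[-1].upper()}:
                valid = True
    return valid


def gpg_verify(sig_path, data_path, expected_fpr=EXPECTED_FPR):
    """Run gpg (must be installed) and decide using the fingerprint check above."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True,
    )
    return signature_is_from(proc.stdout, expected_fpr)


def verify_release(directory, tarball, expected_fpr=EXPECTED_FPR):
    """Whole procedure: signed checksum list, then digest, then the tarball's signature."""
    sums_path = os.path.join(directory, "SHA512SUMS")
    if not gpg_verify(sums_path + ".pgp", sums_path, expected_fpr):
        return False
    with open(sums_path) as f:
        checks = verify_checksums(parse_sha512sums(f.read()), directory)
    if not checks.get(tarball):
        return False
    tar_path = os.path.join(directory, tarball)
    return gpg_verify(tar_path + ".pgp", tar_path, expected_fpr)


if __name__ == "__main__":
    import sys
    ok = verify_release(sys.argv[1], sys.argv[2])  # e.g. ./release foo-1.2.3.xz
    print("OK" if ok else "REJECTED")
    sys.exit(0 if ok else 1)
```

Pinning the fingerprint is the step that makes the "spot the name on the signature" check mechanical: a packager's build script that only tests gpg's exit status would accept an attacker's re-signed tarball as long as the attacker's key was fetched, whereas this rejects it.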
Current thread:
- upstream source code authenticity checking Solar Designer (Apr 20)
- Re: upstream source code authenticity checking Alan Coopersmith (Apr 21)
- Re: upstream source code authenticity checking Marcus Meissner (Apr 21)
- Re: upstream source code authenticity checking Jeremy Stanley (Apr 21)
- Re: upstream source code authenticity checking Allan McRae (Apr 21)
- Re: upstream source code authenticity checking Alistair Crooks (Apr 21)
- Re: upstream source code authenticity checking Allan McRae (Apr 21)
- Re: upstream source code authenticity checking Alistair Crooks (Apr 21)
- Re: upstream source code authenticity checking Stuart Henderson (Apr 22)
- Re: upstream source code authenticity checking Allan McRae (Apr 21)
- Re: upstream source code authenticity checking Eric H. Christensen (Apr 24)
- Re: upstream source code authenticity checking Alistair Crooks (Apr 24)
- Re: upstream source code authenticity checking Allan McRae (Apr 24)
- Re: upstream source code authenticity checking Kurt Seifried (Apr 25)
- Re: upstream source code authenticity checking Daniel Kahn Gillmor (Apr 25)
- Re: upstream source code authenticity checking Alistair Crooks (Apr 24)
- Re: upstream source code authenticity checking Alan Coopersmith (Apr 21)