oss-sec mailing list archives

Re: upstream source code authenticity checking


From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Sat, 04 May 2013 05:08:06 -0400

On Thu 2013-04-25 10:03:15 -0400, nicolas vigier wrote:

> The good thing about PGP signed tarballs is that an automated check
> could be integrated in the package build, with some standard macros or
> a script to make it easy to check the signature from a specific key. If it's
> easy and does not cost time then more packagers will do it.

For Debian, this suggestion was made in http://bugs.debian.org/610712
for the "uscan" tool, which looks for new upstream releases.

I've just supplied a patch to that bug with a simple implementation for
the common case where the signatures are distributed alongside the
tarballs with a similar name, and are made by one of a small set of
known keys.

It has some flaws, but it's certainly better than doing nothing.  I
welcome review and/or feedback and suggestions on that bug report.

Regards,

        --dkg
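The check described in the message above, as an added shell example (not dkg's uscan patch or any Debian tooling): locate the detached signature shipped beside the tarball and verify it with gpgv against a keyring holding only the known upstream release keys. The suffix list, file names and keyring path are assumptions.

```shell
# Added example, not dkg's uscan patch: verify an upstream tarball against the
# detached OpenPGP signature distributed beside it, accepting only the small set
# of known release keys kept in a dedicated keyring. Suffixes and paths are
# assumptions for illustration.

# Print the path of the detached signature that sits next to TARBALL, trying
# the common suffixes in order; print nothing and return 1 if none is present.
find_sig() {
    tarball=$1
    for suffix in .asc .sig .sign; do
        if [ -f "$tarball$suffix" ]; then
            printf '%s\n' "$tarball$suffix"
            return 0
        fi
    done
    return 1
}

# Verify TARBALL using only the keys in KEYRING (e.g. an exported keyring of
# the upstream release keys shipped with the packaging). gpgv has no web of
# trust and consults no default keyring or keyserver, so a good result can come
# only from a key the packager deliberately put there, which is the property
# this check needs. KEYRING must contain a slash, otherwise gpgv looks for it
# in the GnuPG home directory instead of at the given path.
# Returns 0 on a good signature, 1 on a bad or unknown-key one, 2 if no
# detached signature was found beside the tarball.
verify_tarball() {
    tarball=$1
    keyring=$2
    sig=$(find_sig "$tarball") || {
        echo "no detached signature found beside $tarball" >&2
        return 2
    }
    if gpgv --keyring "$keyring" "$sig" "$tarball"; then
        echo "good signature on $tarball from a key in $keyring"
        return 0
    fi
    echo "signature check FAILED for $tarball" >&2
    return 1
}

# Example invocation (paths are placeholders):
# verify_tarball downloads/foo-1.2.tar.gz ./debian/upstream-signing-key.gpg
```

Wired into a build, a non-zero return from verify_tarball should abort the import of the new upstream release rather than merely warn.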
