Hello,

I hope to have selected the right contact address for this mail, if not,
please tell me or forward accordingly.

The kernel.org archive provides signatures for the software available
(which is great!). The method to verify these according to

        https://www.kernel.org/category/signatures.html#using-gnupg-to-verify-kernel-signatures

is to download the .tar.xz and the .tar.sign file, unxz the archive and
check the signature against the .tar file.

For one this is inconvenient because most tools don't know
this scheme. In my case this is tooling from Debian to work with
upstream archives[1].

But it also has an impact on security: As long as the signature isn't
verified I have to consider the .tar.xz "untrusted" and the fewer tools I
have to make operate on it the better.  This scheme allows an attacker
that has control over a mirror to provide a .tar.xz that makes unxz do
undesirable things, see https://en.wikipedia.org/wiki/Zip_bomb for an
attack idea.

Best regards
Uwe

[1] https://bugs.debian.org/882694
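An added example, not part of this mail or of kernel.org's own tooling, showing one way a consumer can keep the decompression step under control while still following the documented scheme: because the .tar.sign covers the uncompressed .tar, the archive has to be decompressed before gpg can check it, so the decompressor below caps how much output it will produce and aborts if an xz stream from a mirror expands past that cap. The cap itself is a caller-supplied assumption (a sane value is a modest multiple of the expected tarball size). The sample tarball and the 4 MiB-of-zeros "bomb" are constructed inline; the gpg step assumes `gpg` is on PATH and the signing key is already imported, as the kernel.org instructions require.

```python
"""Bounded decompression of an untrusted .tar.xz before gpg verification.

Added example (not from the mail or from kernel.org).  Uses only the
standard library; verify_tar_signature() shells out to `gpg --batch
--verify` and assumes gpg is installed and the kernel.org key imported.
"""
import io
import lzma
import os
import shutil
import subprocess
import tarfile
import tempfile


class DecompressionLimitExceeded(Exception):
    """Raised when the xz stream expands past the caller's output cap."""


def bounded_xz_decompress(data: bytes, max_out: int, chunk: int = 64 * 1024) -> bytes:
    """Decompress an xz stream, aborting once output exceeds max_out bytes.

    Output is pulled in pieces of at most `chunk` bytes via
    LZMADecompressor.decompress(max_length=...), so peak memory is bounded
    by roughly max_out + chunk no matter what the stream expands to.
    """
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
    view = memoryview(data)
    pos = 0
    out = bytearray()
    while not dec.eof:
        if dec.needs_input:
            if pos >= len(view):
                raise ValueError("truncated or corrupt xz stream")
            piece_in = view[pos:pos + chunk]
            pos += len(piece_in)
        else:
            piece_in = b""  # decoder still holds buffered input; just drain output
        out += dec.decompress(piece_in, max_length=chunk)
        if len(out) > max_out:
            raise DecompressionLimitExceeded(
                f"output exceeded {max_out} bytes after {pos} input bytes")
    if dec.unused_data:
        raise ValueError("trailing data after end of xz stream")
    return bytes(out)


def is_within_limit(data: bytes, max_out: int) -> bool:
    """True if the xz stream decompresses fully without exceeding max_out."""
    try:
        bounded_xz_decompress(data, max_out)
    except DecompressionLimitExceeded:
        return False
    return True


def verify_tar_signature(tar_path: str, sig_path: str) -> bool:
    """Run `gpg --batch --verify <sig> <tar>`; True only on exit status 0."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not found on PATH")
    result = subprocess.run([gpg, "--batch", "--verify", sig_path, tar_path],
                            capture_output=True, text=True)
    return result.returncode == 0


def decompress_and_verify(tar_xz_path: str, sig_path: str, max_out: int) -> bool:
    """Decompress under the cap, write the .tar to a temp file, hand it to gpg."""
    with open(tar_xz_path, "rb") as fh:
        tar_bytes = bounded_xz_decompress(fh.read(), max_out)
    with tempfile.NamedTemporaryFile(suffix=".tar", delete=False) as tmp:
        tmp.write(tar_bytes)
        tar_path = tmp.name
    try:
        return verify_tar_signature(tar_path, sig_path)
    finally:
        os.unlink(tar_path)


def make_sample_tar() -> bytes:
    """Constructed stand-in for a kernel tarball: one small file."""
    payload = b"constructed sample file\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("linux-sample/README")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


SAMPLE_TAR = make_sample_tar()
SAMPLE_XZ = lzma.compress(SAMPLE_TAR, format=lzma.FORMAT_XZ)
# Constructed "bomb": 4 MiB of zeros shrinks to a tiny xz stream.
BOMB_XZ = lzma.compress(b"\0" * (4 * 1024 * 1024), format=lzma.FORMAT_XZ)

if __name__ == "__main__":
    cap = 1024 * 1024  # 1 MiB cap, far above the sample tar's real size
    print("sample:", len(SAMPLE_XZ), "->", len(bounded_xz_decompress(SAMPLE_XZ, cap)), "bytes")
    print("bomb within limit:", is_within_limit(BOMB_XZ, cap))
```

The cap does not replace the signature check; it only bounds what the decompressor can do before gpg has spoken. `decompress_and_verify()` is the full documented flow (unxz, then verify the .tar) with that bound applied.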
