On 07/31/2015 01:24 PM, Michał Masłowski wrote:
>> 2) Sign stuff manually using SHA512sum and openssl's whirlpool (see my
>> PKGBUILDs for an example of this fail-safe); and import any GPG
>> signatures from upstream as needed, adding them to validpgpkeys field
>> for GPG verification.
> Fix the tools so no manual work is needed here.

Upstream bug/patch submitted: https://bugs.archlinux.org/task/45859

It will be as easy as including sha512sum() whirlpoolsum() in the PKGBUILD.

>> 3) Sign the PKGBUILD with GPG:
>> gpg --default-key [YOURKEYID] -b PKGBUILD
> Another manual step; also puts non-source files in the git repo.
>
> No code review is in this procedure.

I don't see any way around this yet. You could do this in batch if desired.

parallel gpg --default-key [yourkey] -b ::: PKGBUILD

If people are using abs, it pulls PKGBUILD and related source files; adding a .sig allows abs users to validate that the PKGBUILD was created by the claimed PKGBUILD maintainer. I consider this better than unsigned package builds, since it wouldn't take much to alter a PKGBUILD and re-push. Then someone would need to go back and trace git commits to figure out who. Even then, unless the git is signed, it'll be very hard to determine how that happened, since everyone is using the same git user, and it would be trivially easy to spoof the username in gitconfig should an attacker actually gain access.

Regarding the code review, thankfully gpg is pretty straightforward since we can use --verify. The only unreviewed portion is my two hash-skip functions, since it is not possible to hash-check a file you will be altering (in this case the GPG signature, which is created /after/ the PKGBUILD).
_______________________________________________ Dev mailing list [email protected] https://lists.parabola.nu/mailman/listinfo/dev
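The workflow discussed in the mail, as an added example that is not part of the original message or of Parabola's or Arch's tooling: hash a PKGBUILD with sha512sum (and whirlpool through openssl where that openssl still has it), produce a detached signature with `gpg --default-key KEYID -b PKGBUILD`, verify it the way an abs user would with `gpg --verify`, and then show that editing and re-pushing the PKGBUILD after signing breaks both the signature and the recorded hash. It assumes gpg 2.1 or later, GNU coreutils sha512sum and an openssl binary on PATH; the signing key (a throwaway key with a made-up user id), the PKGBUILD contents and all paths are constructed here.

```shell
#!/bin/sh
# Added example, not code from the mail or from Parabola/Arch tooling.
# Hash, detached-sign and verify a PKGBUILD, then show that a post-signing
# edit is rejected. Key, PKGBUILD and paths are all constructed below.
set -eu

if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not installed; nothing to demonstrate" >&2
    exit 0
fi

# Throwaway, unprotected signing key standing in for the maintainer's real key.
# The user id is hypothetical; prints the primary key fingerprint.
make_signing_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'PKGBUILD Maintainer <maintainer@example.org>' \
        default default never >/dev/null
    gpg --batch --with-colons --list-keys 'maintainer@example.org' \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Constructed PKGBUILD: just enough content to hash and sign.
write_pkgbuild() {      # $1 = path to write
    cat > "$1" <<'EOF'
pkgname=example
pkgver=1.0
pkgrel=1
arch=('any')
source=("https://example.org/example-1.0.tar.gz")
sha512sums=('SKIP')
EOF
}

# Step 2 of the mail: record sha512 next to the file; whirlpool is printed
# only if this openssl still provides it (OpenSSL 3 keeps it in "legacy").
record_hashes() {       # $1 = PKGBUILD path
    ( cd "$(dirname "$1")" && sha512sum "$(basename "$1")" > "$(basename "$1").sha512" )
    openssl dgst -whirlpool "$1" 2>/dev/null \
        || openssl dgst -provider legacy -provider default -whirlpool "$1" 2>/dev/null \
        || echo "whirlpool unavailable in this openssl" >&2
}

# Exit 0 only while the recorded sha512 still matches the file.
check_hashes() {        # $1 = PKGBUILD path
    ( cd "$(dirname "$1")" && sha512sum -c "$(basename "$1").sha512" >/dev/null 2>&1 )
}

# Step 3 of the mail: gpg --default-key KEYID -b PKGBUILD  ->  PKGBUILD.sig
sign_pkgbuild() {       # $1 = key fingerprint, $2 = PKGBUILD path
    gpg --batch --yes --quiet --default-key "$1" -b "$2"
}

# What an abs user does with the .sig: exit 0 only for a good signature
# made by a key present in the verifying keyring.
verify_pkgbuild() {     # $1 = PKGBUILD path
    gpg --batch --quiet --verify "$1.sig" "$1" >/dev/null 2>&1
}

# Runs the whole flow in a fresh GNUPGHOME; prints
# "signed-ok tampered-rejected" and returns 0 when everything behaves.
demo() {
    work="$(mktemp -d)"
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    pkg="$work/PKGBUILD"
    status=1
    if fpr="$(make_signing_key)" \
       && write_pkgbuild "$pkg" && record_hashes "$pkg" >/dev/null \
       && sign_pkgbuild "$fpr" "$pkg" \
       && check_hashes "$pkg" && verify_pkgbuild "$pkg"; then
        # The attack the mail worries about: alter the PKGBUILD after signing.
        printf 'source+=("https://example.org/extra.tar.gz")\n' >> "$pkg"
        if ! verify_pkgbuild "$pkg" && ! check_hashes "$pkg"; then
            echo "signed-ok tampered-rejected"
            status=0
        else
            echo "tampering not detected" >&2
        fi
    else
        echo "signing or fresh verification failed" >&2
    fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return $status
}

demo
```

Two things worth noting when adapting this: `gpg --verify` only proves that the signature matches some key in the verifier's keyring, so the abs user still has to obtain and trust the maintainer's key out of band, and a signature made after a malicious edit would verify just as well; and whirlpool has been moved to OpenSSL 3's legacy provider, so a fail-safe that depends on `openssl dgst -whirlpool` needs the provider loaded (or a different second digest) on newer systems.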
