On Mon, Jul 2, 2018 at 11:47 AM, Jason A. Donenfeld <zx...@gentoo.org> wrote:
> On Mon, Jul 2, 2018 at 6:02 PM R0b0t1 <r03...@gmail.com> wrote:
>> Signed hashes should be faster, no? Each directory with files could
>> have a manifest.
>
> Signatures work over hashes of data, anyway. I think what you're
> wondering, though, is the granularity of each signature? I'd recommend
> this be done on the per-file level, since we wouldn't want gentoo devs
> signing files in a directory they haven't actually inspected. For
> example, eclasses.
>

Ah, okay then - I think at one time in the past GPG did something strange
with file contents directly, or perhaps the implementation was just
inefficient. It was maybe related to Debian where I first read about
this? They were signing an .iso directly and found it was faster to hash
it and then sign the hash.

>>
>> > - Ensure the naming scheme of portage files is sufficiently strict, so
>> > that renaming or re-parenting signed files doesn't result in RCE. [*]
>> > - Distribute said .asc files with rsync per usual.
>>
>> Rsync would work with this setup, but there is also webrsync-gpg in
>> Portage right now. This covers the vast majority of use cases right
>> now.
>
> Not sure whether you've missed the point or if you're responding to
> something slightly different, but it's worth noting that both rsync
> and webrsync-gpg right now check against infra signatures, rather than
> developer signatures, and this is a big problem.

Right, I lost track of that. The infrastructure or release developers
are implicitly trusting all developers, so I suppose cutting out the
middleman will reduce work.
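The thread above makes two design points: sign a manifest of per-file hashes rather than raw file contents, and make the naming scheme strict enough that renaming or re-parenting a signed file is caught. The following stand-alone Python sketch is an added illustration of both points; it is not Portage code and not from anyone on the thread. It builds a manifest that binds each file's canonical relative path, size and BLAKE2b digest into one line, "signs" the manifest (HMAC with a constructed key stands in for a developer's detached OpenPGP signature so the example runs with the standard library alone), and shows verification catching a modified, a renamed and a re-parented file. The manifest line format, the path rules in canonical_path, the TREE contents and DEV_KEY are all constructed for this example and are not Gentoo's.

```python
"""Per-file manifest with a developer-level 'signature' over it.

Added example for the thread above; not Portage code. The manifest line
format, path rules, file contents and key are all constructed here.
"""
import hashlib
import hmac

# Constructed stand-in for the developer's signing key. HMAC is used only so the
# example runs with the standard library; the design discussed in the thread
# would use a detached OpenPGP signature made with the developer's own key.
DEV_KEY = b"constructed developer key - not a real secret"

# Constructed repository snapshot: canonical relative path -> file bytes.
TREE = {
    "eclass/example.eclass": b"# constructed eclass\nexample_src_compile() { emake; }\n",
    "app-misc/demo/demo-1.0.ebuild": b"EAPI=7\ninherit example\nDESCRIPTION=\"constructed\"\n",
    "app-misc/demo/metadata.xml": b"<pkgmetadata/>\n",
}


def canonical_path(path: str) -> str:
    """Strict naming rule (assumed, not Portage's): a relative POSIX path with
    no empty, '.' or '..' components, no backslashes and no control characters.
    Reject rather than normalise, so the path that was signed is the only path
    that verifies."""
    if path.startswith("/") or "\\" in path or any(ord(c) < 32 for c in path):
        raise ValueError(f"illegal path: {path!r}")
    if any(part in ("", ".", "..") for part in path.split("/")):
        raise ValueError(f"illegal path: {path!r}")
    return path


def digest(data: bytes) -> str:
    return hashlib.blake2b(data, digest_size=32).hexdigest()


def build_manifest(tree: dict) -> bytes:
    """One line per file binding path, size and content digest. The signature is
    made over these lines, i.e. over a hash of the hashes, never over the raw
    file bytes, so the developer signs where a file lives as well as what it is."""
    lines = [f"BLAKE2B {digest(data)} {len(data)} {canonical_path(path)}"
             for path, data in sorted(tree.items())]
    return ("\n".join(lines) + "\n").encode()


def sign(manifest: bytes, key: bytes = DEV_KEY) -> str:
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()


def verify(tree: dict, manifest: bytes, signature: str, key: bytes = DEV_KEY) -> list:
    """Return a sorted list of findings; [] means the tree matches the signed
    manifest exactly. Renaming or re-parenting a file shows up as a MISSING
    plus an UNLISTED entry, because the path is part of what was signed."""
    if not hmac.compare_digest(sign(manifest, key), signature):
        return ["BAD SIGNATURE"]  # do not trust any line of an unverified manifest
    listed = {}
    for line in manifest.decode().splitlines():
        _algo, hexdigest, size, path = line.split(" ", 3)
        listed[canonical_path(path)] = (hexdigest, int(size))
    findings = []
    for path, (hexdigest, size) in listed.items():
        data = tree.get(path)
        if data is None:
            findings.append(f"MISSING {path}")
        elif len(data) != size or not hmac.compare_digest(digest(data), hexdigest):
            findings.append(f"MODIFIED {path}")
    findings += [f"UNLISTED {path}" for path in tree if path not in listed]
    return sorted(findings)


def demo() -> dict:
    """Check the signed manifest against an intact, a modified, a renamed and a
    re-parented copy of TREE, plus a manifest altered after signing."""
    manifest = build_manifest(TREE)
    sig = sign(manifest)
    modified = dict(TREE)
    modified["eclass/example.eclass"] = b"# tampered\n"
    renamed = dict(TREE)
    renamed["eclass/evil.eclass"] = renamed.pop("eclass/example.eclass")
    reparented = dict(TREE)
    reparented["eclass/demo-1.0.ebuild"] = reparented.pop("app-misc/demo/demo-1.0.ebuild")
    return {
        "intact": verify(TREE, manifest, sig),
        "modified": verify(modified, manifest, sig),
        "renamed": verify(renamed, manifest, sig),
        "reparented": verify(reparented, manifest, sig),
        "tampered_manifest": verify(TREE, manifest.replace(b"example", b"other"), sig),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case:18} {findings or 'OK'}")
```

The point of the per-file lines is that the same bytes under a different name or in a different directory no longer match anything the developer signed, which is what the "renaming or re-parenting" concern in the thread is about; the signature check comes first so that nothing in an unverified manifest is ever consulted.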