On Monday, 20 August 2018 at 21:23:34 CEST, Germán Poo-Caamaño wrote:
> On Sat, 2018-08-18 at 18:48 +0200, Albert Astals Cid wrote:
> > On Saturday, 18 August 2018 at 15:41:38 CEST, Thomas Jarosch wrote:
> > > Hello Albert,
> > >
> > > is there any way to verify the integrity of poppler source
> > > releases?
> > >
> > > I didn't spot a GPG signature for the tarball
> > > or a simple SHA256 / MD5 checksum.
> > >
> > > If a gpg signature is too much effort, it would already help if there's
> > > an official sha256sum in the release announcement on the mailing list.
> > > (https://lists.freedesktop.org/archives/poppler/2018-July/013275.html)
> > >
> > > That would help to verify the download server has not been tampered
> > > with.
> >
> > You mean you're afraid somebody hacked on freedesktop git and replaced
> > https://cgit.freedesktop.org/poppler/poppler/tag/?h=poppler-0.67.0
> > to a different commit than the one that I originally tagged?
>
> I think he meant the tarballs, which in Poppler are released without
> any checksum.

Ah, right, I was thinking he meant the git hash and not the hash of the tarball itself :D

I guess I can sign the packages, I'm doing it when releasing KDE Applications so it's not more work. I'll try to remember for next release.

Cheers,
  Albert

> It helps to minimize any MITM.
>
> Thomas:
>
> You can verify the tarballs by:
> 1. downloading the tarball and calculate the checksum of your
> preference.
> 2. get a copy from git, checkout the release tag, build it, run make
> distcheck to create your own tarball, calculate the checksum, and
> compare it with the value you obtained in 1.
>
> That is what I do when I need to add a reference to poppler's tarball
> in a flatpak.

_______________________________________________
poppler mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/poppler
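Germán's two-step recipe above, written out as a script. This is an added example, not code from the thread or from the poppler project; it assumes git, tar, diff and sha256sum (or shasum) are on PATH, that the tagged checkout's build directory offers a `make distcheck` target driven by cmake, and that you supply the clone URL yourself. It also goes one step beyond the thread: when the two archives differ only in how they were compressed, it falls back to comparing the unpacked trees.

```shell
#!/bin/sh
# Added example (not from the poppler thread): check a downloaded release tarball
# against one rebuilt from the git tag, following the two steps above.
# Assumed: git, tar, diff and sha256sum/shasum on PATH; the checkout's build dir
# provides "make distcheck" and is configured with cmake (assumption).
set -eu

# Print the SHA-256 of a file, using whichever hashing tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
        cut -d' ' -f1
}

# Status 0 when both files hash the same (step 1 vs step 2), 1 otherwise.
checksums_match() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Fallback when the archives differ: compare the unpacked trees, since a different
# compressor or archive header changes the hash without changing the sources.
trees_match() {
    tmp=$(mktemp -d) && mkdir "$tmp/a" "$tmp/b"
    tar -xf "$1" -C "$tmp/a" && tar -xf "$2" -C "$tmp/b"
    if diff -r "$tmp/a" "$tmp/b" >/dev/null; then rm -rf "$tmp"; return 0; fi
    rm -rf "$tmp"; return 1
}

# Clone REPO at TAG into WORK, run make distcheck, print the tarball it produced.
rebuild_tarball() {  # rebuild_tarball REPO TAG WORK
    git clone --quiet --depth 1 --branch "$2" "$1" "$3/src"
    (cd "$3/src" && mkdir build && cd build && cmake .. >/dev/null && make distcheck >/dev/null)
    find "$3/src/build" -maxdepth 1 -name '*.tar.*' | head -n 1
}

# Usage: verify-tarball.sh DOWNLOADED_TARBALL CLONE_URL TAG
# e.g.   verify-tarball.sh poppler-0.67.0.tar.xz <poppler clone URL> poppler-0.67.0
main() {
    work=$(mktemp -d)
    rebuilt=$(rebuild_tarball "$2" "$3" "$work")
    if checksums_match "$1" "$rebuilt"; then
        echo "OK: downloaded tarball matches the rebuilt one byte for byte"
    elif trees_match "$1" "$rebuilt"; then
        echo "OK: archives differ but the unpacked sources are identical"
    else
        echo "MISMATCH: downloaded tarball does not match the tagged sources" >&2
        exit 1
    fi
}
[ $# -eq 0 ] || main "$@"
```

A byte-for-byte match is the strongest result; the tree comparison only tells you the sources agree, so a mismatch there still means the download should not be trusted.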
