Ahoy

At last weekend's Munich sprint, Jonathan and I discussed the possibility of detached-signing our tarballs. Right now people have to go to some website, get checksums, and then verify the downloaded tarballs match the checksums. This is not only terrible because it involves humans doing things, it is also terrible as there is no way to tell whether or not the data on the website is even authoritative, in particular for extragear where this information might not even be under https certification, and even if it was, who's to say the webserver hasn't been compromised. Add that our tarball mirrors are often distributing over http or ftp and getting an authoritative tarball is more luck than consistent checks.

And that is why we should sign our tarballs. We agreed to start doing that soonish for Plasma tarballs (or rather: releaseme in general) and would like to encourage everyone to build appropriate GPG signing tech into their release scripts. At the very least frameworks and apps would be beneficial to cover with signatures. It allows us to easily verify file integrity as well as file trustworthiness, as either of the two not adding up would result in a verification failure.

So how's that work? Relevant starting documentation can be found at [1]. I would for example run

  $ gpg2 --digest-algo SHA512 --armor --detach-sign -o phonon-4.9.0.tar.xz.sig -s phonon-4.9.0.tar.xz

This generates a .sig file for the phonon 4.9 tarball. Which I can then verify:

  $ gpg2 -q --verify -q phonon-4.9.0.tar.xz.sig phonon-4.9.0.tar.xz; echo $?
  gpg: Signature made Don 02 Jun 2016 13:34:35 CEST using DSA key ID 72F23991
  gpg: Good signature from "Harald Sitter <[email protected]>" [ultimate]

Now then. In the grand scheme of things we'd only ship tarballs with a relevant sig in the same directory. A consumer of our tarballs (e.g. a linux distribution) would grab our tarball *and* the sig and ensure that the sig is from an authoritatively trusted key (e.g. part of a keyring with trusted keys). If the verification succeeds the tarball is good to be used; if not, human intervention is required to investigate.

[1] https://www.gnupg.org/gph/en/manual/x135.html

HS
_______________________________________________
release-team mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/release-team
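A sign-and-verify wrapper for the workflow described in the post, added here as an example that is not part of the original message nor of releaseme: the consumer side checks gpg's machine-readable --status-fd output for a VALIDSIG from an allowlisted fingerprint instead of trusting the exit code alone, since any key that made it into the keyring also yields "Good signature". The function names (sign_tarball, status_ok, verify_tarball), the GPG variable, the keyring path and every key id or fingerprint are assumptions or constructed values.

```shell
#!/bin/sh
# Added example, not code from the post or from releaseme. GPG, the keyring
# path and every key id/fingerprint are assumptions or constructed values.
GPG=${GPG:-gpg2}

# Producer side: detached, armored SHA-512 signature next to the tarball, as
# in the post; $2 (assumed) pins the signing key when several are present.
sign_tarball() {
    tarball=$1; keyid=$2
    "$GPG" --batch --local-user "$keyid" --digest-algo SHA512 --armor \
        --detach-sign -o "$tarball.sig" "$tarball"
}

# Consumer side: read gpg --status-fd lines on stdin; succeed only when a
# VALIDSIG line names a fingerprint from the allowlist ($1, space-separated)
# and no line reports a bad, expired or revoked signature or key. A bare exit
# code of 0 is not enough: any key in the keyring yields "Good signature".
status_ok() {
    allowed=$1; matched=1; bad=0
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] VALIDSIG "*)
                set -- $line; fpr=$3          # third field is the fingerprint
                for a in $allowed; do
                    [ "$a" = "$fpr" ] && matched=0
                done ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*) bad=1 ;;
            "[GNUPG:] EXPSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ] && [ "$matched" -eq 0 ]
}

# Verify $1 and $1.sig against a dedicated keyring ($2) that holds only the
# release keys, accepting only fingerprints listed in $3.
# Returns 2 when the tarball or its .sig is missing, 1 on failure, 0 on success.
verify_tarball() {
    tarball=$1; keyring=$2; allowed=$3
    [ -f "$tarball" ] && [ -f "$tarball.sig" ] || return 2
    "$GPG" --batch --no-default-keyring --keyring "$keyring" --status-fd 1 \
        --verify "$tarball.sig" "$tarball" 2>/dev/null | status_ok "$allowed"
}
```

A distribution's packaging script would call verify_tarball with the keyring it ships and the fingerprints it has pinned, and stop the build on any non-zero return.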
