On 2010-05-26, Tom Albers <toma@kde.org> wrote:
> Sure, but those commits go to a mailinglist, so everyone can check what
> goes in. Detecting that a tarball has changed (or MITM) results in no
> commit message to any list. Changing the published sha1sums is a lot harder
> btw, as those are in svn too. But I don't think many check sha1sums.
>
> If the workflow is anywhere near sane for signing tarballs, I agree we
> should do them. 

1) check that the tarballs are sane.

2) generate some checksums
sha256sum *.tar.gz > sha256-sums

3) sign the checksums
gpg --clearsign sha256-sums

4) publish the signed checksums and the tarbaals
scp *.tar.gz sha256-sums.asc ktown:path

5) profit.


Alternatively, sign each tarball separately, but in a human unreadable
format

1) check that the tarballs are sane

2) sign tarbaals
for i in *.tar.gz ; do gpg -b $i ; done 

3) publish tarballs and signatures
scp *.tar.gz *.sig ktown:path

4) profit.



To validate:

First you need to establish a trust path to the key used to sign the
sources. This is the hard step.

either:
download tarballs and sha256 sums
gpg --verify sha256-sums.asc
sha256sum -c sha256-sums.asc
profit

or, if each tarball is signed individually
download tarballs and sig natures
for i in *.tar.gz ; do gpg --verify $i.sig $i ; done
profit


But verifying still fails on 'establish trust path to whoever signs it'.
Everyone can create a key saying "dirk mueller <dirk@something>", so it
kind of needs verifications.

/Sune

 
>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<