Distribute clearsigned sha256sum file instead of a detached signature.
This ensures that the thing signed includes the name of the tarball,
which defends the verifier by default against a freeze, rollback, or
project substitution attack.
A verifier can use something like the following (as expressed in
bash):
set -o pipefail
wget
https://notmuchmail.org/releases/notmuch-$VERSION.tar.gz{,.sha256.asc}
gpgv --keyring ./notmuch-signers.pgp --output -
notmuch-$VERSION.tar.gz.sha256.asc | sha256sum -c -
See id:87r2b8w956....@fifthhorseman.net and other messages in that
thread for discussion.
Signed-off-by: Daniel Kahn Gillmor <d...@fifthhorseman.net>
---
Makefile.global | 3 +--
Makefile.local | 13 +++++--------
2 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/Makefile.global b/Makefile.global
index 6e17494a..11fd0cee 100644
--- a/Makefile.global
+++ b/Makefile.global
@@ -43,8 +43,7 @@ RELEASE_URL=https://notmuchmail.org/releases
TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
-SHA256_FILE=$(TAR_FILE).sha256
-GPG_FILE=$(TAR_FILE).asc
+GPG_FILE=$(TAR_FILE).sha256.asc
PV_FILE=bindings/python/notmuch/version.py
diff --git a/Makefile.local b/Makefile.local
index 01ba49cc..48ef40e4 100644
--- a/Makefile.local
+++ b/Makefile.local
@@ -39,11 +39,8 @@ $(TAR_FILE):
gzip -n < $(TAR_FILE).tmp > $(TAR_FILE)
@echo "Source is ready for release in $(TAR_FILE)"
-$(SHA256_FILE): $(TAR_FILE)
- sha256sum $^ > $@
-
$(GPG_FILE): $(TAR_FILE)
- gpg --armor --detach-sign $^
+ sha256sum $(TAR_FILE) | gpg --clear-sign --output $@ -
.PHONY: dist
dist: $(TAR_FILE)
@@ -73,11 +70,11 @@ release: verify-source-tree-and-version
pristine-tar commit $(DEB_TAR_FILE) $(UPSTREAM_TAG)
git tag -s -m "$(PACKAGE) Debian $(VERSION)-1 upload (same as
$(VERSION))" $(DEB_TAG)
mkdir -p releases
- mv $(TAR_FILE) $(SHA256_FILE) $(GPG_FILE) releases
+ mv $(TAR_FILE) $(GPG_FILE) releases
$(MAKE) VERSION=$(VERSION) release-message >
$(PACKAGE)-$(VERSION).announce
ifeq ($(REALLY_UPLOAD),yes)
git push origin $(VERSION) $(DEB_TAG) release pristine-tar
- cd releases && scp $(TAR_FILE) $(SHA256_FILE) $(GPG_FILE)
$(RELEASE_HOST):$(RELEASE_DIR)
+ cd releases && scp $(TAR_FILE) $(GPG_FILE)
$(RELEASE_HOST):$(RELEASE_DIR)
ssh $(RELEASE_HOST) "rm -f $(RELEASE_DIR)/LATEST-$(PACKAGE)-* ; ln -s
$(TAR_FILE) $(RELEASE_DIR)/LATEST-$(TAR_FILE)"
endif
@echo "Please send a release announcement using
$(PACKAGE)-$(VERSION).announce as a template."
@@ -117,9 +114,9 @@ release-message:
@echo ""
@echo "Which can be verified with:"
@echo ""
- @echo " $(RELEASE_URL)/$(SHA256_FILE)"
+ @echo " $(RELEASE_URL)/$(GPG_FILE)"
@echo -n " "
- @cat releases/$(SHA256_FILE)
+ @cat releases/$(GPG_FILE)
@echo ""
@echo " $(RELEASE_URL)/$(GPG_FILE)"
@echo " (signed by `getent passwd "$$USER" | cut -d: -f 5 | cut -d, -f
1`)"
--
2.20.1
_______________________________________________
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch
