On 12/08/2013 10:16 PM, David Prévot wrote:

> Since it is easier to find/produce collisions with compressed files,
> some projects do a checksum on the tar file and not on the compressed
> file, see:
>
> http://cryptography.hyperlink.cz/2004/otherformats.html

This note is about bad properties of compressed files in relation to the use of known-weak cryptographic digests. The bad thing is the known-weak cryptographic digest. If some upstream's signatures are being made over an MD5 digest, they need to be fixed. We should be relying on signatures made over strong digests.

There are lots of ways to stuff unaccountable blobs into uncompressed tarballs (up to and including inserting an archive file into an unnoticed directory in the archive itself, or a jpeg in the docs directory with a plausibly-sized but high-entropy chunk of exif data).

> It would be nice to allow uscan to check the uncompressed tarball
> instead of the compressed one.

yes, i agree with that. how about adding another option to uscan: pgpsigarchivefilter, which represents a command through which the archive will be filtered before the signature is checked. So, for example, something like:

    opts="pgpsigarchivefilter=gzip -d,pgpsigurlmangle=s/tgz$/asc/"

then we could adjust the verification check to invoke gpg as (shell script here, plz convert to perl for it to actually work :P):

    <$tarball $filter | gpgv $sigfile -

> Bonus question: for CMocka, the directory also changes (see the s/34/33/
> below) for each file, independently of the version:
>
> https://open.cryptomilk.org/attachments/download/33/cmocka-0.3.2.tar.asc
> https://open.cryptomilk.org/attachments/download/34/cmocka-0.3.2.tar.xz
>
> Do you have an idea of a pgpsigurlmangle rule that would allow one to
> download the accurate signature file?

ugh, no i don't. any thoughts on a better way to match? maybe a different option that would scan the download page for filenames that match the version number somehow instead, and then fetch the full thing, regardless of path?

Wish i had better ideas,

--dkg
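An added example, not part of the thread above, illustrating why David's "checksum the tar, not the compressed file" suggestion and the proposed pgpsigarchivefilter pipeline make sense: the same tar payload, re-gzipped with a different compression level or header mtime, yields different compressed bytes (so a digest or signature over the .tar.gz no longer matches), while the digest over the decompressed tar stays stable. The archive contents and file names below are constructed sample data.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample upstream tree (names and contents are made up for this demo).
SAMPLE_FILES = {
    "pkg-1.0/README": b"hello\n",
    "pkg-1.0/src/main.c": b"int main(void) { return 0; }\n",
}


def build_tar(files):
    """Build an uncompressed tar archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0  # fixed so the tar itself is byte-for-byte reproducible
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def digests(tar_bytes, compresslevel, mtime):
    """Return (digest of .tar.gz bytes, digest of the tar after 'gzip -d')."""
    gz = gzip.compress(tar_bytes, compresslevel=compresslevel, mtime=mtime)
    # Second value is what a signature check over "<$tarball gzip -d" would see.
    return sha256(gz), sha256(gzip.decompress(gz))


def compare_repacks():
    """Re-gzip the identical tar twice with different gzip settings and compare."""
    tar_bytes = build_tar(SAMPLE_FILES)
    first = digests(tar_bytes, compresslevel=9, mtime=0)
    second = digests(tar_bytes, compresslevel=1, mtime=1386540000)
    return {
        "compressed_digest_matches": first[0] == second[0],    # False: gzip bytes differ
        "uncompressed_digest_matches": first[1] == second[1],  # True: tar payload identical
        "tar_digest": first[1],
    }


if __name__ == "__main__":
    print(compare_repacks())
```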