auth-tarball-from-git: verifying signed git tags without sha256sums=(SKIP)

2022-05-29 Thread kpcyrd
ohai! I blogged about a new tool that can be used to verify a tarball from a signed git tag, while still pinning the source code with >= sha256sum: https://vulns.xyz/2022/05/auth-tarball-from-git/ Let me know what you think - that's all, kpcyrd

[arch-dev-public] Re: auth-tarball-from-git: verifying signed git tags without sha256sums=(SKIP)

2022-05-29 Thread Archange
On 29/05/2022 at 14:40, kpcyrd wrote:
> ohai! I blogged about a new tool that can be used to verify a tarball from a signed git tag, while still pinning the source code with >= sha256sum: https://vulns.xyz/2022/05/auth-tarball-from-git/

What is the advantage over properly pinning the tag usi

Re: auth-tarball-from-git: verifying signed git tags without sha256sums=(SKIP)

2022-05-29 Thread David Runge
On 2022-05-29 12:40:22 (+0200), kpcyrd wrote:
> I blogged about a new tool that can be used to verify a tarball from a
> signed git tag, while still pinning the source code with >= sha256sum:
>
> https://vulns.xyz/2022/05/auth-tarball-from-git/
>
> Let me know what you think - that's all,

Hi, in

[arch-dev-public] Re: auth-tarball-from-git: verifying signed git tags without sha256sums=(SKIP)

2022-05-29 Thread Archange
On 29/05/2022 at 19:58, David Runge wrote:
> On 2022-05-29 12:40:22 (+0200), kpcyrd wrote:
> > I blogged about a new tool that can be used to verify a tarball from a signed git tag, while still pinning the source code with >= sha256sum: https://vulns.xyz/2022/05/auth-tarball-from-git/ Let me know w

Re: [arch-dev-public] Re: auth-tarball-from-git: verifying signed git tags without sha256sums=(SKIP)

2022-05-29 Thread Jonas Witschel
On 2022-05-29 12:40, kpcyrd wrote:
> I blogged about a new tool that can be used to verify a tarball from a
> signed git tag, while still pinning the source code with >= sha256sum:
>
> https://vulns.xyz/2022/05/auth-tarball-from-git/

I agree with the previous posters that a comparison with the est

Re: [arch-dev-public] Re: auth-tarball-from-git: verifying signed git tags without sha256sums=(SKIP)

2022-05-29 Thread Morten Linderud
On Sun, May 29, 2022 at 10:25:52PM +0200, Jonas Witschel wrote:
>
> This best practice of using pinned tag object hashes could then be enforced by
> a tool like your recently created archlinux-inputs-fsck [3]. Note that this
> project currently does not recognise PKGBUILDs with pinned tag hashes as

Re: [arch-dev-public] Re: auth-tarball-from-git: verifying signed git tags without sha256sums=(SKIP)

2022-05-29 Thread Allan McRae
On 30/5/22 06:25, Jonas Witschel wrote:
> Nevertheless I would love to see more (ideally all) packages using pinned tag object hashes over tag names, which I think would provide a tangible security benefit.

I thought this was already the standard. There were lots of bug reports (and a todo list

Re: [arch-dev-public] Re: auth-tarball-from-git: verifying signed git tags without sha256sums=(SKIP)

2022-05-29 Thread Jonas Witschel
On 2022-05-30 07:46, Allan McRae wrote:
> On 30/5/22 06:25, Jonas Witschel wrote:
> > Nevertheless I would love to see more (ideally all) packages using pinned
> > tag object hashes over tag names, which I think would provide a tangible
> > security benefit.
>
> I thought this was alread