| Summary: | Release signatures for distfiles et al should be using OpenPGP detached signatures | | |
|---|---|---|---|
| Product: | Gentoo Infrastructure | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component: | Other | Assignee: | Gentoo Infrastructure <infra-bugs> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | releng, sam |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Description
Kristian Fiskerstrand (RETIRED)
2016-02-16 20:28:37 UTC
The --clearsign format has remained for long-standing compat with old tools.

As a migration plan, how about this:
1. .DIGESTS file remains the same.
2. .DIGESTS.detached-sig is added.
3. .DIGESTS.asc clearsign format is announced to be sunset in 6 months.

To clarify on tools:
I've seen some tools that depended on the fact that .asc was a clear-signed file, and only fetched the .asc, and not the other .DIGESTS file.

The usable path is:
====
T=$(mktemp)
rm -f $T
if ! gpg -o $T --decrypt livedvd-x86-amd64-32ul-20140826.iso.DIGESTS.asc; then
    echo "Unable to validate"
    exit 1
fi
sha512sum -c $T
====

(In reply to Robin Johnson from comment #2)
> To clarify on tools:
> I've seen some tools that depended on the fact that .asc was a clear-signed
> file, and only fetched the .asc, and not the other .DIGESTS file.
>
> The usable path is:
> ====
> T=$(mktemp)
> rm -f $T
> if ! gpg -o $T --decrypt livedvd-x86-amd64-32ul-20140826.iso.DIGESTS.asc;
> then
> echo "Unable to validate"
> exit 1
> fi
> sha512sum -c $T
> ====

yeah, that is a sane path to convert the clearsigned file into a plain text variant, except for gpg not returning a non-zero return value in all cases it should be discarded, should use gpgv for that (certificate validity issues if not using a clean pubring)

But how about using a binary .sig detached signature as an alternative to detached-sig? (not that it matters that much, the proper way to verify is in any case gpg --verify <sig-file> <data-file> and --batch mode will fail without the dual-specification for the same reasons as the warning happens in interactive mode.)

Calling it .sig is fine by me. I'm just blocking change to the format of '.asc'.

Somewhere there was a tool that could convert between signature formats (clearsigned to detached). Have you seen it? Could we use it for this case?

(In reply to Robin Johnson from comment #4)
> Somewhere there was a tool that could convert between signature formats
> (clearsigned to detached). Have you seen it?
Could we use it for this case?

P.S. I know that detached->clearsigned is hard due to the whitespace rules, but the other direction should be possible.

I think this one is done:
* https://www.gentoo.org/news/2022/02/17/changed-signatures.html
* https://gitweb.gentoo.org/infra/mastermirror-scripts.git/commit/?id=285d8e0166ffd72aa56ab610d93365e66d75111e
* https://gitweb.gentoo.org/infra/mastermirror-scripts.git/commit/?id=198db23744732df928caee4a86f0cec6b3a5a21f
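
The verification path discussed in the comments above (gpgv against a dedicated keyring, with both the signature file and the data file named, followed by the checksum run), written out as an added example that is not part of the bug report or of Gentoo's scripts. The function name, argument order, return codes and file layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: fail-closed check of a detached OpenPGP signature over a
# .DIGESTS file, then of the checksums it lists.
# Assumptions (not from the bug): the function name, argument order, return
# codes, and a keyring file that holds ONLY the trusted release keys.

verify_digests() {
    keyring=$1   # keyring path containing a slash, e.g. ./release-keys.gpg
    sig=$2       # detached signature file
    digests=$3   # the signed .DIGESTS file

    for f in "$keyring" "$sig" "$digests"; do
        [ -r "$f" ] || { echo "missing input: $f" >&2; return 2; }
    done

    # gpgv accepts signatures only from keys in the given keyring, so the
    # result does not depend on whatever sits in a user's default pubring.
    # Naming both files makes the signed object explicit. Any non-zero
    # status (bad signature, unknown key, gpgv not installed) is a failure.
    if ! gpgv --keyring "$keyring" "$sig" "$digests"; then
        echo "signature check failed: $digests" >&2
        return 1
    fi

    # Only now is the checksum list trusted. Paths inside it are relative,
    # so run sha512sum from the directory that holds the downloads.
    ( cd "$(dirname "$digests")" && sha512sum -c "$(basename "$digests")" ) \
        || return 3
}
```

Return code 0 means both the signature and the checksums passed; 1, 2 and 3 distinguish a rejected signature, a missing input and a checksum mismatch.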