On Mon, Oct 31, 2016 at 06:04:48PM +0100, Levente Polyak wrote:
> I get your point what you try to achieve but the PKGBUILD already
> contains the integrity values (checksums) for all external sources and
> if you sign the PKGBUILD (which is the build script) then you have
> implicitly authenticated all integrity values of the external sources.
>
> A signature is nothing more (but also nothing less) than an
> authenticated checksum. If you sign a tarball then you "only" sign its hash.
>
> On top (like a bonus :P) if you sign the PKGBUILD then you did not only
> authenticate the checksums of the external sources but also the
> buildscript itself. So you really want to sign that instead ;)

As a side question... is there a significant difference in signing the
PKGBUILD vs the compiled package? Given that when building a pkg, I inspect
the PKGBUILD, what attack is possible when the PKGBUILD is not signed?

Also, isn't the use of a dev signature to validate upstream sources a
logical flaw? A dev might herself be misled and build a trojaned source...

Thx,
L.

--
Leonid Isaev
GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4
                  C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
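The integrity chain the thread describes, as an added example that is not code from the thread or from makepkg: signature verification is stood in for by a trusted digest of the PKGBUILD (a signature authenticates exactly that hash), and the PKGBUILD text and tarball bytes are constructed. It shows why checksums inside an unsigned PKGBUILD protect against a swapped tarball only as long as the PKGBUILD itself cannot be rewritten.

```python
import hashlib
import re

# Constructed sample PKGBUILD (not a real package); only the fields this
# example needs are present, and %s receives the source checksum.
PKGBUILD_TEMPLATE = """\
pkgname=example
pkgver=1.0
source=("https://example.invalid/example-1.0.tar.gz")
sha256sums=('%s')
"""

def parse_sha256sums(pkgbuild):
    """Return the checksums listed in the PKGBUILD's sha256sums=(...) array."""
    m = re.search(r"sha256sums=\((.*?)\)", pkgbuild, re.S)
    if not m:
        raise ValueError("no sha256sums array in PKGBUILD")
    return [h.lower() for h in re.findall(r"[0-9a-fA-F]{64}", m.group(1))]

def source_matches(pkgbuild, source, index=0):
    """Does the fetched source match the checksum the PKGBUILD lists for it?"""
    return hashlib.sha256(source).hexdigest() == parse_sha256sums(pkgbuild)[index]

def pkgbuild_authentic(pkgbuild, trusted_digest):
    """Stand-in for signature verification: a signature authenticates the hash
    of what was signed, so a trusted SHA-256 of the PKGBUILD models it here."""
    return hashlib.sha256(pkgbuild.encode()).hexdigest() == trusted_digest

def verify_build(pkgbuild, trusted_digest, source):
    """Accept only if the PKGBUILD is authentic and the source matches the
    checksum that authentic PKGBUILD lists (the transitive authentication)."""
    return pkgbuild_authentic(pkgbuild, trusted_digest) and source_matches(pkgbuild, source)

def scenarios():
    """Three cases: untouched, source tampered, source and PKGBUILD tampered."""
    genuine = b"constructed genuine upstream tarball bytes"
    tampered = b"constructed modified tarball bytes"
    pkgbuild = PKGBUILD_TEMPLATE % hashlib.sha256(genuine).hexdigest()
    signed_digest = hashlib.sha256(pkgbuild.encode()).hexdigest()  # what the dev "signed"
    # If the PKGBUILD can be rewritten, its checksum can be made to match
    # the modified source; only the PKGBUILD signature catches that.
    rewritten = PKGBUILD_TEMPLATE % hashlib.sha256(tampered).hexdigest()
    return {
        "genuine": verify_build(pkgbuild, signed_digest, genuine),
        "tampered_source": (source_matches(pkgbuild, tampered),
                            verify_build(pkgbuild, signed_digest, tampered)),
        "tampered_source_and_pkgbuild": (source_matches(rewritten, tampered),
                                         verify_build(rewritten, signed_digest, tampered)),
    }
```

In the last case the checksum check alone passes while the signed-PKGBUILD check fails, which is the difference between signing the build script and merely listing checksums in it.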