On Tue, 05 Jul 2011 17:05:45 -0500, MC (Michael) wrote:

> > Some packagers do upload the detached sig and add it to the spec
> > as another Source file URL.
>
> Great! Except I haven't done so. I wasn't required to submit a signature
> for my package nor do the Package Guideline pages refer to doing so.
> Might be worth someone's time to mention it on the wiki (who knows about
> this functionality).

It isn't any "functionality". It is just possible to place a tarball and
its detached GPG sig file in the source RPM package for anyone who may
want to verify the sig manually at some point in time.

Verifying detached tarball sigs isn't trivial or 100% safe anyway. One
needs to be very familiar with the signer's key(s). Else the risk is too
high that a user simply fetches a needed key from a key server without
applying extra care.

And for a sufficiently large tarball of a project with N>1 devs, has the
signer been able to actually verify all source code changes prior to
signing the tarball? Or is the signature only used to flag a package as
coming from a trusted project developer without any additional
guarantees? A tarball sig is just one layer of safety, but no ultimate
protection.

> > The uploaded tarball checksum enters the "sources" file in git, and any
> > tarball downloaded from the lookaside cache MUST match that checksum.
> > Else it wouldn't be downloaded and used. Source RPM build in koji would
> > fail.
>
> This is just a checksum against the tarball that enters the lookaside
> cache. Yes, I know about this. A malicious package could have been
> uploaded to the lookaside cache, however. This leads to demanding
> everyone have signatures available, but what do you do about SVN/Git
> checkouts or projects that don't wish to provide signatures?

Obviously, one needs to be very careful, skim over diffs, monitor commits
regularly, archive snapshots regularly, be familiar with upstream release
habits.

Upstream also needs to do that, to avoid that a compromised account from
a committer is used to infiltrate the project. If a source code
repository is modified without permission and no developer (or release
manager) notices it, would the person adding the tarball sig notice it?

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
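As an added example (not code from the mail, nor Fedora's own tooling), the following Python checks the two layers the thread discusses: a downloaded tarball must hash to the digest recorded in the "sources" file, and a detached signature is accepted only when gpg's VALIDSIG status names a key fingerprint pinned locally, so a key merely fetched from a keyserver is not enough. The two "sources" line layouts, the sample tarball bytes and the fingerprint placeholders are assumptions constructed for the example.

```python
import hashlib, hmac, re, subprocess

# Assumed "sources" line layouts: "<hexdigest>  <filename>" (md5sum/sha*sum style)
# and "<ALGO> (<filename>) = <hexdigest>" (BSD style).
_BSD = re.compile(r"^(\w+) \((.+)\) = ([0-9a-fA-F]+)$")
_PLAIN = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+)$")
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

def parse_sources(text):
    """Return {filename: (algorithm, hexdigest)} for every entry in a sources file."""
    entries = {}
    for line in text.splitlines():
        m = _BSD.match(line.strip())
        if m:
            entries[m.group(2)] = (m.group(1).lower(), m.group(3).lower())
            continue
        m = _PLAIN.match(line.strip())
        if m and len(m.group(1)) in _ALGO_BY_LEN:
            entries[m.group(2)] = (_ALGO_BY_LEN[len(m.group(1))], m.group(1).lower())
    return entries

def checksum_matches(sources_text, filename, data):
    """True only if the tarball bytes hash to the recorded digest; unlisted files are refused."""
    entry = parse_sources(sources_text).get(filename)
    if entry is None:
        return False
    algo, expected = entry
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), expected)

def signed_by_pinned_key(status_text, trusted_fprs):
    """Accept a gpg VALIDSIG line only if the signing key or its primary key is pinned."""
    pinned = {f.replace(" ", "").upper() for f in trusted_fprs}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # fields[2] is the signing (sub)key fingerprint, the last field the primary key's
            if {fields[2].upper(), fields[-1].upper()} & pinned:
                return True
    return False

def verify_detached(tarball_path, sig_path, trusted_fprs):
    """Run gpg (must be installed) and apply the pinned-fingerprint rule to its status output."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, tarball_path],
                          capture_output=True, text=True)
    return proc.returncode == 0 and signed_by_pinned_key(proc.stdout, trusted_fprs)

# Constructed sample: fake tarball bytes and a sources file listing them (digest computed here).
SAMPLE_TARBALL = b"constructed bytes standing in for foo-1.0.tar.gz\n"
SAMPLE_SOURCES = "SHA512 (foo-1.0.tar.gz) = %s\n%s  bar-2.0.tar.gz\n" % (
    hashlib.sha512(SAMPLE_TARBALL).hexdigest(), "0" * 32)
```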