Re: verifying signature for a package

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Btw, I assume that i should call it xfontsel.gpg, or should I rename it too?

Thanks!






On Sunday, April 17, 2022, 10:50:37 AM CDT, Globe Trotter via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote: 





Thanks very much! I will do this today.




On Sunday, April 17, 2022, 09:12:15 AM CDT, Björn Persson <bjorn@xxxxxxxxxxxxxxxxxxxx> wrote: 





Ben Beasley wrote:

> Please see https://src.fedoraproject.org/rpms/xfontsel/blob/a38f5a42fa7bc59378527cf05dabe29523675613/f/xfontsel.spec#_10 for an example from the same group of X11 programs.


What's described there is known as TOFU – trust on first use. Ben
looked up which key made the signature, downloaded that key and added it
to the Git repository. Initially this adds no security, as all that can
be verified is that the tarball was signed by whoever signed it.

The value of TOFU comes when the same key is used to verify another
tarball. As long as the key in the Git repository remains unchanged,
the signature verification can prove that each new release of Xfontsel
is signed by the same person who signed the earlier releases.

In this case I see that Oclock and Xfontsel are signed with the same
key. That seems quite legitimate as both tarballs are from www.x.org.
Instead of doing another, separate TOFU, you should copy Ben's
xfontsel.gpg from the xfontsel Git repository. That way your initial
Oclock package is not a first use of the key, but a second use, and
when you invoke gpgverify it will prove that the Oclock tarball was
signed by the same person who signed the Xfontsel tarball.

Once you have the key, remember to pass all three parameters to
gpgverify: --keyring, --signature and --data.

Björn Persson

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux