Re: verifying signature for a package

Thanks for the detailed explanation—which I didn’t have time to supply myself, but fully agree with—and the good advice to re-use the xfontsel keychain file.

It’s even better when the key can come from a source with some nonzero (if imperfect) level of trust, like upstream’s HTTPS server, or an email or IRC conversation where you have good reason to believe you are corresponding with the upstream developer(s). In reality, TOFU via the keyserver network is often the best we can reasonably do.

On Sun, Apr 17, 2022, at 10:11 AM, Björn Persson wrote:
> Ben Beasley wrote:
>> Please see https://src.fedoraproject.org/rpms/xfontsel/blob/a38f5a42fa7bc59378527cf05dabe29523675613/f/xfontsel.spec#_10 for an example from the same group of X11 programs.
>
> What's described there is known as TOFU – trust on first use. Ben
> looked up which key made the signature, downloaded that key and added it
> to the Git repository. Initially this adds no security, as all that can
> be verified is that the tarball was signed by whoever signed it.
>
> The value of TOFU comes when the same key is used to verify another
> tarball. As long as the key in the Git repository remains unchanged,
> the signature verification can prove that each new release of Xfontsel
> is signed by the same person who signed the earlier releases.
>
> In this case I see that Oclock and Xfontsel are signed with the same
> key. That seems quite legitimate as both tarballs are from www.x.org.
> Instead of doing another, separate TOFU, you should copy Ben's
> xfontsel.gpg from the xfontsel Git repository. That way your initial
> Oclock package is not a first use of the key, but a second use, and
> when you invoke gpgverify it will prove that the Oclock tarball was
> signed by the same person who signed the Xfontsel tarball.
>
> Once you have the key, remember to pass all three parameters to
> gpgverify: --keyring, --signature and --data.
>
> Björn Persson
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
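The advice above (reuse the pinned keyring from the xfontsel repository, then pass all three parameters to gpgverify) translates into a few lines of an RPM spec. The fragment below is an added illustration, not the actual xfontsel or oclock spec; the package name, the x.org release URLs and the keyring filename are assumptions. Source2 is the keyring copied from xfontsel's dist-git, so this build is a second use of the upstream key rather than a fresh trust-on-first-use, and any tarball signed by a different key fails the build in %prep.

```spec
# Added example, not the xfontsel or oclock spec from the thread.
# Package name and URLs below are placeholders for this illustration.

# The upstream release tarball and the detached signature published beside it.
Source0:        https://www.x.org/releases/individual/app/%{name}-%{version}.tar.xz
Source1:        https://www.x.org/releases/individual/app/%{name}-%{version}.tar.xz.sig
# Keyring kept in dist-git. Copied from the xfontsel repository rather than
# downloaded afresh, so the key is pinned by its earlier use, not trusted anew.
Source2:        xfontsel.gpg

# gpgverify is a wrapper around gpg, so the build needs gnupg2 available.
BuildRequires:  gnupg2

%prep
# All three parameters matter: --keyring pins which key is acceptable,
# --signature is the detached signature, --data is the file it covers.
# A signature from any key not in the keyring, or a modified tarball,
# makes gpgverify exit non-zero and aborts the build here.
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup
```

The check only proves continuity: the new tarball was signed by the same key as the releases already verified against that keyring. Renewing or rotating the upstream key requires a deliberate keyring update in dist-git, which is exactly the change a reviewer should look at closely.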