[Bug 1834731] Review Request: bitcoin-core - Peer to Peer Cryptographic Currency

https://bugzilla.redhat.com/show_bug.cgi?id=1834731

Björn Persson <bjorn@xxxxxxxxxxxxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|Linux                       |Unspecified
               Type|---                         |Bug
           Severity|medium                      |unspecified
             Status|ASSIGNED                    |NEW
           Hardware|All                         |Unspecified
            Version|rawhide                     |33
              Flags|fedora-review?              |
           Priority|medium                      |unspecified



--- Comment #117 from Björn Persson <bjorn@xxxxxxxxxxxxxxxxxxxx> ---
(In reply to Simone Caronni from comment #105)
> Maybe 10 signatures is a bit too much

You can change that number with every release if you want. Ten happened to be
the number of signatures I could validate.

(In reply to Simone Caronni from comment #106)
> All keys are deleted before regenerating, so at every release it's clear
> what must go and disappear from git (git status).

(In reply to Simone Caronni from comment #108)
> The script now makes sure to download only the valid keys listed in the list
> of keys that have been used to sign.

That's a good approach if the set of people who sign releases will be mostly
the same every time. If it turns out that several people sign some releases and
not others, then it will cause their keys to be dropped and added back
repeatedly. In the latter case it may be better to add a key to the package the
first time that key signs a release, and remove only revoked and expired keys.

(In reply to Simone Caronni from comment #108)
> OK, this is much better:
> https://github.com/negativo17/bitcoin-core/blob/1c3ee00c999b0ed8b3e497c7d9019ab1d8bc006b/bitcoin-gpg.sh

bitcoin-gpg.sh relies on the tarball to tell it which keys should be used to
verify the tarball. A manipulated tarball will of course contain a manipulated
keys.txt that lists fake keys generated by the attacker. This makes it all the
more important to not remove and re-add keys in the package unnecessarily. The
continuity of the keys in the Git history becomes the only thing that can show
that the tarball is genuine.

bitcoin-gpg.sh will include a revoked or expired key if it signs a release.
Such keys must be weeded out.

bitcoin-gpg.sh fails for me because the string "Good signature" is
locale-specific. The locale-independent solution is to use --status-fd and grep
for "^\[GNUPG:\] GOODSIG ".


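The locale-independent check suggested in comment #117, as an added example that is not part of the original message or of bitcoin-gpg.sh: it reads GnuPG status lines and accepts only GOODSIG, reporting signatures from expired or revoked keys separately so they can be weeded out. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify signatures from GnuPG's machine-readable status
# output instead of matching translated text such as "Good signature".

# Constructed sample of `gpg --status-fd` lines (key IDs and names are made up).
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Signer One <one@example.org>
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 2222222222222222 Signer Two <two@example.org>
[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG 3333333333333333 Signer Three <three@example.org>
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 4444444444444444 1 8 00 1589000000 9
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 5555555555555555 Signer Five <five@example.org>
EOF
}

# Reads status lines on stdin; prints one verdict per signature.
# Real use (assumed invocation; "$sig" is a placeholder for the signature file):
#   gpg --status-fd 1 --verify "$sig" 2>/dev/null | classify_signatures
classify_signatures() {
    while read -r prefix keyword keyid _rest; do
        [ "$prefix" = '[GNUPG:]' ] || continue
        case "$keyword" in
            GOODSIG)   echo "ACCEPT $keyid" ;;
            EXPKEYSIG) echo "REJECT $keyid expired-key" ;;
            REVKEYSIG) echo "REJECT $keyid revoked-key" ;;
            EXPSIG)    echo "REJECT $keyid expired-signature" ;;
            BADSIG)    echo "REJECT $keyid bad-signature" ;;
            ERRSIG)    echo "REJECT $keyid unverifiable" ;;
        esac
    done
}

# Number of signatures that are good and made by a currently valid key.
count_accepted() {
    classify_signatures | grep -c '^ACCEPT ' || true
}

# Succeeds when at least $1 acceptable signatures are present on stdin.
enough_good_signatures() {
    [ "$(count_accepted)" -ge "$1" ]
}

sample_status | classify_signatures
```
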