On 08.08.19 21:55, Björn Persson wrote:
> · Minisign itself: Precompiled binary packages are signed, but not the
> source code apparently. https://github.com/jedisct1/minisign/issues/61
> · Sodium: There are both Minisign signatures and OpenPGP signatures.
> · dnscrypt-proxy: Again, precompiled binary packages are signed, but
> not the source code.
> · Radare2: I can't find any signatures.
> · OpenSMTPD: Signify signatures found.

I can create issues/PRs for these later as well!

As for packages requiring gnupg2, there are slightly more... But there may be some false positives as well...

$ repoquery -q --disablerepo='*' --enablerepo=fedora-source --enablerepo=updates-source --archlist=src --whatrequires gnupg2 --releasever=rawhide | wc
83 83 2468

> That's great and all, but have there been any serious attempts to trick
> Minisign or Signify into accepting a fake signature, by people who are
> experienced in such attacks?

Not that I know of. The author of Minisign is the author of libsodium as well. So the trust is mostly based on the author's reputation, and the reputation of OpenBSD developers (signify). I did find an audit by PIA from two years ago for libsodium that was quite positive [1].

> Cryptography is tricky stuff. It's very easy to overlook some detail.
> Users should be wary of homegrown protocols that haven't been rigorously
> analyzed.

As for the current status quo, i.e. PGP, see [2,3]; it would be fair to hold PGP (GnuPG) to the same standards... Based on its history of vulnerabilities I don't really trust it for anything. I'm sure you can use it safely if you are an expert and don't use key servers, but well, I don't trust myself with PGP... That is also the main reason I am in the process of switching to signify/Minisign for my own projects.
Cheers,
François

[1] https://www.privateinternetaccess.com/blog/2017/08/libsodium-v1-0-12-and-v1-0-13-security-assessment/
[2] https://latacora.micro.blog/2019/07/16/the-pgp-problem.html
[3] https://blog.trailofbits.com/2019/07/08/fuck-rsa/

_______________________________________________
packaging mailing list -- packaging@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to packaging-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/packaging@xxxxxxxxxxxxxxxxxxxxxxx