Re: Stability of git-archive, breaking (?) the Github universe, and a possible solution

On Tue, Jan 31, 2023 at 11:34:59AM -0500, Eli Schwartz wrote:
> In most contexts, it's utterly unacceptable to not remember the checksum
> of the file you used last time and instead simply trust PGP identity
> verification. This permits upstream the technical means to be malicious,
> and re-upload a totally different tarball with the same name, different
> contents, and different PGP signature, and you will never notice because
> the PGP signature is still okay.

Yes, it's true, and it's something that Sigstore tries to address.

That said, if I wanted to trojan a download and had access to both the
infrastructure and the developer's credentials, I wouldn't pick a months-old
release for this purpose. I would wait until I see a new release coming out
and then swap it mid-flight. This lets me defeat even transparency-log based
solutions like sigstore.

(I'll probably be giving a talk at the Linux Security Summit titled "How to
trojan the Linux Kernel" where I'll go into some of these considerations. :))

-K
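The mitigation Eli Schwartz describes above (remember the checksum of the artifact you used last time instead of trusting signer identity alone) is the "pinned checksum" or trust-on-first-use pattern, and Konstantin's reply points at its blind spot: the pin protects every fetch after the first, but not the first one. The script below is an added example, not code from this thread or from any project discussed in it. It records a SHA-256 pin per artifact name in a sha256sum-style pin file, reports a same-named artifact whose contents changed, and treats an artifact with no pin as the unprotected first-seen case. Signature verification is assumed to happen separately (for example with gpg) and is not implemented here; all file names, contents and digests in the demo are constructed.

```python
"""Pinned-checksum verification for release tarballs (added example).

Records the SHA-256 of each named artifact the first time it is accepted and
refuses a later artifact with the same name but different contents, whatever
its signature says. Pin-file format is '<sha256 hex>  <name>' per line, the
same layout `sha256sum -c` reads. Everything below is illustrative and
assumed; it is not any distribution's or project's actual tooling.
"""
import hashlib
import sys
from typing import Dict, Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def load_pins(text: str) -> Dict[str, str]:
    """Parse pin-file text into {name: digest}; rejects malformed lines."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed pin line: {raw!r}")
        pins[name] = digest.lower()
    return pins


def dump_pins(pins: Dict[str, str]) -> str:
    """Serialise pins in a stable, sha256sum-compatible order."""
    return "".join(f"{digest}  {name}\n" for name, digest in sorted(pins.items()))


def check_artifact(name: str, data: bytes, pins: Dict[str, str],
                   allow_new: bool = False) -> str:
    """Compare an artifact against its pin.

    Returns one of:
      'match'    - contents equal the recorded pin
      'pinned'   - no pin existed; one was recorded (only if allow_new)
      'unpinned' - no pin existed and allow_new is False
      'mismatch' - a pin exists and the contents differ (the re-upload case)
    The pin dict is updated in place when a new pin is recorded.
    """
    actual = sha256_hex(data)
    expected: Optional[str] = pins.get(name)
    if expected is None:
        if not allow_new:
            return "unpinned"
        pins[name] = actual
        return "pinned"
    return "match" if actual == expected else "mismatch"


def main() -> int:
    # Constructed demo data: a first release fetch, a clean re-fetch, and a
    # same-named tarball whose contents were silently replaced upstream.
    name = "example-1.2.3.tar.xz"
    original = b"constructed bytes standing in for the original release tarball"
    replaced = b"constructed bytes standing in for a re-uploaded, different tarball"

    pins: Dict[str, str] = {}
    print("first fetch :", check_artifact(name, original, pins, allow_new=True))
    print("re-fetch    :", check_artifact(name, original, pins))
    verdict = check_artifact(name, replaced, pins)
    print("re-upload   :", verdict)

    # Round-trip through the on-disk format to show the pins survive storage.
    assert load_pins(dump_pins(pins)) == pins
    return 1 if verdict == "mismatch" else 0


if __name__ == "__main__":
    sys.exit(main())
```

In a build pipeline the `allow_new=True` path is the one to keep narrow: it is exactly the window where an attacker who controls both the hosting and the signing key can swap a brand-new release before anyone has pinned it, so that first acceptance is worth an out-of-band check rather than an automatic record.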
