Diffstat (limited to 'zarb-ml/mageia-dev/2012-January/011201.html')
-rw-r--r-- | zarb-ml/mageia-dev/2012-January/011201.html | 306 |
1 files changed, 306 insertions, 0 deletions
diff --git a/zarb-ml/mageia-dev/2012-January/011201.html b/zarb-ml/mageia-dev/2012-January/011201.html new file mode 100644 index 000000000..5020f7c51 --- /dev/null +++ b/zarb-ml/mageia-dev/2012-January/011201.html 
@@ -0,0 +1,306 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-dev] Signature verification of sources + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Signature%20verification%20of%20sources&In-Reply-To=%3C201201101250.16444.bgmilne%40zarb.org%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="011198.html"> + <LINK REL="Next" HREF="011208.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-dev] Signature verification of sources</H1> + <B>Buchan Milne</B> + <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Signature%20verification%20of%20sources&In-Reply-To=%3C201201101250.16444.bgmilne%40zarb.org%3E" + TITLE="[Mageia-dev] Signature verification of sources">bgmilne at zarb.org + </A><BR> + <I>Tue Jan 10 11:50:15 CET 2012</I> + <P><UL> + <LI>Previous message: <A HREF="011198.html">[Mageia-dev] Fwd: Re: [Kolab-devel] Supercolliding a PHP array - DoS Attacks +</A></li> + <LI>Next message: <A HREF="011208.html">[Mageia-dev] Signature verification of sources +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#11201">[ date ]</a> + <a href="thread.html#11201">[ thread ]</a> + <a href="subject.html#11201">[ subject ]</a> + <a href="author.html#11201">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>I think we should be in the position to be able to verify the origin of any +software we provide to users. + +While we have cryptographic verification of the RPMS (both 'binary' and src), +and we store the hashes of the sources, AFAIK we do very limited verification +of any signatures provided by upstream. 
+ +Now, unfortunately, not all upstreams provide useful signatures: +1)Not all upstreams provide signatures (some even say that there is no point, +as no-one verifies them) +2)Some upstreams (such as kernel) use automated mechanisms to generate +signatures (and in the case of kernl explicitly state that they are only +useful for verifying that they match what is on kernel.org, not necessarily +that they match what linus generated) +3)Some upstreams do provide signatures, but sometimes the signing identity +changes, or the mechanism (sign gzipped tarball once, unzipped tarball next +time) + +It seems difficult to argue for upstreams to provide good signatures if no-one +is verifying them + +So, I have started adding signature verification to my packages where upstream +provides signatures: +-tevent +-tdb +-ldb +-samba + +In the past few weeks, I have been moving to defining and using a 'check_sig' +macro, and I wonder if it would be useful to move it to spec-helper, and start +using it wherever possible. + +This is the version in the ldb spec: +%define check_sig() export GNUPGHOME=%{_tmppath}/rpm-gpghome \ +if [ -d "$GNUPGHOME" ] \ +then echo "Error, GNUPGHOME $GNUPGHOME exists, remove it and try again"; exit +1 \ +fi \ +install -d -m700 $GNUPGHOME \ +gpg --import %{1} \ +gpg --trust-model always --verify %{2} %{?3} \ +rm -Rf $GNUPGHOME \ + + +Used as follows: + +Source: <A HREF="http://samba.org/ftp/ldb/ldb-%{ldbver">http://samba.org/ftp/ldb/ldb-%{ldbver</A>}.tar.gz +Source1: <A HREF="http://samba.org/ftp/ldb/ldb-%{ldbver">http://samba.org/ftp/ldb/ldb-%{ldbver</A>}.tar.gz.asc +Source2: jelmer.asc +[...] 
+ +%prep +%check_sig %{SOURCE2} %{SOURCE1} %{SOURCE0} + +Producing: + ++ export GNUPGHOME=/home/bgmilne/tmp/rpm-gpghome ++ GNUPGHOME=/home/bgmilne/tmp/rpm-gpghome ++ '[' -d /home/bgmilne/tmp/rpm-gpghome ']' ++ install -d -m700 /home/bgmilne/tmp/rpm-gpghome ++ gpg --import /home/bgmilne/Download/source/svn/mageia/ldb/SOURCES/jelmer.asc +gpg: keyring `/home/bgmilne/tmp/rpm-gpghome/secring.gpg' created +gpg: keyring `/home/bgmilne/tmp/rpm-gpghome/pubring.gpg' created +gpg: /home/bgmilne/tmp/rpm-gpghome/trustdb.gpg: trustdb created +gpg: key 1EEF5276: public key "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at samba.org</A>>" imported +gpg: key D729A457: public key "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at samba.org</A>>" imported +gpg: Total number processed: 2 +gpg: imported: 2 (RSA: 1) +gpg: no ultimately trusted keys found ++ gpg --trust-model always --verify +/home/bgmilne/Download/source/svn/mageia/ldb/SOURCES/ldb-1.1.4.tar.gz.asc +/home/bgmilne/Download/source/svn/mageia/ldb/SOURCES/ldb-1.1.4.tar.gz +gpg: Signature made Sat 03 Dec 2011 01:14:25 SAST using RSA key ID D729A457 +gpg: Good signature from "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at samba.org</A>>" +gpg: aka "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at sernet.de</A>>" +gpg: aka "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at apache.org</A>>" +gpg: aka "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at debian.org</A>>" +gpg: aka "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at ubuntu.com</A>>" +gpg: aka "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at vernstok.nl</A>>" +gpg: aka "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at 
canonical.com</A>>" +gpg: aka "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at openchange.org</A>>" +gpg: aka "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jrvernooij at tigris.org</A>>" +gpg: aka "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer.vernooij at canonical.com</A>>" +gpg: WARNING: Using untrusted key! +gpg: Signature made Sat 03 Dec 2011 01:14:25 SAST using DSA key ID 1EEF5276 +gpg: Good signature from "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at samba.org</A>>" +gpg: aka "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at fsfe.org</A>>" +gpg: aka "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at sernet.de</A>>" +gpg: aka "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at debian.org</A>>" +gpg: aka "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at ubuntu.com</A>>" +gpg: aka "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jrvernoo at cs.uu.nl</A>>" +gpg: aka "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at vernstok.nl</A>>" +gpg: aka "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at openchange.org</A>>" +gpg: aka "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jrvernooij at tigris.org</A>>" +gpg: aka "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at a-eskwadraat.nl</A>>" +gpg: WARNING: Using untrusted key! 
++ rm -Rf /home/bgmilne/tmp/rpm-gpghome + +Tampering with the source results in: + ++ export GNUPGHOME=/home/bgmilne/tmp/rpm-gpghome ++ GNUPGHOME=/home/bgmilne/tmp/rpm-gpghome ++ '[' -d /home/bgmilne/tmp/rpm-gpghome ']' ++ install -d -m700 /home/bgmilne/tmp/rpm-gpghome ++ gpg --import /home/bgmilne/Download/source/svn/mageia/ldb/SOURCES/jelmer.asc +gpg: keyring `/home/bgmilne/tmp/rpm-gpghome/secring.gpg' created +gpg: keyring `/home/bgmilne/tmp/rpm-gpghome/pubring.gpg' created +gpg: /home/bgmilne/tmp/rpm-gpghome/trustdb.gpg: trustdb created +gpg: key 1EEF5276: public key "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at samba.org</A>>" imported +gpg: key D729A457: public key "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at samba.org</A>>" imported +gpg: Total number processed: 2 +gpg: imported: 2 (RSA: 1) +gpg: no ultimately trusted keys found ++ gpg --trust-model always --verify +/home/bgmilne/Download/source/svn/mageia/ldb/SOURCES/ldb-1.1.4.tar.gz.asc +/home/bgmilne/Download/source/svn/mageia/ldb/SOURCES/ldb-1.1.4.tar.gz +gpg: Signature made Sat 03 Dec 2011 01:14:25 SAST using RSA key ID D729A457 +gpg: BAD signature from "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at samba.org</A>>" +gpg: Signature made Sat 03 Dec 2011 01:14:25 SAST using DSA key ID 1EEF5276 +gpg: BAD signature from "Jelmer Vernooij <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">jelmer at samba.org</A>>" +error: Bad exit status from /home/bgmilne/tmp/rpm-tmp.YqBT4j (%prep) + + + +Or, if %{_tmppath}/rpm-gpghome exists (important to check for, since we are +using --trust-model always): + +Executing(%prep): /bin/sh -e /home/bgmilne/tmp/rpm-tmp.OEoIHT ++ umask 022 ++ cd /home/bgmilne/rpm/BUILD ++ '[' 1 -eq 1 ']' ++ '[' 1 -eq 1 ']' ++ '[' 1 -eq 1 ']' ++ export GNUPGHOME=/home/bgmilne/tmp/rpm-gpghome ++ GNUPGHOME=/home/bgmilne/tmp/rpm-gpghome ++ '[' -d 
/home/bgmilne/tmp/rpm-gpghome ']' ++ echo 'Error, GNUPGHOME /home/bgmilne/tmp/rpm-gpghome exists, remove it and +try again' +Error, GNUPGHOME /home/bgmilne/tmp/rpm-gpghome exists, remove it and try again ++ exit 1 +error: Bad exit status from /home/bgmilne/tmp/rpm-tmp.OEoIHT (%prep) + + +Comments? + +Regards, +Buchan +</PRE> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="011198.html">[Mageia-dev] Fwd: Re: [Kolab-devel] Supercolliding a PHP array - DoS Attacks +</A></li> + <LI>Next message: <A HREF="011208.html">[Mageia-dev] Signature verification of sources +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#11201">[ date ]</a> + <a href="thread.html#11201">[ thread ]</a> + <a href="subject.html#11201">[ subject ]</a> + <a href="author.html#11201">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev +mailing list</a><br> +</body></html> |
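Review bot: In the `check_sig` macro quoted inside the added `<PRE>` body, `rm -Rf $GNUPGHOME` is the final step, so it is skipped whenever `gpg --verify` fails under `/bin/sh -e`. The tampered-source transcript in the same file ends at `error: Bad exit status ... (%prep)` with no `rm -Rf` line, which leaves the directory behind and would make the next build stop at the `Error, GNUPGHOME ... exists` guard. Suggest cleaning up on every exit path (for example a shell `trap` set right after `install -d -m700 $GNUPGHOME`) and quoting `"$GNUPGHOME"` in the `install` and `rm` lines, as the `-d` test already does. Because the macro runs `gpg --trust-model always`, the check is only as strong as the provenance of the key file passed as `Source2: jelmer.asc`; the transcript shows only the short key IDs `1EEF5276` and `D729A457`, so it would help to document how that key file was obtained and verified. Minor: the long run of empty `+` lines between `</PRE>` and `<!--endarticle-->` could be trimmed from the added file.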