From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001
From: Nicolas Vigier
Date: Sun, 14 Apr 2013 13:46:12 +0000
Subject: Add zarb MLs html archives
---
zarb-ml/mageia-dev/2012-January/011201.html | 306 ++++++++++++++++++++++++++++
1 file changed, 306 insertions(+)
create mode 100644 zarb-ml/mageia-dev/2012-January/011201.html
(limited to 'zarb-ml/mageia-dev/2012-January/011201.html')
diff --git a/zarb-ml/mageia-dev/2012-January/011201.html b/zarb-ml/mageia-dev/2012-January/011201.html
new file mode 100644
index 000000000..5020f7c51
--- /dev/null
+++ b/zarb-ml/mageia-dev/2012-January/011201.html
@@ -0,0 +1,306 @@
+ + + + [Mageia-dev] Signature verification of sources + + + + + + + + + +

[Mageia-dev] Signature verification of sources

+ Buchan Milne + bgmilne at zarb.org +
+ Tue Jan 10 11:50:15 CET 2012 +

+
+ +
I think we should be in the position to be able to verify the origin of any 
+software we provide to users.
+
+While we have cryptographic verification of the RPMS (both 'binary' and src), 
+and we store the hashes of the sources, AFAIK we do very limited verification 
+of any signatures provided by upstream.
+
+Now, unfortunately, not all upstreams provide useful signatures:
+1)Not all upstreams provide signatures (some even say that there is no point, 
+as no-one verifies them)
+2)Some upstreams (such as kernel) use automated mechanisms to generate 
+signatures (and in the case of kernl explicitly state that they are only 
+useful for verifying that they match what is on kernel.org, not necessarily 
+that they match what linus generated)
+3)Some upstreams do provide signatures, but sometimes the signing identity 
+changes, or the mechanism (sign gzipped tarball once, unzipped tarball next 
+time)
+
+It seems difficult to argue for upstreams to provide good signatures if no-one 
+is verifying them
+
+So, I have started adding signature verification to my packages where upstream 
+provides signatures:
+-tevent
+-tdb
+-ldb
+-samba
+
+In the past few weeks, I have been moving to defining and using a 'check_sig' 
+macro, and I wonder if it would be useful to move it to spec-helper, and start 
+using it wherever possible.
+
+This is the version in the ldb spec:
+%define check_sig() export GNUPGHOME=%{_tmppath}/rpm-gpghome \
+if [ -d "$GNUPGHOME" ] \
+then echo "Error, GNUPGHOME $GNUPGHOME exists, remove it and try again"; exit 
+1 \
+fi \
+install -d -m700 $GNUPGHOME \
+gpg --import %{1} \
+gpg --trust-model always --verify %{2} %{?3} \
+rm -Rf $GNUPGHOME \
+
+
+Used as follows:
+
+Source: http://samba.org/ftp/ldb/ldb-%{ldbver}.tar.gz
+Source1: http://samba.org/ftp/ldb/ldb-%{ldbver}.tar.gz.asc
+Source2: jelmer.asc
+[...]
+
+%prep
+%check_sig %{SOURCE2} %{SOURCE1} %{SOURCE0}
+
+Producing:
+
++ export GNUPGHOME=/home/bgmilne/tmp/rpm-gpghome
++ GNUPGHOME=/home/bgmilne/tmp/rpm-gpghome
++ '[' -d /home/bgmilne/tmp/rpm-gpghome ']'
++ install -d -m700 /home/bgmilne/tmp/rpm-gpghome
++ gpg --import /home/bgmilne/Download/source/svn/mageia/ldb/SOURCES/jelmer.asc
+gpg: keyring `/home/bgmilne/tmp/rpm-gpghome/secring.gpg' created
+gpg: keyring `/home/bgmilne/tmp/rpm-gpghome/pubring.gpg' created
+gpg: /home/bgmilne/tmp/rpm-gpghome/trustdb.gpg: trustdb created
+gpg: key 1EEF5276: public key "Jelmer Vernooij <jelmer at samba.org>" imported
+gpg: key D729A457: public key "Jelmer Vernooij <jelmer at samba.org>" imported
+gpg: Total number processed: 2
+gpg:               imported: 2  (RSA: 1)
+gpg: no ultimately trusted keys found
++ gpg --trust-model always --verify 
+/home/bgmilne/Download/source/svn/mageia/ldb/SOURCES/ldb-1.1.4.tar.gz.asc 
+/home/bgmilne/Download/source/svn/mageia/ldb/SOURCES/ldb-1.1.4.tar.gz
+gpg: Signature made Sat 03 Dec 2011 01:14:25 SAST using RSA key ID D729A457
+gpg: Good signature from "Jelmer Vernooij <jelmer at samba.org>"
+gpg:                 aka "Jelmer Vernooij <jelmer at sernet.de>"
+gpg:                 aka "Jelmer Vernooij <jelmer at apache.org>"
+gpg:                 aka "Jelmer Vernooij <jelmer at debian.org>"
+gpg:                 aka "Jelmer Vernooij <jelmer at ubuntu.com>"
+gpg:                 aka "Jelmer Vernooij <jelmer at vernstok.nl>"
+gpg:                 aka "Jelmer Vernooij <jelmer at canonical.com>"
+gpg:                 aka "Jelmer Vernooij <jelmer at openchange.org>"
+gpg:                 aka "Jelmer Vernooij <jrvernooij at tigris.org>"
+gpg:                 aka "Jelmer Vernooij <jelmer.vernooij at canonical.com>"
+gpg: WARNING: Using untrusted key!
+gpg: Signature made Sat 03 Dec 2011 01:14:25 SAST using DSA key ID 1EEF5276
+gpg: Good signature from "Jelmer Vernooij <jelmer at samba.org>"
+gpg:                 aka "Jelmer Vernooij <jelmer at fsfe.org>"
+gpg:                 aka "Jelmer Vernooij <jelmer at sernet.de>"
+gpg:                 aka "Jelmer Vernooij <jelmer at debian.org>"
+gpg:                 aka "Jelmer Vernooij <jelmer at ubuntu.com>"
+gpg:                 aka "Jelmer Vernooij <jrvernoo at cs.uu.nl>"
+gpg:                 aka "Jelmer Vernooij <jelmer at vernstok.nl>"
+gpg:                 aka "Jelmer Vernooij <jelmer at openchange.org>"
+gpg:                 aka "Jelmer Vernooij <jrvernooij at tigris.org>"
+gpg:                 aka "Jelmer Vernooij <jelmer at a-eskwadraat.nl>"
+gpg: WARNING: Using untrusted key!
++ rm -Rf /home/bgmilne/tmp/rpm-gpghome
+
+Tampering with the source results in:
+
++ export GNUPGHOME=/home/bgmilne/tmp/rpm-gpghome
++ GNUPGHOME=/home/bgmilne/tmp/rpm-gpghome
++ '[' -d /home/bgmilne/tmp/rpm-gpghome ']'
++ install -d -m700 /home/bgmilne/tmp/rpm-gpghome
++ gpg --import /home/bgmilne/Download/source/svn/mageia/ldb/SOURCES/jelmer.asc
+gpg: keyring `/home/bgmilne/tmp/rpm-gpghome/secring.gpg' created
+gpg: keyring `/home/bgmilne/tmp/rpm-gpghome/pubring.gpg' created
+gpg: /home/bgmilne/tmp/rpm-gpghome/trustdb.gpg: trustdb created
+gpg: key 1EEF5276: public key "Jelmer Vernooij <jelmer at samba.org>" imported
+gpg: key D729A457: public key "Jelmer Vernooij <jelmer at samba.org>" imported
+gpg: Total number processed: 2
+gpg:               imported: 2  (RSA: 1)
+gpg: no ultimately trusted keys found
++ gpg --trust-model always --verify 
+/home/bgmilne/Download/source/svn/mageia/ldb/SOURCES/ldb-1.1.4.tar.gz.asc 
+/home/bgmilne/Download/source/svn/mageia/ldb/SOURCES/ldb-1.1.4.tar.gz
+gpg: Signature made Sat 03 Dec 2011 01:14:25 SAST using RSA key ID D729A457
+gpg: BAD signature from "Jelmer Vernooij <jelmer at samba.org>"
+gpg: Signature made Sat 03 Dec 2011 01:14:25 SAST using DSA key ID 1EEF5276
+gpg: BAD signature from "Jelmer Vernooij <jelmer at samba.org>"
+error: Bad exit status from /home/bgmilne/tmp/rpm-tmp.YqBT4j (%prep)
+
+
+
+Or, if %{_tmppath}/rpm-gpghome exists (important to check for, since we are 
+using --trust-model always):
+
+Executing(%prep): /bin/sh -e /home/bgmilne/tmp/rpm-tmp.OEoIHT
++ umask 022
++ cd /home/bgmilne/rpm/BUILD
++ '[' 1 -eq 1 ']'
++ '[' 1 -eq 1 ']'
++ '[' 1 -eq 1 ']'
++ export GNUPGHOME=/home/bgmilne/tmp/rpm-gpghome
++ GNUPGHOME=/home/bgmilne/tmp/rpm-gpghome
++ '[' -d /home/bgmilne/tmp/rpm-gpghome ']'
++ echo 'Error, GNUPGHOME /home/bgmilne/tmp/rpm-gpghome exists, remove it and 
+try again'
+Error, GNUPGHOME /home/bgmilne/tmp/rpm-gpghome exists, remove it and try again
++ exit 1
+error: Bad exit status from /home/bgmilne/tmp/rpm-tmp.OEoIHT (%prep)
+
+
+Comments?
+
+Regards,
+Buchan
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1
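Review bot: The check_sig macro quoted in this archived message never reaches its `rm -Rf $GNUPGHOME` step when verification fails, because %prep runs under `/bin/sh -e` and the failing `gpg --verify` ends the script first; the tampered-source trace stops at the BAD signature lines with no cleanup. The fixed path %{_tmppath}/rpm-gpghome is then left behind, so the next build stops at the "exists" guard until someone removes the directory by hand. A per-build directory from `GNUPGHOME=$(mktemp -d)`, cleaned up with `trap 'rm -rf -- "$GNUPGHOME"' EXIT` and with `"$GNUPGHOME"` quoted in the `install` and `rm` lines, would avoid both the stale state and the predictable name. Because `--trust-model always` accepts any key present in the keyring, the check is only as strong as the provenance of the key file passed as %{1}, so that file's full fingerprint should be confirmed out of band before it is committed alongside the spec.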