List for cgit developers and users
From: tmz at pobox.com (Todd Zullinger)
Subject: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading
Date: Mon, 9 Mar 2015 15:39:29 -0400
Message-ID: <20150309193929.GW3567@zaya.teonanacatl.net>
In-Reply-To: <20150308104520.GK1369@serenity.lan>

John Keeping wrote:
> On Sat, Mar 07, 2015 at 06:35:10PM -0500, Todd Zullinger wrote:
>> But while we're on the subject, are there PGP signatures available for 
>> the cgit tarballs themselves?  I know the git tags are signed, but I 
>> don't think I've seen detached signatures for the tarballs.  In this 
>> case, how does a user become "happy that the CGit distribution they 
>> have is trustworthy"?  The cgit tarball download isn't available via 
>> https either, which might be a reasonable answer in the absence of a 
>> detached git signature.
>>
>> Without a signature on the tarball or some other method to verify the 
>> cgit tarball, the sha256 of the git tarball included in the cgit 
>> Makefile is more or less only useful as a basic download integrity 
>> check (in which case sha256 is mild overkill).
>>
>> None of this is to say that this patch isn't a step in the right 
>> direction.  It certainly helps to display a nicer error message if a 
>> user receives a corrupted git tarball.  It's just important that users 
>> don't confuse this with providing any real authentication of the git 
>> tarball.
>
> I'm not sure this is true.  Providing that the CGit tarball is trusted, 
> then I think this does provide sufficient authentication of the Git 
> tarball.  If the CGit tarball isn't trusted, then all bets are off 
> anyway.

Agreed.  The caveat is that I'm not sure there is a convenient method 
for end-users or packagers to verify the authenticity of a cgit 
tarball.

Those on the list can check the PGP signature on the announcement mail 
and then use the included SHA1 to check the tarball, but doing that as 
a non-list member isn't as easy due to many list archives stripping or 
mangling PGP signatures.  I tried doing this with the 0.11 
announcement from the Mailman and Gmane archives now and wasn't 
successful.

Posting a detached PGP signature for the tarball would improve the 
ability for users to trust and verify the cgit tarball.  It's not a 
blocker for your patch, but it would make it significantly more 
useful, so I thought I would broach the subject. ;)

Thank you for all of your work on cgit.  It's very nice to see it 
continue to improve, with even the smallest details getting attention.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Now don't say you can't swear off drinking; it's easy. I've done it a
thousand times.
    -- W.C. Fields
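As an added example (not code from the cgit Makefile or from anyone in this thread), a POSIX shell sketch of the fail-closed SHA256 check the patch adds for the git tarball, alongside the detached-signature check the message above asks for on the cgit tarball itself. The function names, the curl and gpg usage, and the sample file are assumptions.

```shell
#!/bin/sh
# Added example, not from cgit's Makefile: fail-closed verification of a
# downloaded tarball against a hash pinned by the downloader. The
# function names and the sample input are constructed for illustration.

# Print the SHA256 of $1 with whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED: return 0 only if FILE hashes to EXPECTED.
# A mismatch proves corruption or substitution; a match authenticates
# the file only as far as the pinned value itself is trusted.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ -n "$actual" ] || return 1
    [ "$actual" = "$2" ] && return 0
    echo "sha256 mismatch for $1: got $actual, want $2" >&2
    return 1
}

# fetch_and_verify FILE URL EXPECTED: download, verify, and delete the
# file on failure so a later build step cannot pick up a bad copy.
fetch_and_verify() {
    curl -fsSL -o "$1" "$2" || return 1
    verify_sha256 "$1" "$3" && return 0
    rm -f "$1"
    return 1
}

# verify_detached_sig FILE: check FILE.asc with gpg, the step this thread
# asks for on the cgit tarball (signing key assumed already in the keyring).
verify_detached_sig() {
    [ -f "$1.asc" ] || { echo "no detached signature for $1" >&2; return 1; }
    gpg --verify "$1.asc" "$1"
}

# Offline demo on a constructed file: SHA256 of "hello\n" is well known.
demo() {
    tmp=$(mktemp) || return 1
    printf 'hello\n' > "$tmp"
    verify_sha256 "$tmp" \
        5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    rc=$?; rm -f "$tmp"; return $rc
}
demo
```

The integrity check catches a truncated or tampered download, but as the thread notes it only authenticates the file when the pinned hash came from a source you already trust, which is what the detached signature on the outer tarball is for.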