From mboxrd@z Thu Jan 1 00:00:00 1970
From: tmz at pobox.com (Todd Zullinger)
Date: Mon, 9 Mar 2015 15:39:29 -0400
Subject: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading
In-Reply-To: <20150308104520.GK1369@serenity.lan>
References: <0146555fda82120aa6ff6a7e9761d00d53ced865.1425739601.git.john@keeping.me.uk>
 <20150307155926.6430.47439@typhoon>
 <20150307170259.GI1369@serenity.lan>
 <20150307174932.8657.41364@typhoon>
 <20150307182002.GJ1369@serenity.lan>
 <20150307233510.GU3567@zaya.teonanacatl.net>
 <20150308104520.GK1369@serenity.lan>
Message-ID: <20150309193929.GW3567@zaya.teonanacatl.net>

John Keeping wrote:
> On Sat, Mar 07, 2015 at 06:35:10PM -0500, Todd Zullinger wrote:
>> But while we're on the subject, are there PGP signatures available for
>> the cgit tarballs themselves? I know the git tags are signed, but I
>> don't think I've seen detached signatures for the tarballs. In this
>> case, how does a user become "happy that the CGit distribution they
>> have is trustworthy"? The cgit tarball download isn't available via
>> https either, which might be a reasonable answer in the absence of a
>> detached git signature.
>>
>> Without a signature on the tarball or some other method to verify the
>> cgit tarball, the sha256 of the git tarball included in the cgit
>> Makefile is more or less only useful as a basic download integrity
>> check (in which case sha256 is mild overkill).
>>
>> None of this is to say that this patch isn't a step in the right
>> direction. It certainly helps to display a nicer error message if a
>> user receives a corrupted git tarball. It's just important that users
>> don't confuse this with providing any real authentication of the git
>> tarball.
>
> I'm not sure this is true. Providing that the CGit tarball is trusted,
> then I think this does provide sufficient authentication of the Git
> tarball. If the CGit tarball isn't trusted, then all bets are off
> anyway.

Agreed.

The caveat is that I'm not sure there is a convenient method for
end-users or packagers to verify the authenticity of a cgit tarball.
Those on the list can check the PGP signature on the announcement mail
and then use the included SHA1 to check the tarball, but doing that as
a non-list member isn't as easy due to many list archives stripping or
mangling PGP signatures. I tried doing this with the 0.11 announcement
from the Mailman and Gmane archives now and wasn't successful.

Posting a detached PGP signature for the tarball would improve the
ability for users to trust and verify the cgit tarball. It's not a
blocker for your patch, but it would make it significantly more useful,
so I thought I would broach the subject. ;)

Thank you for all of your work on cgit. It's very nice to see it
continue to improve, with even the smallest details getting attention.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Now don't say you can't swear off drinking; it's easy. I've done it a
thousand times.
    -- W.C. Fields
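The download-integrity check the thread is about, written out as a small POSIX shell example. This is added here and is not the patch's or cgit's own code; it assumes one of `sha256sum`, `shasum` or `openssl` is on PATH, and `fetch_verified` additionally assumes `curl` and a caller-supplied URL and digest (the hypothetical function names are mine). As the mail points out, the check only authenticates the download to the extent the expected digest itself came from a trusted source; here that is simply the caller's argument, which in the patch's case is the cgit Makefile.

```shell
#!/bin/sh
# Added example, not from the cgit patch or the mail: verify a downloaded
# tarball against an expected SHA256 digest and fail with a clear message.

# sha256_of FILE: print the hex SHA256 digest of FILE using whichever
# digest tool is present (coreutils sha256sum, perl shasum, or openssl).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# verify_sha256 FILE EXPECTED: return 0 when FILE's digest equals EXPECTED
# (hex, case-insensitive); otherwise explain the mismatch on stderr and
# return 1 so a Makefile rule using it fails instead of extracting the file.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "error: $file does not exist" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "error: SHA256 mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        echo "Delete $file and download it again; if the digests still" >&2
        echo "differ, do not use the file until the discrepancy is understood." >&2
        return 1
    fi
    return 0
}

# fetch_verified URL FILE EXPECTED: download (curl -f fails on HTTP errors,
# -L follows redirects), then verify; on mismatch remove the file so a
# retried build cannot silently pick up the bad copy.
fetch_verified() {
    curl -fsSL -o "$2" "$1" || return 1
    if ! verify_sha256 "$2" "$3"; then
        rm -f "$2"
        return 1
    fi
    return 0
}
```

Typical use from a build rule would be `fetch_verified "$GIT_URL" "git-$VER.tar.gz" "$GIT_SHA256" || exit 1` before the `tar -x` step, with `GIT_SHA256` pinned in the Makefile alongside the version.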