From mboxrd@z Thu Jan 1 00:00:00 1970
From: john at keeping.me.uk (John Keeping)
Date: Mon, 9 Mar 2015 20:49:46 +0000
Subject: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading
In-Reply-To: <20150309193929.GW3567@zaya.teonanacatl.net>
References: <0146555fda82120aa6ff6a7e9761d00d53ced865.1425739601.git.john@keeping.me.uk>
 <20150307155926.6430.47439@typhoon>
 <20150307170259.GI1369@serenity.lan>
 <20150307174932.8657.41364@typhoon>
 <20150307182002.GJ1369@serenity.lan>
 <20150307233510.GU3567@zaya.teonanacatl.net>
 <20150308104520.GK1369@serenity.lan>
 <20150309193929.GW3567@zaya.teonanacatl.net>
Message-ID: <20150309204901.GL1369@serenity.lan>

On Mon, Mar 09, 2015 at 03:39:29PM -0400, Todd Zullinger wrote:
> Those on the list can check the PGP signature on the announcement mail
> and then use the included SHA1 to check the tarball, but doing that as
> a non-list member isn't as easy due to many list archives stripping or
> mangling PGP signatures.  I tried doing this with the 0.11
> announcement from the Mailman and Gmane archives now and wasn't
> successful.

It turns out that GMane mangles the list address in the message, so it
is possible to validate it but it's not straightforward:

    curl http://article.gmane.org/gmane.comp.version-control.cgit/2387/raw |
    sed -e 's/cgit[^ ]*@public.gmane.org/cgit at lists.zx2c4.com/' |
    gpg --verify

> Posting a detached PGP signature for the tarball would improve the
> ability for users to trust and verify the cgit tarball.  It's not a
> blocker for your patch, but it would make it significantly more
> useful, so I thought I would broach the subject. ;)

It seems that Jason currently relies on CGit to generate the tarballs by
pointing to http://git.zx2c4.com/cgit/refs/tags, which means that a
signature isn't guaranteed to remain correct (Git has subtly changed the
tar encoding in the past and could do so again).
There's a recent thread on the Git mailing list about a way to handle this better[0], but there isn't any code yet AFAIK. [0] http://thread.gmane.org/gmane.comp.version-control.git/264533
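An added example, not part of the patch under discussion or of the cgit project, showing the download-then-check step the subject line describes as a small POSIX shell script. The sample file contents and their digest are constructed here so the script runs offline; the `fetch_and_verify` URL is a placeholder, and in practice the expected digest would be the one taken from the signed release announcement after verifying its signature as shown in the message above.

```shell
#!/bin/sh
# Added example (not the cgit patch's own code): verify a downloaded
# tarball against an expected SHA256 digest, and discard it on mismatch.
set -eu

# Print the SHA256 hex digest of a file. Tries the GNU tool first, then the
# BSD/macOS one, then openssl, so the check works on the usual build hosts.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the digest matches, 1 otherwise. The comparison is
# case-insensitive so a digest pasted in upper case from an announcement
# still matches; a missing or unreadable file is a failure, not a skip.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "FAIL: $file: no such file" >&2
        return 1
    fi
    actual=$(sha256_of "$file" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected" >&2
        return 0
    fi
    echo "FAIL: $file: expected $expected, got $actual" >&2
    return 1
}

# fetch_and_verify URL EXPECTED_HEX
# Download, check, and delete the download on mismatch so a tampered or
# truncated tarball never lingers on disk for a later step to unpack.
# The URL is whatever the caller supplies; nothing here is cgit-specific.
fetch_and_verify() {
    url=$1
    expected=$2
    out=$(basename "$url")
    curl -fsSL -o "$out" "$url"
    if ! verify_sha256 "$out" "$expected"; then
        rm -f "$out"
        return 1
    fi
}

# Constructed sample: a file containing "hello\n" and its known SHA256.
SAMPLE_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
make_sample() {
    f=$(mktemp)
    printf 'hello\n' > "$f"
    echo "$f"
}
```

The digest is only as trustworthy as the message that carried it: if it was copied from a list archive that mangled the PGP signature, the `gpg --verify` step above has to succeed first, otherwise the checksum merely confirms you downloaded what the archive served.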