authorDaniel Kahn Gillmor <dkg@fifthhorseman.net>2019-03-23 13:35:43 +0100
committerDavid Bremner <david@tethera.net>2019-03-27 17:53:41 -0300
commit01f9c71312937011c4474688d3d1dd64c14731fb (patch)
tree3c0a6dac397673f4455eea645ae361447cba9a1c /Makefile.local
parentcc8d837d5a137a14a62526dcea60af1de7a353e4 (diff)
build: distribute signed sha256sums
Distribute clearsigned sha256sum file in addition to the detached signature. Verifiers that use the sha256sum file are assured that the signed text includes the name of the tarball. This defends the verifier by default against a freeze, rollback, or project substitution attack. A verifier can use something like the following (as expressed in bash): set -o pipefail wget https://notmuchmail.org/releases/notmuch-$VERSION.tar.gz{,.sha256.asc} gpgv --keyring ./notmuch-signers.pgp --output - notmuch-$VERSION.tar.gz.sha256.asc | sha256sum -c - See id:87r2b8w956.fsf@fifthhorseman.net and other messages in that thread for discussion. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Diffstat (limited to 'Makefile.local')
-rw-r--r--Makefile.local2
1 files changed, 1 insertions, 1 deletions
diff --git a/Makefile.local b/Makefile.local
index 8535844a..eb599565 100644
--- a/Makefile.local
+++ b/Makefile.local
@@ -40,7 +40,7 @@ $(TAR_FILE):
@echo "Source is ready for release in $(TAR_FILE)"
$(SHA256_FILE): $(TAR_FILE)
- sha256sum $^ > $@
+ sha256sum $^ | gpg --clear-sign --output $@ -
$(GPG_FILE): $(TAR_FILE)
gpg --armor --detach-sign $^
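Review bot: The exit status of the new `sha256sum $^ | gpg --clear-sign --output $@ -` recipe is gpg's alone — make runs it under plain `sh` with no `pipefail`, so if `sha256sum` fails gpg will happily clearsign whatever empty or partial text reached it, and `$(SHA256_FILE)` is still created and treated as up to date on the next run. Staging the checksum in a file avoids that: `sha256sum $^ > $@.sums && gpg --clear-sign --output $@ $@.sums && rm -f $@.sums`. The freeze/rollback/substitution defence described in the commit message also depends on the path `sha256sum` prints being the bare tarball basename, since that is what a verifier's `sha256sum -c` will look for; `$(TAR_FILE)` is defined outside this hunk, so a comment above the rule would make that contract explicit, e.g. `# Clearsign "<hash>  <basename>" so the signed text binds the tarball name; $(TAR_FILE) must stay a bare filename.`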