build: distribute signed sha256sums
author Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Sat, 23 Mar 2019 12:35:43 +0000 (13:35 +0100)
committer David Bremner <david@tethera.net>
Wed, 27 Mar 2019 20:53:41 +0000 (17:53 -0300)
commit 01f9c71312937011c4474688d3d1dd64c14731fb
tree 3c0a6dac397673f4455eea645ae361447cba9a1c
parent cc8d837d5a137a14a62526dcea60af1de7a353e4
build: distribute signed sha256sums

Distribute clearsigned sha256sum file in addition to the detached
signature.

Verifiers that use the sha256sum ensure that the thing signed includes
the name of the tarball. This defends the verifier by default against
a freeze, rollback, or project substitution attack.

A verifier can use something like the following (as expressed in
bash):

      set -o pipefail
      wget https://notmuchmail.org/releases/notmuch-$VERSION.tar.gz{,.sha256.asc}
      gpgv --keyring ./notmuch-signers.pgp --output - notmuch-$VERSION.tar.gz.sha256.asc | sha256sum -c -

See id:87r2b8w956.fsf@fifthhorseman.net and other messages in that
thread for discussion.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Makefile.global
Makefile.local
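
An added example (not part of the commit or of notmuch's build): a stricter variant of the pipeline in the commit message that also requires the signed checksum text to name the tarball that was requested, which matters when older tarballs share the download directory. `check_signed_sums`, `rollback_demo` and the `notmuch-OLD`/`notmuch-NEW` file names are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example; check_signed_sums and rollback_demo are hypothetical helpers,
# not notmuch code. Intended use, in bash with `set -o pipefail` as in the
# commit message:
#   gpgv --keyring ./notmuch-signers.pgp --output - "$tarball.sha256.asc" \
#     | check_signed_sums "$tarball"

# Reads sha256sum-format text on stdin. Succeeds only if it holds exactly
# one entry, that entry names $1, and the digest matches ./$1.
check_signed_sums() {
    expected=$1
    sums=$(cat) || return 1
    count=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        digest=${line%% *}      # text before the first space
        rest=${line#* }         # mode character (' ' or '*') + file name
        name=${rest#?}
        case $digest in *[!0-9a-f]*) echo "malformed digest" >&2; return 1 ;; esac
        [ "${#digest}" -eq 64 ] || { echo "malformed digest" >&2; return 1; }
        if [ "$name" != "$expected" ]; then
            echo "signed text names '$name', wanted '$expected'" >&2
            return 1
        fi
        count=$((count + 1))
    done <<EOF
$sums
EOF
    [ "$count" -eq 1 ] || { echo "expected exactly one entry" >&2; return 1; }
    printf '%s\n' "$sums" | sha256sum -c - >/dev/null
}

# Constructed scenario: OLD and NEW tarballs are both on disk, and the
# request for NEW is answered with OLD's checksum text (validly signed but
# stale). $stale stands in for gpgv's output. Prints how each check reacts.
rollback_demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    echo old > notmuch-OLD.tar.gz
    echo new > notmuch-NEW.tar.gz
    stale=$(sha256sum notmuch-OLD.tar.gz)
    plain=refused; strict=refused
    printf '%s\n' "$stale" | sha256sum -c - >/dev/null && plain=accepted
    printf '%s\n' "$stale" | check_signed_sums notmuch-NEW.tar.gz 2>/dev/null \
        && strict=accepted
    cd / && rm -rf "$dir"
    echo "plain=$plain strict=$strict"
)
```

With only the requested tarball in the directory, plain `sha256sum -c -` already fails on a stale checksum file because the named file is absent; the helper covers the case where it is present.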