git.notmuchmail.org Git - notmuch/commit

author	Daniel Kahn Gillmor <dkg@fifthhorseman.net>
	Sat, 23 Mar 2019 12:35:43 +0000 (13:35 +0100)
committer	David Bremner <david@tethera.net>
	Wed, 27 Mar 2019 20:53:41 +0000 (17:53 -0300)
commit	01f9c71312937011c4474688d3d1dd64c14731fb
tree	3c0a6dac397673f4455eea645ae361447cba9a1c	tree \| snapshot
parent	cc8d837d5a137a14a62526dcea60af1de7a353e4	commit \| diff

build: distribute signed sha256sums

Distribute clearsigned sha256sum file in addition to the detached
signature.

Verifies that use the sha256sum ensure that the thing signed includes
the name of the tarball. This defends the verifier by default against
a freeze, rollback, or project substitution attack.

A verifier can use something like the following (as expressed in
bash):

      set -o pipefail
      wget https://notmuchmail.org/releases/notmuch-$VERSION.tar.gz{,.sha256.asc}
      gpgv --keyring ./notmuch-signers.pgp --output - notmuch-$VERSION.tar.gz.sha256.asc | sha256sum -c -

See id:87r2b8w956.fsf@fifthhorseman.net and other messages in that
thread for discussion.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Makefile.global		diff \| blob \| history
Makefile.local		diff \| blob \| history