build: distribute signed sha256sums
authorDaniel Kahn Gillmor <dkg@fifthhorseman.net>
Sat, 23 Mar 2019 12:35:43 +0000 (13:35 +0100)
committerDavid Bremner <david@tethera.net>
Wed, 27 Mar 2019 20:53:41 +0000 (17:53 -0300)
Distribute clearsigned sha256sum file in addition to the detached
signature.

Verifiers that use the sha256sum file ensure that the signed material includes
the name of the tarball. This defends the verifier by default against
a freeze, rollback, or project substitution attack.

A verifier can use something like the following (as expressed in
bash):

      set -o pipefail
      wget https://notmuchmail.org/releases/notmuch-$VERSION.tar.gz{,.sha256.asc}
      gpgv --keyring ./notmuch-signers.pgp --output - notmuch-$VERSION.tar.gz.sha256.asc | sha256sum -c -

See id:87r2b8w956.fsf@fifthhorseman.net and other messages in that
thread for discussion.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Makefile.global
Makefile.local

index 6e17494a5949a934f03e2ed5696c24490b8f290c..27c82433770fdbc67e10ce5582cf948a871a4e82 100644 (file)
@@ -43,7 +43,7 @@ RELEASE_URL=https://notmuchmail.org/releases
 TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
 ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
 DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
-SHA256_FILE=$(TAR_FILE).sha256
+SHA256_FILE=$(TAR_FILE).sha256.asc
 GPG_FILE=$(TAR_FILE).asc
 
 PV_FILE=bindings/python/notmuch/version.py
index 8535844aca43061c0f8ebbf73a6cf2aba664752c..eb5995651cc31c2dd67448aab2921f92b6bc5268 100644 (file)
@@ -40,7 +40,7 @@ $(TAR_FILE):
        @echo "Source is ready for release in $(TAR_FILE)"
 
 $(SHA256_FILE): $(TAR_FILE)
-       sha256sum $^ > $@
+       sha256sum $^ | gpg --clear-sign --output $@ -
 
 $(GPG_FILE): $(TAR_FILE)
        gpg --armor --detach-sign $^
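Review bot: The pipeline in the new $(SHA256_FILE) recipe masks a failed sha256sum: the recipe's exit status is gpg's, so an empty or truncated checksum list would still be clear-signed and $@ would look up to date, which undermines the very guarantee the signed file is meant to provide. Recipes run under sh by default, so pipefail (which the commit message itself sets for the verifier) cannot be assumed here; write the checksum to a temporary file first, `sha256sum $^ > $@.tmp && gpg --clear-sign --output $@ $@.tmp && $(RM) $@.tmp`, or if the build already requires bash, set `SHELL := bash` and `.SHELLFLAGS := -eu -o pipefail -c` so the existing one-liner fails on either stage. The recipe also appears to depend on gpg overwriting an existing `$@` when the tarball is newer; it is worth confirming that in batch use, or adding `--yes`. The Makefile.global hunk only renames the output file and needs nothing further.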