From 01f9c71312937011c4474688d3d1dd64c14731fb Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Sat, 23 Mar 2019 13:35:43 +0100
Subject: [PATCH] build: distribute signed sha256sums

Distribute clearsigned sha256sum file in addition to the detached signature. Verifies that use the sha256sum ensure that the thing signed includes the name of the tarball. This defends the verifier by default against a freeze, rollback, or project substitution attack. A verifier can use something like the following (as expressed in bash):

set -o pipefail
wget https://notmuchmail.org/releases/notmuch-$VERSION.tar.gz{,.sha256.asc}
gpgv --keyring ./notmuch-signers.pgp --output - notmuch-$VERSION.tar.gz.sha256.asc | sha256sum -c -

See id:87r2b8w956.fsf@fifthhorseman.net and other messages in that thread for discussion.

Signed-off-by: Daniel Kahn Gillmor
---
 Makefile.global | 2 +-
 Makefile.local | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile.global b/Makefile.global
index 6e17494a..27c82433 100644
--- a/Makefile.global
+++ b/Makefile.global
@@ -43,7 +43,7 @@ RELEASE_URL=https://notmuchmail.org/releases
 TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
 ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
 DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
-SHA256_FILE=$(TAR_FILE).sha256
+SHA256_FILE=$(TAR_FILE).sha256.asc
 GPG_FILE=$(TAR_FILE).asc
 PV_FILE=bindings/python/notmuch/version.py

diff --git a/Makefile.local b/Makefile.local
index 8535844a..eb599565 100644
--- a/Makefile.local
+++ b/Makefile.local
@@ -40,7 +40,7 @@ $(TAR_FILE):
 @echo "Source is ready for release in $(TAR_FILE)"
 $(SHA256_FILE): $(TAR_FILE)
- sha256sum $^ > $@
+ sha256sum $^ | gpg --clear-sign --output $@ -
 $(GPG_FILE): $(TAR_FILE)
 gpg --armor --detach-sign $^
--
2.43.0
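Review bot: The new recipe line in the Makefile.local hunk, `sha256sum $^ | gpg --clear-sign --output $@ -`, is less robust than the `>` redirection it replaces in two ways. Under Make's default `/bin/sh` the pipeline's exit status is gpg's alone, so a failing `sha256sum` would still yield a validly signed (but empty or truncated) `$@` that Make then treats as up to date, and gpg, unless given `--yes`, prompts on a TTY (and errors under `--batch`) before overwriting an existing `--output` file, which is exactly the state when a stale `$(SHA256_FILE)` sits next to a rebuilt tarball. Suggest staging the digest so each step's failure is visible and the final write is owned by gpg: `sha256sum $^ > $@.tmp && gpg --yes --clear-sign --output $@ $@.tmp && rm -f $@.tmp`. The security rationale lives only in the commit message; a comment above the rule such as `# clearsign (not detached) so the signed text names the tarball: a verifier running sha256sum -c on it detects substitution/rollback` would keep it with the code. Note the defence relies on `$^` expanding to a bare file name (TAR_FILE in Makefile.global has no directory part); if it ever gains a path prefix the signed line would no longer match the name the verifier downloaded and `sha256sum -c` would fail to locate it.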