Verifying and checksumming new release is somewhat cumbersom

Werner Koch wk at gnupg.org
Thu Nov 26 21:10:50 CET 2020 

Hi,

and thanks for asking.

On Thu, 26 Nov 2020 19:12, john doe said:

> Is there a URL to download those sha1sums and those public keyss as  files?

The problem with sha1sums is that a single publication would be easy to
fake.  The only known countermeasure is to widely distribute them.  We
do have them on the website as you noticed, they are send out by signed
mail to several thousand subscribers, and our and other mail archives
carry the release announcement with the checksums.

No, there is no single file with the checksums because that would be a
too easy target for an attacker.

> and for the public key I could do something like:
>
> $ wget <URL-OF-PUBLIC-KEYS>
> $ gpg --import <PUBLIC-KEYS-FILES>
> $ gpg --verify *.sig

And please check the printed fingerprint against copies of the
fingerprint distributed in the same way as the checksums.  The keys are
also quite well connected in the Web-of-Trust, which can also help to to
validate them.

The advantage of the public keys and the fingerprints is that they do
not change and thus you only need to validate them once once and sign
the keys so that you can trust them in the future.

The release signing key as well as most commit signing keys are token
based and thus it is very unlikely that this key material will be
leaked.  The worst what could happen is that the build machine is
compromised by dedicated malware which swaps the to be signed data
during the build process - so we would unnoticed sign them with the real
key.  But well, that is quite advanced and enough people are building
from source and closely watch our repositories for signs of intrusion.

> I understand that for this last step I could also do:
>
> $ gpg --keyserver-options auto-key-retrieve veirfy *.sig

Don't.  For verification always use

   gpg --verify file.sig file

and check the output well.  If you need to automate this, use gpgv and
put all the trusted signing keys into a dedicated keyring.  For
automating this with gpg, I would suggest to write a gpgme based tool.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20201126/68bce24c/attachment.sig>

More information about the Gnupg-users mailing list