Verifying and checksumming new release is somewhat cumbersom
johndoe65534 at mail.com
Sat Nov 28 07:57:05 CET 2020
On 11/26/2020 9:10 PM, Werner Koch wrote:
> and thanks for asking.
Thanks for this.
To be sure that I understand you correctly, I took the liberty of
rewording your answers.
> On Thu, 26 Nov 2020 19:12, john doe said:
>> Is there a URL to download those sha1sums and those public keyss as files?
> The problem with sha1sums is that a single publication would be easy to
> fake. The only known countermeasure is to widely distribute them. We
> do have them on the website as you noticed, they are send out by signed
> mail to several thousand subscribers, and our and other mail archives
> carry the release announcement with the checksums.
If I look at Debian (1) for example, the checksum file is gpg signed.
Assuming that I understand correctly, the Debian approach is not a safe
way to make the checksums available?propagate?
> No, there is no single file with the checksums because that would be a
> too easy target for an attacker.
Even if the file would be gpg signed?
>> and for the public key I could do something like:
>> $ wget <URL-OF-PUBLIC-KEYS>
>> $ gpg --import <PUBLIC-KEYS-FILES>
>> $ gpg --verify *.sig
> And please check the printed fingerprint against copies of the
> fingerprint distributed in the same way as the checksums. The keys are
> also quite well connected in the Web-of-Trust, which can also help to to
> validate them.
You mean by checking if the fingerprint of the downloaded keys match
the one listed on the web site?
> The advantage of the public keys and the fingerprints is that they do
> not change and thus you only need to validate them once once and sign
> the keys so that you can trust them in the future.
Okay, if the fingerprints matches I should sign the keys with mine.
>> I understand that for this last step I could also do:
>> $ gpg --keyserver-options auto-key-retrieve veirfy *.sig
> Don't. For verification always use
> gpg --verify file.sig file
Okay, won't do that anymore.
> and check the output well. If you need to automate this, use gpgv and
> put all the trusted signing keys into a dedicated keyring. For
> automating this with gpg, I would suggest to write a gpgme based tool.
If I want to verify a new release,:
- Manually: take advantage of gpgv
- Unattended: use a wrapper around gpgme
Your input is much appriciated.
More information about the Gnupg-users