
create checksums for enlightenment releases
Open, Pending on user input, Public

Description

Seems the release tarballs of enlightenment are missing a checksum. Need to see about generating such. Thanks!

zmike triaged this task as Pending on user input priority. Sep 13 2017, 4:23 AM
zmike edited projects, added enlightenment-git; removed Restricted Project.
zmike added a subscriber: zmike.

I guess this means you're looking for a file with the checksum or?

Yes, some users wanted a checksum file with e releases for verification purposes. Seems only EFL gets a manifest at this time. I was not aware at that time it was only done for select things, I think EFL only.

Yeah, but for it to be really useful you also have to sign that checksum with a gpg key and upload the signature as well. If you have those things you can teach build systems like openSUSE's to automatically verify that the package is valid and created by the right person.

A random example of a project that does this correctly should you want to copy it is cmake https://cmake.org/files/v3.9/ note https://cmake.org/files/v3.9/cmake-3.9.2-SHA-256.txt and https://cmake.org/files/v3.9/cmake-3.9.2-SHA-256.txt.asc

If you need help setting up a gpg key and signing, check out https://keybase.io/ ; it makes the process pretty easy. (If you still need an invite, which I don't think you do, I have several.)

I brought up GPG key signing on edevel list and it was not well received and knocked down. SSH is good enough. I digress, but that was the final call. If things change that would be great, I gpg sign every commit. I fully support gpg signing for releases if not commits, ideally both. Maybe others are open to gpg signing releases. But at that point could just go ahead and gpg sign commits.

I tried to get gpg signing to be done at the dev days gathering. I do not believe they did that. A gpg key without signatures and web of trust is pretty moot. Though we could likely get around this. Best to always verify in person, with hopefully legit ID/Passport. Though those are easily counterfeited.

Many projects do not do gpg signing. I am not sure I have come across many, if any, that gpg signed checksums. Mostly a way for others to vet against upstream. I am not sure there is as much concern over the checksum being changed on E servers. Thus gpg signing may be hard to justify to others even for releases.

In T5905#98405, @wltjr wrote:

I brought up GPG key signing on edevel list and it was not well received and knocked down. SSH is good enough. I digress, but that was the final call. If things change that would be great, I gpg sign every commit. I fully support gpg signing for releases if not commits, ideally both. Maybe others are open to gpg signing releases. But at that point could just go ahead and gpg sign commits.

I tried to get gpg signing to be done at the dev days gathering. I do not believe they did that. A gpg key without signatures and web of trust is pretty moot. Though we could likely get around this. Best to always verify in person, with hopefully legit ID/Passport. Though those are easily counterfeited.

Many projects do not do gpg signing. I am not sure I have come across many, if any, that gpg signed checksums. Mostly a way for others to vet against upstream. I am not sure there is as much concern over the checksum being changed on E servers. Thus gpg signing may be hard to justify to others even for releases.

I am only talking about signing the checksum. Adding a checksum and not signing it is pretty much pointless: someone can man-in-the-middle both the tarball and the checksum to match, but they cannot do that with the signature of the checksum. It doesn't really matter who signs the checksum and how trusted they are; once the checksum is signed by a known key it prevents anyone from tampering with both the tarball and the checksum.

I am by no means suggesting we should start signing commits etc. (although I do sign mine). Signing the checksum file is different: if you're not going to sign it, it may as well not be there from a security point of view (which is exactly why it's asked for).

That seems like a justifiable case. Hopefully others will be on board with that.
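
The release layout discussed above (a cmake-style `<release>-SHA-256.txt` manifest plus a detached `.txt.asc` signature), as an added example that is not part of this task or of the e/EFL release tooling. It assumes GNU coreutils `sha256sum` and gpg 2.x are installed and that the signing key is already in the keyring; the verifier checks the signature before it trusts a single checksum, which is the whole point made in the comment above.

```shell
#!/bin/sh
# Added example; assumes sha256sum (GNU coreutils) and gpg 2.x.
# Manifest layout: one "<sha256>  <file>" line per tarball, written to
# <release>-SHA-256.txt, with a detached ASCII-armored signature in
# <release>-SHA-256.txt.asc (the layout cmake publishes).
set -e

# Write the manifest for every tarball in DIR and sign it with KEYID.
# Usage: make_manifest DIR RELEASE KEYID
make_manifest() {
    dir=$1; release=$2; keyid=$3
    manifest="$dir/$release-SHA-256.txt"
    # Hash from inside DIR so the manifest carries bare file names.
    (cd "$dir" && sha256sum -- *.tar.* > "$release-SHA-256.txt")
    # Detached, armored signature over the manifest (not over each tarball).
    gpg --batch --yes --local-user "$keyid" --armor --detach-sign \
        -o "$manifest.asc" "$manifest"
}

# Verify a downloaded release. Order matters: the signature must verify
# before the checksum list is trusted at all, because whoever can swap a
# tarball can also swap an unsigned checksum file to match it.
# Returns 0 if signature and all checksums match, 1 on a bad or missing
# signature, 2 if the signature is fine but a checksum does not match.
# Usage: verify_release MANIFEST
verify_release() {
    manifest=$1
    dir=$(dirname "$manifest")
    name=$(basename "$manifest")
    if ! gpg --batch --verify "$manifest.asc" "$manifest" 2>/dev/null; then
        echo "BAD signature on $name" >&2
        return 1
    fi
    if ! (cd "$dir" && sha256sum --check --status "$name"); then
        echo "checksum mismatch for a file listed in $name" >&2
        return 2
    fi
    echo "OK: $name is signed and every checksum matches"
}
```

Run `verify_release enlightenment-X.Y.Z-SHA-256.txt` in the download directory; a packaging system can call the same two steps (`gpg --verify`, then `sha256sum --check`) in the same order.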

beber added a subscriber: beber. Oct 2 2017, 2:01 PM