From: Christian Rebischke
Subject: Re: signed tarballs
Date: Thu, 13 Apr 2017 22:56:49 +0200
Message-ID: <20170413205649.GA19785@motoko>
References: <20170406233134.GA32113@motoko> <3197080.UOV2hoHuAT@x2> <20170411104403.GB386@motoko> <1591540.lCI4k97X9x@x2> <20170413202811.GA18419@motoko>
To: William Roberts
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thu, Apr 13, 2017 at 01:30:57PM -0700, William Roberts wrote:
> That's not true, he's providing you a detached signature via this
> mechanism. You just need to check the sha256sum before extraction.

The problem with providing only a SHA256 hash is that the hash was provided via an insecure channel. I can't be sure that the hash is really from him because he didn't even sign his mails. Someone could spoof his mail or MITM in the webserver with the tarballs, etc etc..

The only secure way to ensure the original content of the tarball is via signed tarballs signed by the developer. Checksums and signed tarballs are totally two different things.
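The check the thread is arguing about, written out as an added example (not part of this mail or of the audit project): verify a release tarball against a detached OpenPGP signature and pin the signer's fingerprint, next to a plain checksum comparison for contrast. It assumes GnuPG 2.x is installed; file names and the fingerprint are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the linux-audit thread. Assumes gpg (GnuPG 2.x);
# tarball, signature and fingerprint are placeholders passed by the caller.

# verify_tarball TARBALL SIGNATURE EXPECTED_FINGERPRINT
# Returns 0 only when gpg reports a good signature AND the key that made it
# is the one whose fingerprint was obtained out of band (key signing party,
# keyserver plus a trusted reference, a fingerprint published in a signed mail).
verify_tarball() {
    tarball=$1; sig=$2; expected_fpr=$3
    # Machine-readable status goes to stdout; human output to stderr is dropped.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || return 1
    # The VALIDSIG line carries the full fingerprint of the signing key.
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    [ -n "$fpr" ] || return 1
    # A good signature from the wrong key is still a failure.
    [ "$fpr" = "$expected_fpr" ] || return 2
    return 0
}

# check_sha256 TARBALL EXPECTED_HEX
# Detects corruption only: if the digest arrived over the same unauthenticated
# channel as the tarball, whoever replaced the tarball can replace the digest.
check_sha256() {
    tarball=$1; expected=$2
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}
```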