From: William Roberts
Subject: Re: signed tarballs
Date: Thu, 13 Apr 2017 14:00:31 -0700
References: <20170406233134.GA32113@motoko> <3197080.UOV2hoHuAT@x2> <20170411104403.GB386@motoko> <1591540.lCI4k97X9x@x2> <20170413202811.GA18419@motoko> <20170413205649.GA19785@motoko>
In-Reply-To: <20170413205649.GA19785@motoko>
To: Christian Rebischke
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Apr 13, 2017 13:56, "Christian Rebischke" wrote:

> On Thu, Apr 13, 2017 at 01:30:57PM -0700, William Roberts wrote:
> > That's not true, he's providing you a detached signature via this
> > mechanism. You just need to check the sha256sum before extraction.
>
> The problem with providing only a SHA256 hash is that the hash was
> provided via an insecure channel. I can't be sure that the hash is really
> from him because he didn't even sign his mails. Someone could spoof his
> mail or MITM the webserver with the tarballs, etc. etc.

Isn't the hash on the https people's page? Which last time I looked wasn't
throwing cert errors in chrome.

> The only secure way to ensure the original content of the tarball is via
> signed tarballs signed by the developer. Checksums and signed tarballs are
> totally two different things.
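The distinction being argued over in this thread, checksum versus developer signature, as an added example that is not part of the thread or of the audit project's release tooling. It is written in Go with Ed25519 standing in for the OpenPGP detached signature a developer would make with gpg; the trust argument is the same. The release contents, the `Developer`, `Release`, `Tamper` and `VerifyRelease` names, and the attacker model are all constructed for the example. `Tamper` covers the cases Christian lists (spoofed sender, MITM on the download path, or a compromised web server): in every one of them the attacker controls the checksum as well as the tarball, so `sha256sum -c` passes, while the signature fails because the private key never left the developer. The compromised-server case is also the one that HTTPS on the download page does not address, since TLS authenticates the server, not the file's author.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a downloader pulls from the web server: the tarball, the
// checksum published beside it, and a detached signature over the tarball.
// Ed25519 stands in for the OpenPGP (gpg) signature discussed in the thread.
type Release struct {
	Tarball  []byte
	Checksum string // hex SHA-256 of Tarball, served over the same channel
	Sig      []byte // detached signature over Tarball
}

// Developer holds the signing key. Only Pub is distributed, and it has to
// reach users out of band (keyserver, fingerprint in a signed mail, a
// previous release) for the signature check to mean anything.
type Developer struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewDeveloper() (*Developer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Developer{priv: priv, Pub: pub}, nil
}

// Publish produces the three artifacts the developer uploads.
func (d *Developer) Publish(tarball []byte) Release {
	sum := sha256.Sum256(tarball)
	return Release{
		Tarball:  tarball,
		Checksum: hex.EncodeToString(sum[:]),
		Sig:      ed25519.Sign(d.priv, tarball),
	}
}

// Tamper models an attacker on the download path: a spoofed site, a MITM,
// or a compromised web server. The checksum travels over the same channel
// as the tarball, so the attacker republishes a checksum of the replacement.
// Lacking the private key they cannot forge Sig, so the stale one is left.
func Tamper(r Release, replacement []byte) Release {
	sum := sha256.Sum256(replacement)
	return Release{
		Tarball:  replacement,
		Checksum: hex.EncodeToString(sum[:]),
		Sig:      r.Sig,
	}
}

// ChecksumOK is what `sha256sum -c` establishes: integrity relative to the
// published hash, which says nothing about who published that hash.
func ChecksumOK(r Release) bool {
	want, err := hex.DecodeString(r.Checksum)
	if err != nil {
		return false
	}
	got := sha256.Sum256(r.Tarball)
	return bytes.Equal(got[:], want)
}

// SignatureOK is what `gpg --verify tarball.sig tarball` establishes:
// authenticity relative to a key the downloader already trusts.
func SignatureOK(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Tarball, r.Sig)
}

// VerifyRelease is the download-side check, run before extraction. The
// checksum catches transport corruption; only the signature proves origin.
func VerifyRelease(pub ed25519.PublicKey, r Release) error {
	if !ChecksumOK(r) {
		return fmt.Errorf("checksum mismatch: corrupted or tampered download")
	}
	if !SignatureOK(pub, r) {
		return fmt.Errorf("signature does not verify: tarball is not from the key holder")
	}
	return nil
}

func main() {
	dev, err := NewDeveloper()
	if err != nil {
		panic(err)
	}
	// Constructed sample artifact; not a real audit release.
	genuine := dev.Publish([]byte("audit-x.y.z.tar.gz contents (constructed)"))
	fmt.Println("genuine release:", VerifyRelease(dev.Pub, genuine))

	// The attacker swaps the tarball and the checksum that sits beside it.
	evil := Tamper(genuine, []byte("same filename, backdoored contents (constructed)"))
	fmt.Println("tampered, checksum alone passes:", ChecksumOK(evil))
	fmt.Println("tampered, with signature:", VerifyRelease(dev.Pub, evil))
}
```

The ordering in `VerifyRelease` is deliberate: a checksum failure is a cheap early exit for a corrupt download, but a passing checksum is never treated as sufficient, which is the point the thread is making.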