Please PGP-sign releases

Denys Vlasenko vda.linux at googlemail.com
Tue Jun 5 16:05:25 UTC 2018


On Thu, May 24, 2018 at 3:54 PM, Eli Schwartz <eschwartz at archlinux.org> wrote:
> Currently busybox distributes the file
> https://busybox.net/downloads/busybox-1.28.4.tar.bz2.sign which is an
> armored plaintext file containing inline md5sums/sha1sums in a sea of
> text which cannot be easily parsed by e.g. distro packaging tooling.
> (FWIW, I'm a distro packager who would like to use signatures of the
> tarball itself.)
>
> It would be far more efficient IMHO to simply sign the release tarball
> itself, so it could be directly verified.
>
> This would be as simple as replacing "signit" in
> https://git.busybox.net/busybox/tree/scripts/bb_release with `gpg
> --detach-sign`
>
> If there's any interest in providing checksums as well, this would best
> be provided with e.g. standard file.sha256 files containing *just* the
> output of the relevant coreutils checksumming command, which can be used
> directly as input to said command when verifying rather than first
> manually parsing the file contents.
>
> ...
>
> As a separate issue, the current signing key is dsa1024 which is
> extremely old and not considered to be secure. It would be in general a
> good idea to create a new rsa4096 key and use that going forward.

Can you expand on this? I'm no distro maintainer and have absolutely
zero idea what would be the most comfortable for you guys.
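A sketch of the release flow Eli describes, added here as an example rather than anything taken from bb_release or the busybox project: it writes a checksum-only .sha256 file, verifies it strictly, produces a detached signature beside the tarball, and rejects a signing key in the dsa1024 class. It assumes GNU coreutils sha256sum and gpg; the key id, tarball name and file contents are constructed placeholders.

```shell
#!/bin/sh
# Added example (not busybox's bb_release): a detached GPG signature plus a
# plain .sha256 file for a release tarball, and a check on the signing key.
# Assumes coreutils sha256sum and gpg; key id and contents are placeholders.
set -eu

# Write "<hash>  <basename>" only, so consumers can feed it straight to sha256sum -c.
write_sha256_file() {
    dir=$(dirname "$1"); base=$(basename "$1")
    (cd "$dir" && sha256sum "$base" > "$base.sha256")
}

# Verify with --strict so any non-checksum text ("a sea of text") makes it fail.
verify_sha256_file() {
    dir=$(dirname "$1"); base=$(basename "$1")
    (cd "$dir" && sha256sum -c --strict --quiet "$base.sha256" >/dev/null 2>&1)
}

# Detached, armored signature next to the tarball (replaces the inline "signit" style).
sign_release() {            # $1 = tarball, $2 = signing key id (placeholder)
    gpg --batch --yes --local-user "$2" --armor --detach-sign --output "$1.asc" "$1"
}
verify_signature() {        # $1 = tarball; needs the release key in the keyring
    gpg --batch --verify "$1.asc" "$1"
}

# Check a 'pub' line from `gpg --with-colons --list-keys`: field 3 = key bits,
# field 4 = algorithm (1 = RSA, 17 = DSA, 22 = EdDSA). Accept RSA >= 3072 or EdDSA.
key_is_acceptable() {
    bits=$(printf '%s' "$1" | cut -d: -f3); algo=$(printf '%s' "$1" | cut -d: -f4)
    case "$algo" in
        22) return 0 ;;
        1) [ "$bits" -ge 3072 ] ;;
        *) return 1 ;;
    esac
}

# Constructed demo: a fake tarball in a temp dir, checksum written and verified,
# then the tarball is altered to show the check fails.
demo() {
    tmp=$(mktemp -d); f="$tmp/busybox-1.28.4.tar.bz2"
    printf 'constructed tarball contents\n' > "$f"
    write_sha256_file "$f"
    verify_sha256_file "$f" || return 1
    printf 'tampered\n' >> "$f"
    if verify_sha256_file "$f"; then return 1; fi
    rm -rf "$tmp"
}
```

`demo` exercises only the checksum path; `sign_release` and `verify_signature` need a real key in the local keyring.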