
[Gnu-arch-users] signatures and checking


From: Tom Lord
Subject: [Gnu-arch-users] signatures and checking
Date: Mon, 26 Jan 2004 16:58:51 -0800 (PST)


Several people have all agreed that the correct thing to do with
signed checksum files is to ask gpg to print the signed content to
stdout and to use that output rather than the contents of the file
when parsing checksum data.

They point out that, for example, gpg might perform some kind of
quoting on the checksum data and that quoting can only be reliably
reversed by asking GPG to make the reversal.

I believe that that view is incorrect, though I'd like some feedback
about my opinion in case I've missed something obvious.

I would like checksum files to have the following properties:

1. Checksum data can be reliably extracted from them by tla 
   _even_if_ the user has no ~/.arch-params/.../*.check file
   for the relevant archive.


2. They are "all in one" -- tla can read them, along with the 
   signature, in a single file-fetch from the archive.
   In other words, detached signatures are not an option.


Now, to be sure, an _arbitrary_ signing program can not be used and
satisfy these constraints.   For example, a hypothetical `bizarro-gpg' 
whose --clearsign output is always in UTF-16le would not do.

And an _arbitrary_ checksum data syntax can not be used with
these constraints.   For example, if the checksum data syntax
included lines of the form 

  -----BEGIN PGP SIGNED MESSAGE-----

then all heck would break loose.


But in reality, we don't _need_ an arbitrary `bizarro-gpg' to work.

And in reality, our checksum data syntax is extremely conservative and
draws on a very limited character set.   One would have to work really
hard to design a signing program that would be incompatible.

So I'm back to thinking that the right short term fix for the security
issue is just to provide, say, an awk script that users can use
instead of calling gpg (or agpg or whatever) directly in their .check
files.

And the right long-term fix is to ask for a new option in gpg.

-t
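
The following is an added example, not part of the message above and not the awk script it proposes: a strict reader that prints the text of a clearsigned file only when the file is exactly one clearsigned message, with nothing outside the armor, no dash-escaped lines and no trailing whitespace, so that the file's text and the signed text cannot differ. The function names and checksum lines are constructed for illustration (they are not tla's syntax), and the signature itself must still be verified with gpg.

```shell
# Added example. Prints the signed text of a clearsigned file, or fails.
# It does NOT verify the signature; gpg --verify must still pass.
extract_signed() {
    awk '
    BEGIN { state = "start" }
    state == "start" {            # first line must open the signed message
        if ($0 == "-----BEGIN PGP SIGNED MESSAGE-----") { state = "hdr"; next }
        bad = 1; exit
    }
    state == "hdr" {              # only Hash: headers, then one blank line
        if ($0 == "") { state = "body"; next }
        if ($0 ~ /^Hash: /) next
        bad = 1; exit
    }
    state == "body" {
        if ($0 == "-----BEGIN PGP SIGNATURE-----") { state = "sig"; next }
        # A leading "-" means dash-escaping or a stray armor line; trailing
        # blanks are not covered by the signature. Refuse both.
        if ($0 ~ /^-/ || $0 ~ /[ \t]$/) { bad = 1; exit }
        body[++n] = $0; next
    }
    state == "sig" {              # skip the armored signature itself
        if ($0 == "-----END PGP SIGNATURE-----") state = "done"
        next
    }
    state == "done" && $0 != "" { bad = 1; exit }   # data after the armor
    END {
        if (bad || state != "done") exit 1
        for (i = 1; i <= n; i++) print body[i]
    }' "$1"
}

# Constructed sample: not tla's checksum syntax, placeholder signature.
sample_clearsigned() {
    cat <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

md5 file-a.tar.gz 0123456789abcdef
md5 file-b.patch fedcba9876543210
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-NOT-A-REAL-SIGNATURE
-----END PGP SIGNATURE-----
EOF
}

demo=$(mktemp) && sample_clearsigned > "$demo" && extract_signed "$demo"
rm -f "$demo"
```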