Re: Need better release validation documentation/strategy.
From: Bob Friesenhahn
Subject: Re: Need better release validation documentation/strategy.
Date: Sat, 9 Apr 2022 09:36:22 -0500 (CDT)
User-agent: Alpine 2.20 (GSO 67 2015-01-07)
On Fri, 8 Apr 2022, ckeader wrote:
> The key server network as we knew it is dead and buried, and I would not
> expect any of them to provide complete or indeed reliable information.
> This article explains why:
> https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f.
> There was some discussion at the time over on gnupg-users also.
This was fascinating reading, and I was not aware of any of it before.
Unfortunately, I have not figured out how to follow its advice yet.
Everything related to OpenPGP is extremely obtuse with massive amounts
of documentation.
OpenSSH 8 and later offer a facility which allows validating a file's
origin and integrity given a certificate (see
https://www.agwa.name/blog/post/ssh_signatures). I gave this a try and
it was remarkably simple. It is several orders of magnitude less
complex than OpenPGP and many people use OpenSSH. Unfortunately, not
all systems have OpenSSH 8 yet (or will ever have OpenSSH). Another
issue is that users could be confused by ".sig" files and won't know
if they should use OpenSSH or gpg to validate with them without
looking at the content.
> Providing the signer's pub keys on a (secured) web site seems to be the
> best option for now.
I have been using several mechanisms, including an insecure URL link
as is shown in my email signature text.
> An important question has not been asked yet, IMHO - why are maintainers
> using this relatively obscure method for hashing?
Yes, this is very obscure and it defeats the purpose, which should be
to encourage verification.
Bob
--
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt
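The OpenSSH signature facility Bob describes above, as an added example that is not part of the thread or of GraphicsMagick's release process: it signs a constructed release artifact with `ssh-keygen -Y sign`, verifies it against an `allowed_signers` file of the kind a project would publish on its https:// site, checks that a tampered copy fails, and sniffs a `.sig` file's content to tell an SSH signature from an OpenPGP one (the ".sig" ambiguity raised above). The key, the signer identity `release@example.org`, the file names and the file contents are all assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or GraphicsMagick).
# Requires OpenSSH 8.1 or later for "ssh-keygen -Y verify" with an
# allowed_signers file. Identity, key, file names and contents are constructed.
set -eu

# Classify a detached signature by its content, not by the ".sig" suffix.
# Prints one of: ssh | pgp-armored | pgp-binary | unknown
sig_kind() {
    first=$(od -An -t x1 -N 1 "$1" | tr -d ' \n')
    case "$first" in
        2d)  # '-' : ASCII armour; the header line says whose armour it is
            case "$(head -n 1 "$1" | tr -d '\r')" in
                "-----BEGIN SSH SIGNATURE-----") echo ssh ;;
                "-----BEGIN PGP SIGNATURE-----") echo pgp-armored ;;
                *) echo unknown ;;
            esac ;;
        # Binary OpenPGP signature packet (tag 2): old-format headers
        # 0x88/0x89/0x8a or new-format header 0xc2 (RFC 4880 section 4.2).
        88|89|8a|c2) echo pgp-binary ;;
        *) echo unknown ;;
    esac
}

# Sign file $2 with private key $1; ssh-keygen writes "$2.sig".
# The namespace "file" is the convention for signing files; a signature made
# under another namespace (e.g. "email") will not verify as a file signature.
ssh_sign_file() {
    ssh-keygen -Y sign -f "$1" -n file "$2"
}

# Verify file $3 against "$3.sig" using allowed_signers file $1 and signer
# identity $2. Exit status is ssh-keygen's: 0 only for a good signature by
# a key listed for that identity.
ssh_verify_file() {
    ssh-keygen -Y verify -f "$1" -I "$2" -n file -s "$3.sig" < "$3"
}

# End-to-end demonstration in a temporary directory: generate a throwaway
# ed25519 key, publish its public half as allowed_signers, sign a constructed
# tarball, verify it, then show that a modified tarball no longer verifies.
# Returns 0 when every step behaves as expected.
demo_ssh_release_signing() {
    dir=$(mktemp -d)
    identity="release@example.org"            # assumed signer identity
    artifact="$dir/project-1.0.tar.xz"        # constructed release artifact
    ssh-keygen -q -t ed25519 -N '' -C "$identity" -f "$dir/release_key"
    # allowed_signers line: "<principal> <key-type> <base64 key>"
    printf '%s %s\n' "$identity" "$(cut -d' ' -f1,2 "$dir/release_key.pub")" \
        > "$dir/allowed_signers"
    printf 'constructed release contents\n' > "$artifact"

    ssh_sign_file "$dir/release_key" "$artifact" 2>/dev/null
    [ "$(sig_kind "$artifact.sig")" = ssh ] || return 1
    ssh_verify_file "$dir/allowed_signers" "$identity" "$artifact" >/dev/null || return 1

    # Tamper with the artifact: verification must now fail.
    printf 'x' >> "$artifact"
    if ssh_verify_file "$dir/allowed_signers" "$identity" "$artifact" >/dev/null 2>&1; then
        return 1
    fi
    rm -rf "$dir"
    return 0
}

if [ "${1:-}" = "demo" ]; then
    demo_ssh_release_signing && echo "OK: signature verified, tampered copy rejected"
fi
```

Run it as `sh example.sh demo`. For a real release the private key stays on the signing machine, the `allowed_signers` file is what users fetch from the project's https:// site, and they verify with `ssh-keygen -Y verify -f allowed_signers -I <identity> -n file -s release.tar.xz.sig < release.tar.xz`.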