[rb-general] [jvm] How to share rebuilder attestations

Hervé Boutemy hboutemy at apache.org
Wed Jan 9 08:30:50 CET 2019


On Monday 7 January 2019, 14:39:35 CET, Daniel Shahaf wrote:
> > > - What exactly gets PGP-signed?  (The binary artifact?  The buildinfo?
> > > 
> > >   If the latter, how does one then establish trust in the binary
> > >   artifact?)
> > 
> > good question:
> > the rebuilder's buildinfo, for sure, gets signed by the rebuilder
> > Signing the binary artifact could make sense, but the workflow for that may
> > not be easy...
> > Signing the original buildinfo file to me does not really make sense: if we
> > sign an existing file, IMHO it's better to go with the binary artifact
> 
> Once again I disagree.  A rebuilder _can_ sign both the input
> buildinfo file and the output buildinfo file, *provided that the
> signature explains that difference*.
I don't get what you mean by a signature explaining a difference: when 
signing, is there some feature to add extra text (that would contain the 
explanation)?

> For example, suppose I get this
> input buildinfo file:
> 
>     # File A: input buildinfo
>     Package-filename: hello-1.0.tar.xz
>     Checksum: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
>     Build-on: FreeBSD
> 
> then I rebuild and produce some binary package (not shown) and an output
> buildinfo file:
> 
>     # File B: output buildinfo
>     Package-filename: hello-1.0.tar.xz
>     Checksum: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
>     Build-on: Debian
> 
> then there is nothing stopping me from signing a statement to the effect
> of "I have successfully rebuilt File A, a buildinfo file whose full
> contents are <such and such>".  The data model simply needs to be
> designed in such a way that verifiers know whether a signature on a
> buildinfo file means that I _produced_ it or that I _attest_ to it.
> 
> Of course, even if I attest-sign File A, I should still produced-sign
> File B.
> 
> Cheers,
> 
> Daniel
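The data model Daniel describes above, worked through as an added example (this is not code from either participant or from the Reproducible Builds project): the object a rebuilder signs carries a role field alongside the digest of the buildinfo it refers to, so a signature over File A means "I attest that I rebuilt this" while a signature over File B means "I produced this", and a verifier can tell the two apart without guessing. The JSON layout, the field names, the buildinfo filename `hello-1.0.buildinfo`, the signer id and the use of HMAC-SHA256 in place of a PGP signature are all assumptions made for this example; a real rebuilder would sign the canonical statement (or an equivalent clearsigned text) with its PGP key.

```python
import hashlib
import hmac
import json

# Constructed sample buildinfo files, mirroring File A and File B in the thread.
FILE_A = (
    "Package-filename: hello-1.0.tar.xz\n"
    "Checksum: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n"
    "Build-on: FreeBSD\n"
)
FILE_B = FILE_A.replace("Build-on: FreeBSD", "Build-on: Debian")

# Assumed demo key; it stands in for the rebuilder's PGP key (hypothetical).
REBUILDER_KEY = b"rebuilder-demo-key"
ROLES = ("produced", "attested")


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def make_statement(role: str, filename: str, content: str, signer: str) -> dict:
    """Statement the rebuilder signs. The role is part of the signed bytes, so
    relabelling an attestation as production invalidates the signature."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    return {
        "role": role,
        "signer": signer,
        "subject": {"name": filename, "sha256": sha256_hex(content)},
    }


def canonical(statement: dict) -> bytes:
    # Deterministic encoding so signer and verifier MAC identical bytes.
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()


def sign(statement: dict, key: bytes) -> str:
    # HMAC-SHA256 stands in for a PGP signature in this example (assumption).
    return hmac.new(key, canonical(statement), hashlib.sha256).hexdigest()


def rebuilder_publish(key, signer, input_buildinfo, output_buildinfo, filename):
    """What a rebuilder publishes: an attest-signature over the input buildinfo
    it reproduced, and a produced-signature over the buildinfo it generated."""
    attest = make_statement("attested", filename, input_buildinfo, signer)
    produced = make_statement("produced", filename, output_buildinfo, signer)
    return [(attest, sign(attest, key)), (produced, sign(produced, key))]


def verify(statement, signature, key, content):
    """Return the role the signer claims over `content` ("produced" or
    "attested"), or None if the signature or the content digest fails."""
    if not hmac.compare_digest(sign(statement, key), signature):
        return None
    if statement.get("role") not in ROLES:
        return None
    if statement["subject"]["sha256"] != sha256_hex(content):
        return None
    return statement["role"]


if __name__ == "__main__":
    published = rebuilder_publish(REBUILDER_KEY, "rebuilder-1", FILE_A, FILE_B,
                                  "hello-1.0.buildinfo")
    for stmt, sig in published:
        subject = FILE_A if stmt["role"] == "attested" else FILE_B
        print(stmt["role"], "->", verify(stmt, sig, REBUILDER_KEY, subject))
```

The point of the role field is that the verifier learns the meaning of the signature from the signed bytes themselves, rather than from where the file was downloaded. Since the role and the digest are both under the signature, neither can be swapped after the fact: presenting the attestation over File A as a production claim, or pairing it with File B, fails verification.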