[rb-general] [jvm] How to share rebuilder attestations
Hervé Boutemy
hboutemy at apache.org
Wed Jan 9 08:30:50 CET 2019
On Monday 7 January 2019, 14:39:35 CET Daniel Shahaf wrote:
> > > - What exactly gets PGP-signed? (The binary artifact? The buildinfo?
> > >
> > > If the latter, how does one then establish trust in the binary
> > > artifact?)
> >
> > good question:
> > the rebuilder's buildinfo, for sure, gets signed by the rebuilder
> > Signing the binary artifact could make sense, but the workflow for that
> > may not be easy...
> > Signing the original buildinfo file to me does not really make sense: if
> > we sign an existing file, IMHO it's better to go with the binary artifact
>
> Once again I disagree. A rebuilder _can_ sign both the input
> buildinfo file and the output buildinfo file, *provided that the
> signature explains that difference*.
I don't get what you mean by a signature explaining a difference: when
signing, is there some feature to add extra text (that would contain the
explanation)?
> For example, suppose I get this
> input buildinfo file:
>
> # File A: input buildinfo
> Package-filename: hello-1.0.tar.xz
> Checksum: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
> Build-on: FreeBSD
>
> then I rebuild and produce some binary package (not shown) and an output
> buildinfo file:
>
> # File B: output buildinfo
> Package-filename: hello-1.0.tar.xz
> Checksum: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
> Build-on: Debian
>
> then there is nothing stopping me from signing a statement to the effect
> of "I have successfully rebuilt File A, a buildinfo file whose full
> contents are <such and such>". The data model simply needs to be
> designed in such a way that verifiers know whether a signature on a
> buildinfo file means that I _produced_ it or that I _attest_ to it.
>
> Of course, even if I attest-sign File A, I should still produced-sign
> File B.
>
> Cheers,
>
> Daniel
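The data model Daniel sketches above, as an added example that is not part of the original thread and not code from the Reproducible Builds project: the signer's role ("produced" or "attests") is part of the signed content, an attestation also carries the digest of the rebuilder's own output, and the verifier reads the role off the verified statement instead of guessing it from the file. The two buildinfo files are constructed from the thread's File A and File B; the HMAC key stands in for the rebuilder's PGP key so the example runs with only the Python standard library, and all field names are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample data modelled on File A and File B in the thread
# (not real artifacts from any archive).
INPUT_BUILDINFO = (
    b"Package-filename: hello-1.0.tar.xz\n"
    b"Checksum: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n"
    b"Build-on: FreeBSD\n"
)
OUTPUT_BUILDINFO = (
    b"Package-filename: hello-1.0.tar.xz\n"
    b"Checksum: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n"
    b"Build-on: Debian\n"
)

# Assumed rebuilder key: an HMAC stands in for the rebuilder's PGP key here.
REBUILDER_KEY = b"example-rebuilder-key"
ROLES = ("produced", "attests")  # assumed vocabulary for the signed role field


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _canonical(statement):
    # Deterministic encoding so signer and verifier MAC identical bytes.
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()


def make_statement(role, buildinfo, signer, rebuilt_output=None):
    """Unsigned statement. The role is inside the signed content, so a verifier
    always learns whether the signer produced the file or attests to it."""
    if role not in ROLES:
        raise ValueError("unknown role %r" % role)
    statement = {
        "version": 1,
        "signer": signer,
        "role": role,
        "buildinfo-sha256": sha256_hex(buildinfo),
    }
    if role == "attests":
        # An attestation says "I rebuilt this"; bind it to the output it produced.
        if rebuilt_output is None:
            raise ValueError("an attestation must reference the rebuilder's own output")
        statement["rebuilt-output-sha256"] = sha256_hex(rebuilt_output)
    return statement


def sign(statement, key):
    sig = hmac.new(key, _canonical(statement), hashlib.sha256).hexdigest()
    return {"statement": statement, "signature": sig}


def verify(bundle, key, buildinfo):
    """Check the signature and that it covers this buildinfo file; return the
    statement so the caller can read the role. Raises ValueError otherwise."""
    statement, sig = bundle["statement"], bundle["signature"]
    expected = hmac.new(key, _canonical(statement), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    if statement.get("role") not in ROLES:
        raise ValueError("statement does not say whether the signer produced or attests")
    if statement["buildinfo-sha256"] != sha256_hex(buildinfo):
        raise ValueError("signature is over a different buildinfo file")
    return statement


def role_of(bundle, key, buildinfo):
    """Signer's role for this buildinfo, or None when verification fails."""
    try:
        return verify(bundle, key, buildinfo)["role"]
    except ValueError:
        return None


def rebuilder_sign_both(signer, key, input_bi, output_bi):
    """What the thread describes: attest-sign File A, produced-sign File B."""
    attest = sign(make_statement("attests", input_bi, signer, rebuilt_output=output_bi), key)
    produced = sign(make_statement("produced", output_bi, signer), key)
    return attest, produced


def relabel_attempt(bundle, new_role):
    """Change the role without re-signing; verify() must reject the result."""
    tampered = json.loads(json.dumps(bundle))
    tampered["statement"]["role"] = new_role
    return tampered


if __name__ == "__main__":
    a, p = rebuilder_sign_both("rebuilder@example.org", REBUILDER_KEY,
                               INPUT_BUILDINFO, OUTPUT_BUILDINFO)
    print("File A:", role_of(a, REBUILDER_KEY, INPUT_BUILDINFO))
    print("File B:", role_of(p, REBUILDER_KEY, OUTPUT_BUILDINFO))
    print("File A with File B's signature:", role_of(p, REBUILDER_KEY, INPUT_BUILDINFO))
    print("relabelled:", role_of(relabel_attempt(a, "produced"), REBUILDER_KEY, INPUT_BUILDINFO))
```

Two properties carry the argument: the produced-signature on File B does not verify against File A (different digest), and re-labelling an attestation as "produced" without re-signing fails because the role is under the signature. With PGP in place of the HMAC the same shape works, since a PGP signature over the canonical statement covers the role field in exactly the same way.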