[rb-general] [jvm] How to share rebuilder attestations
Daniel Shahaf
danielsh at apache.org
Wed Jan 9 09:29:34 CET 2019
Hervé Boutemy wrote on Wed, 09 Jan 2019 08:30 +0100:
> Le lundi 7 janvier 2019, 14:39:35 CET Daniel Shahaf a écrit :
> > Once again I disagree. A rebuilder _can_ sign both the input
> > buildinfo file and the output buildinfo file, *provided that the
> > signature explains that difference*.
> I don't get what you mean by a signature explaining a difference: when
> signing, is there some feature to add extra text (that would contain the
> explanation)?
I don't know if OpenPGP has such a feature, but it doesn't matter. You
could do something along these lines:
% rebuild input.buildinfo --output-file-name=output.buildinfo
% if buildinfos-match input.buildinfo output.buildinfo; then
    (printf '\0'; cat input.buildinfo) | gpg --detach-sign -o input.buildinfo.attestation-asc
    (printf '\1'; cat output.buildinfo) | gpg --detach-sign -o output.buildinfo.production-asc
  fi
And yes, that's a very minimal example, but it illustrates the principle:
define a file format that securely provides the additional information.
Cryptographic signatures do exactly one thing: they link a document to
a principal. One can build various semantics on top of that. For that
matter, one could define a protocol that uses cryptographic signatures
to say "I have tested the subject file and I proclaim that it contains a
virus".
Cheers,
Daniel
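The scheme sketched in the message above, written out as an added example that is not part of the post: a role byte is prepended to the buildinfo before signing, so a signature that means "I rebuilt this and it matched" cannot be passed off as "I produced this", even though the two buildinfo files are byte-identical. The signature primitive is a stand-in (HMAC-SHA256 under a constructed key in place of the OpenPGP key), and the file names and sample buildinfo content are constructed for the example.

```python
import hashlib
import hmac

# Role tags, as in the shell sketch: the leading byte states what the signature means.
TAG_ATTESTATION = b"\x00"  # rebuilder: "I rebuilt this input and the result matched"
TAG_PRODUCTION = b"\x01"   # producer: "I built this output"

# Stand-in for the signing key (constructed; HMAC replaces the OpenPGP signature here).
REBUILDER_KEY = b"example-rebuilder-key-not-a-real-secret"

# Constructed sample buildinfo content, not a real buildinfo file.
SAMPLE_BUILDINFO = b"name=example\nversion=1.0\noutputs.jar.sha256=0123abcd\n"


def sign(tag: bytes, document: bytes, key: bytes = REBUILDER_KEY) -> bytes:
    """Sign tag || document, so the role is bound into the bytes the signature covers."""
    if tag not in (TAG_ATTESTATION, TAG_PRODUCTION):
        raise ValueError("unknown role tag")
    return hmac.new(key, tag + document, hashlib.sha256).digest()


def verify(tag: bytes, document: bytes, signature: bytes, key: bytes = REBUILDER_KEY) -> bool:
    """A verifier must say which role it expects; the wrong role fails even on identical bytes."""
    return hmac.compare_digest(sign(tag, document, key), signature)


def buildinfos_match(a: bytes, b: bytes) -> bool:
    """Stand-in for `buildinfos-match`: whole-file byte equality (constructed)."""
    return a == b


def attest_rebuild(input_buildinfo: bytes, output_buildinfo: bytes):
    """Mirror the `if` in the sketch: only when the rebuild matches, emit both signatures."""
    if not buildinfos_match(input_buildinfo, output_buildinfo):
        return None
    return {
        "input.buildinfo.attestation": sign(TAG_ATTESTATION, input_buildinfo),
        "output.buildinfo.production": sign(TAG_PRODUCTION, output_buildinfo),
    }


def check_roles(document: bytes) -> dict:
    """Show that each signature verifies only under the role it was made for."""
    sigs = attest_rebuild(document, document)
    att, prod = sigs["input.buildinfo.attestation"], sigs["output.buildinfo.production"]
    return {
        "attestation_as_attestation": verify(TAG_ATTESTATION, document, att),
        "production_as_production": verify(TAG_PRODUCTION, document, prod),
        "attestation_as_production": verify(TAG_PRODUCTION, document, att),  # rejected
        "production_as_attestation": verify(TAG_ATTESTATION, document, prod),  # rejected
    }
```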