[rb-general] [jvm] How to share rebuilder attestations

Daniel Shahaf danielsh at apache.org
Wed Jan 9 09:29:34 CET 2019

Hervé Boutemy wrote on Wed, 09 Jan 2019 08:30 +0100:
> Le lundi 7 janvier 2019, 14:39:35 CET Daniel Shahaf a écrit :
> > Once again I disagree.  A rebuilder _can_ sign the both the input
> > buildinfo file and the output buildinfo file, *provided that the
> > signature explains that difference*.
> I don't get what you mean by a signature explaining a difference: when 
> signing, is there some feature to add extra text (that would contain the 
> explanation)?

I don't know if OpenPGP has such a feature, but it doesn't matter.  You
could, do something along these lines:

% rebuild input.buildinfo --output-file-name=output.buildinfo
% if buildinfos-match input.buildinfo output.buildinfo; then
    (printf '\0'; cat input.buildinfo) | gpg --detach-sign -o input.buildinfo.attestation-asc
    (printf '\1'; cat output.buildinfo) | gpg --detach-sign -o output.buildinfo.production-asc

And yes, that's a very minimal example, but it illustrates the principle:
define a file format that securely provides the additional information.

Cryptographic signatures do exactly one thing:  they link a document to
a principal.  One can build various semantics on top of that.  For that
matter, one could define a protocol that uses cryptographic signatures
to say "I have tested the subject file and I proclaim that it contains a



More information about the rb-general mailing list