Please review the draft for March's report
Bernhard M. Wiedemann
bernhardout at lsmod.de
Tue Apr 6 09:22:09 UTC 2021
On 06/04/2021 02.24, Daniel Shahaf wrote:
> I don't understand from that post what's so significant about sigstore,
> even after having followed the link to upstream's press release.
I think the problem that it tries to address is that most (90%?) of
upstreams publish just tarballs/zipfiles without a cryptographic
signature, e.g. [1].
So as a packager, I download the file and have no way to verify that I
got what the author meant to publish.
Now, if you have a third party that also downloads the file and
publishes a signature over what it got, you at least have another data
point that helps you verify that your local wifi or a rogue mirror did
not MITM your transfer, or at least that everyone gets the same version
(you could call it "reproducible downloads").
If it ever happens that such a 3rd-party signing key leaks, you do not
want years of signatures to become worthless => this is why they make
keys short-lived, similar to how you can make syslogs tamper-proof.
[1] https://ftp.gnu.org/gnu/autoconf/
https://avahi.org/download/
https://download.gnome.org/sources/audiofile/0.3/
http://mirror.synyx.de/apache/httpd/mod_fcgid/
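An added illustration of the idea in the reply above (not code from this thread or from the sigstore project): a Go model of a third-party "witness" that signs the digest of what it downloaded with a short-lived key, and a packager check that the signing time falls inside the key's window, the signature verifies, and the local download hashes to the same digest. The types, function names and the `digest|time` payload format are hypothetical; sigstore's real certificate issuance and transparency log are assumed away.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

// Witness is a third party that downloads an upstream tarball and signs the digest it
// got with a short-lived key. A simplified stand-in for the idea, not sigstore's format.
type Witness struct {
	pub                 ed25519.PublicKey
	priv                ed25519.PrivateKey
	notBefore, notAfter time.Time // validity window of the short-lived key
}
// Attestation says "at SignedAt I saw an artifact with this SHA-256 digest".
type Attestation struct {
	Digest   string
	SignedAt time.Time
	Sig      []byte
}
func NewWitness(now time.Time, ttl time.Duration) *Witness {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	return &Witness{pub: pub, priv: priv, notBefore: now, notAfter: now.Add(ttl)}
}
func Digest(b []byte) string { sum := sha256.Sum256(b); return hex.EncodeToString(sum[:]) }
// payload binds the digest to the signing time so neither can be swapped afterwards.
func payload(d string, t time.Time) []byte { return []byte(d + "|" + t.UTC().Format(time.RFC3339)) }
func (w *Witness) Attest(artifact []byte, now time.Time) Attestation {
	d := Digest(artifact)
	return Attestation{Digest: d, SignedAt: now, Sig: ed25519.Sign(w.priv, payload(d, now))}
}

// Verify is the packager's check: signing time inside the key window (in practice a
// transparency log supplies that time, so a key leaking after expiry forges nothing),
// a valid signature, and a local download hashing to what the witness saw.
func Verify(w *Witness, a Attestation, local []byte) error {
	if a.SignedAt.Before(w.notBefore) || a.SignedAt.After(w.notAfter) {
		return errors.New("attestation dated outside key validity window")
	}
	if !ed25519.Verify(w.pub, payload(a.Digest, a.SignedAt), a.Sig) {
		return errors.New("bad witness signature")
	}
	if Digest(local) != a.Digest {
		return errors.New("local download differs from what the witness saw")
	}
	return nil
}
```

Running several independent witnesses and requiring their digests to agree is the "reproducible downloads" variant; each one is just another Verify call against the same local file.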