Please review the draft for March's report

Bernhard M. Wiedemann bernhardout at lsmod.de
Tue Apr 6 09:22:09 UTC 2021


On 06/04/2021 02.24, Daniel Shahaf wrote:
> I don't understand from that post what's so significant about sigstore,
> even after having followed the link to upstream's press release.  

I think the problem that it tries to address is that most (90%?) of
upstreams publish just tarballs/zipfiles without a cryptographic
signature. E.g. [1]
So as a packager, I download the file and have no way to verify that I
got what the author meant to publish.

Now, if you have a third party that also downloads the file and
publishes a signature over what it got, you at least have another data
point that helps you verify that your local wifi or a rogue mirror did
not mitm your transfer or that at least everyone gets the same version
(you could call it "reproducible downloads").

If it ever happens that such a 3rd party signing key leaks, you do not
want years of signatures to become worthless => this is why they make
keys short-lived - similar to how you can make syslogs tamper-proof.


[1]  https://ftp.gnu.org/gnu/autoconf/
     https://avahi.org/download/
     https://download.gnome.org/sources/audiofile/0.3/
     http://mirror.synyx.de/apache/httpd/mod_fcgid/
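The download-witness check described in the reply above, as an added example in Go (not code from the email, from sigstore, or from the rb-general list): a hypothetical witness hashes the bytes it downloaded and signs the digest with a key that is valid for only a few minutes; the packager then checks that its own copy has the same digest and that the signature was made inside the key's validity window, so a key that leaks after its window cannot be used to produce signatures the packager accepts. The names (Witness, KeyRecord, Attestation, VerifyDownload) are invented, the artifact bytes are constructed, and the signing timestamp is assumed to be trustworthy (in sigstore that is what the transparency log provides; here it is simply a field the verifier believes).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// KeyRecord is what the packager learns out of band about one witness key:
// the public key and the short window in which it was allowed to sign.
// (Assumed simplification: sigstore binds this via a short-lived certificate.)
type KeyRecord struct {
	Pub       ed25519.PublicKey
	NotBefore time.Time
	NotAfter  time.Time
}

// Attestation is what the witness publishes about one download.
type Attestation struct {
	Digest   string    // hex SHA-256 of the bytes the witness received
	SignedAt time.Time // signing time; assumed trustworthy in this example
	Sig      []byte    // Ed25519 signature over signedMessage(Digest, SignedAt)
}

// Witness is the hypothetical third party that downloads and signs.
type Witness struct {
	priv ed25519.PrivateKey
	Rec  KeyRecord
}

// NewWitness generates a fresh key that is valid only for `lifetime` from `now`.
func NewWitness(now time.Time, lifetime time.Duration) (*Witness, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rec := KeyRecord{Pub: pub, NotBefore: now, NotAfter: now.Add(lifetime)}
	return &Witness{priv: priv, Rec: rec}, nil
}

// signedMessage binds the digest to the signing time, so a signature cannot
// be re-used under a different timestamp.
func signedMessage(digest string, at time.Time) []byte {
	return []byte(digest + "\n" + at.UTC().Format(time.RFC3339))
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Sign records what the witness actually received. It deliberately does not
// refuse to sign outside the key window: rejecting such signatures is the
// verifier's job, which is exactly what short-lived keys buy you.
func (w *Witness) Sign(received []byte, now time.Time) Attestation {
	d := sha256Hex(received)
	return Attestation{Digest: d, SignedAt: now, Sig: ed25519.Sign(w.priv, signedMessage(d, now))}
}

// VerifyDownload is the packager side: does my local copy match what the
// witness saw, and was it signed while the witness key was still valid?
func VerifyDownload(local []byte, a Attestation, rec KeyRecord) error {
	if sha256Hex(local) != a.Digest {
		return errors.New("digest mismatch: local copy differs from what the witness received")
	}
	if a.SignedAt.Before(rec.NotBefore) || a.SignedAt.After(rec.NotAfter) {
		return errors.New("signature timestamp is outside the key's validity window")
	}
	if !ed25519.Verify(rec.Pub, signedMessage(a.Digest, a.SignedAt), a.Sig) {
		return errors.New("invalid signature")
	}
	return nil
}

func main() {
	t0 := time.Date(2021, 4, 6, 9, 0, 0, 0, time.UTC)
	w, err := NewWitness(t0, 10*time.Minute)
	if err != nil {
		panic(err)
	}
	upstream := []byte("constructed stand-in for an unsigned upstream tarball\n")
	att := w.Sign(upstream, t0.Add(time.Minute))
	fmt.Println("clean download:       ", VerifyDownload(upstream, att, w.Rec))
	fmt.Println("modified in transit:  ", VerifyDownload(append([]byte("x"), upstream...), att, w.Rec))
	fmt.Println("signed after expiry:  ", VerifyDownload(upstream, w.Sign(upstream, t0.Add(time.Hour)), w.Rec))
}
```

The digest comparison is the "reproducible downloads" part: it catches a mirror or a local network path handing you different bytes than the witness got. The window check is the short-lived-key part: once the witness has discarded a key, any later signature from a leaked copy of it carries a timestamp outside the window and is rejected, while the attestations made during the window stay valid.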

