Re: Revival of the signed debs discussion

To: debian-devel@lists.debian.org
Cc: wk@gnupg.org
Subject: Re: Revival of the signed debs discussion
From: Matthias Urlichs <smurf@smurf.noris.de>
Date: Wed, 3 Dec 2003 12:08:10 +0100
Message-id: <[🔎] 20031203110809.GA29957@play.smurf.noris.de>
In-reply-to: <[🔎] 20031203104109.GB30785@grep.be>
References: <[🔎] 8765h0mzk1.fsf@mrvn.homelinux.org> <[🔎] 1070384670.5053.14.camel@worldmusic.grep.be> <[🔎] 20031202184220.GA23655@khazad-dum.debian.net> <[🔎] pan.2003.12.02.21.16.29.11062@smurf.noris.de> <[🔎] 20031203104109.GB30785@grep.be>

Hi,

[ I'm Cc-ing Werner Koch on this ]

Wouter Verhelst:
> On Tue, Dec 02, 2003 at 10:16:32PM +0100, Matthias Urlichs wrote:
> > Hi, Henrique de Moraes Holschuh wrote:
> > 
> > > On Tue, 02 Dec 2003, Wouter Verhelst wrote:
> > >> So unless you have a suggestion that would solve this particular issue,
> > >> I'm afraid this idea won't work in practice.
> > > 
> > > We could verify if the gpg agent (gpa? I forget the name...) cannot do this
> > > over a secure channel. It should be able to, and if not, it can probably be
> > > taught to.
> > 
> > It's not that easy (basically you need to tunnel the actual
> > encryprion/signing function, not just the passphrase-getting).
> > See ssh-agent as an example.
> > 
> > The good thing is that people are already thinking about this.
> > 
> > http://lists.gnupg.org/pipermail/gnupg-users/2003-April/017920.html
> 
> Well, implemented as Werner suggests in that message would require me to
> send the actual .deb over the line. I won't do that,

... and it doesn't make sense, since ...

> As I understand it, an OpenPGP signature is an encrypted hash or
> something similar of the actual data. It would be feasible if the
> signature algorithm would allow for hashing the data on the remote
> machine, and signing that hash locally.
> 
... that would work. It'd probably require a few hooks within GPG
to generate a hash packet / .

> Then again, we could do such things right now. Wouldn't it be more
> interesting to gpg-sign md5sums of control.tar.gz and data.tar.gz?

That makes a lot of sense; you can then compare md5sums independently.
You can't directly compare detached signatures: they're timestamped and
contain random data, AFAIK.

Still, sending the to-be-signed file across the wire doesn't make sense.

> Especially in the case of larger .debs, that would probably reduce the
> actual signature size as well...

?? A hash is a hash, and should be independent of file size.

-- 
Matthias Urlichs   |   {M:U} IT Design @ m-u-it.de   |  smurf@smurf.noris.de
Disclaimer: The quote was selected randomly. Really. | http://smurf.noris.de
 - -
REAL PROGRAMMERS don't write in Pascal, Mesa, Ada or any of those other pinko
  computer science languages. Strong typing is for people with weak memories.

Reply to:

Follow-Ups:
- Re: Revival of the signed debs discussion
  - From: Wouter Verhelst <wouter@grep.be>
- Re: Revival of the signed debs discussion
  - From: Werner Koch <wk@gnupg.org>

References:
- Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Wouter Verhelst <wouter@grep.be>
- Re: Revival of the signed debs discussion
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: Revival of the signed debs discussion
  - From: Matthias Urlichs <smurf@smurf.noris.de>
- Re: Revival of the signed debs discussion
  - From: Wouter Verhelst <wouter@grep.be>

Prev by Date: Re: Backport of the integer overflow in the brk system call
Next by Date: Re: Backport of the integer overflow in the brk system call
Previous by thread: Re: Revival of the signed debs discussion
Next by thread: Re: Revival of the signed debs discussion
Index(es):
- Date
- Thread