[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: dpkg-sig support wanted?

On Sat, Nov 26, 2005 at 11:10:27PM -0600, Peter Samuelson wrote:
>   sha256sum () {
> (Implementation of -c left as an exercise, etc.)

Hrm, if we're writing our own thing, maybe we should do it properly:
have a single program that can do multiple hash algorithms, have the
default hash be secure, and update it in future, and so on.

gnupg comes close to being this, except for two things: it's got too
many dependencies, and it's command line arguments are overly complex. A
"gpgh" variant (like gpgv but for hashing) might work, though. It
doesn't support --check, and "gpg --print-md md5 /etc/motd" has a
different format to "md5sum /etc/motd" though.

Of course, if we're doing it "right", we probably want to have some way
of telling what hash was used, so we don't have to wonder whether a
given 160bit hash is sha1 or ripemd160 or something else that gets
cooked up in future. OpenBSD's cksum apparently does this, by having its
output be:

  MD5 (filename) = hash

That strikes me as pretty inconvenient, but cksum does do most of what we

OTOH, it would be far more convenient for *us* if it supported the
.changes style we use, ie:

    hash size filename

Then there are the encoding questions; both the one above (do we switch
from hexadeximal to something more compact for longer hashes?) and also
the question of what happens if there's a ")" or a "\n" in the filename
-- is it worth doing some sort of http-style % encoding that apt uses
in that case?

Something like this might work well:

  $ dsum -a sha1 foo; sha1sum foo
  f572d396fae9206628714fb2ce00f72e94f2258f  foo
  f572d396fae9206628714fb2ce00f72e94f2258f  foo

  $ dsum -d foo
   f572d396fae9206628714fb2ce00f72e94f2258f 6 foo

  $ dsum -b foo
  SHA1 (foo) = f572d396fae9206628714fb2ce00f72e94f2258f

  $ dsum -d foo | dsum --check; echo $?

  $ dsum -b foo | dsum --check; echo $?

Though what "dsum foo" should do is a trickier question (particularly
whether it's better to be compatible with current md5sum/sha1sum
output, or if "dsumA foo > foo.sum" and "dsumB --check < foo.sum" will
work if dsumA's default cypher is sha1 and dsumB's is ripemd160).

(Note that "dsum" would probably need to become Priority:required,
and possibly Essential:yes, with the complications that entails)


Attachment: signature.asc
Description: Digital signature

Reply to: