[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: dpkg-sig support wanted?

[Anthony Towns]
> gnupg comes close to being this, except for two things: it's got too
> many dependencies, and it's command line arguments are overly
> complex.  A "gpgh" variant (like gpgv but for hashing) might work,
> though. It doesn't support --check, and "gpg --print-md md5
> /etc/motd" has a different format to "md5sum /etc/motd" though.

I think it's important to support md5sum/sha1sum format, in cases where
md5 or sha1 are used, so people can conveniently use --check with their
existing binaries.  That might be just me, though.

> Of course, if we're doing it "right", we probably want to have some
> way of telling what hash was used, so we don't have to wonder whether
> a given 160bit hash is sha1 or ripemd160 or something else that gets
> cooked up in future.

For large files, getting a cryptographic checksum is more about reading
blocks off the disk than about CPU time.  So it wouldn't be completely
ridiculous to allow sha-1 to remain ambiguous with competing 160-bit
hashes, and have --check check for all of them (reading the file only

I still think two-byte prefixes for non-md5-non-sha1 hashes makes some
sense, like s- for sha-256.  Avoids the filename encoding issue you
mentioned later (unless we want to encode newlines).

> OTOH, it would be far more convenient for *us* if it supported the
> .changes style we use, ie:
>   MD5Sum:
>     hash size filename

This might be generally reasonable, but we do want our dsum tool to
work with arbitrary MD5SUMS style files.  And if such files require a
hash-type header, dsum will have to produce one, at least optionally.
I really like the default behavior of our existing md5sum outputting
just a single line per file, and nothing more.

>   $ dsum -a sha1 foo; sha1sum foo
>   f572d396fae9206628714fb2ce00f72e94f2258f  foo
>   f572d396fae9206628714fb2ce00f72e94f2258f  foo
>   $ dsum -d foo
>   SHA1Sum:
>    f572d396fae9206628714fb2ce00f72e94f2258f 6 foo
>   $ dsum -b foo
>   SHA1 (foo) = f572d396fae9206628714fb2ce00f72e94f2258f

What's the " 6 " above?  Surely not a hollerith-like string.  Other
than that, I like your proposed command line quite a lot.

> (Note that "dsum" would probably need to become Priority:required,
> and possibly Essential:yes, with the complications that entails)

Hmmm, promoting libgcrypt11 + libgpg-error0 to Required adds 516 kB on
i386, plus a trivial amount for dsum itself.  I wonder if it'd be
better to just copy / paste the algorithm code into dsum.

Attachment: signature.asc
Description: Digital signature

Reply to: