[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#540215: Introduce dh_checksums, clear-signed checksum

On Thu, 2010-03-11 at 00:37 +0000, The Fungi wrote:
> On Wed, Mar 10, 2010 at 11:22:00PM +0100, Frank Lin PIAT wrote:
> > I made some tests, and it seems that we could allow,but not require, GPG
> > signed checksum-file. sha256sum will ignore invalid lines by default
> > (unless you specify --warn option).
> > 
> > Similarly, the policy could state that GPG clear-signed shasum files are
> > allowed. Tools using shasum should still strip the signature, especially
> > when using the checksum for security purpose.
> 
> Is there any good reason not to use a detached signature in a
> separate file instead? I know that doubles the number of files, but
> it also reduces the raw size by around 47 bytes and simplifies
> parsing of the checksum files themselves.

My real first question was to know if that can be useful. Plus, not
every one uses gpg-agent, and they may not like to sign each package
twice.

Regarding clearsign-versus-detached, I have no strong preference myself.
clearsigned are nice because they are self-contained, but... see your
rational.


That being said...

Stripping signature:
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨
Stripping the gpg signature is not needed for sha256sum command line,
and it is "trivial", for bash/perl...
  sed -n -e '/^-----\(BEGIN PGP SIGNED MESSAGE\)-----/,/^-----[^\1]/s/^[[:xdigit:]]\{32,\}\s/\0/p' testfile.asc



On disk usage:
¨¨¨¨¨¨¨¨¨¨¨¨¨¨
> echo "" > testfile
> gpg -b testfile
> gpg --clearsign testfile

> ls -l testfile*
> -rw-r--r--. 1 fpiat fpiat   1 2010-03-11 09:55 testfile
> -rw-r--r--. 1 fpiat fpiat 886 2010-03-11 09:55 testfile.asc
> -rw-r--r--. 1 fpiat fpiat 543 2010-03-11 09:55 testfile.sig

but...

> du testfile*
> 4	testfile
> 4	testfile.asc
> 4	testfile.sig

The actual on disk usage is increased, up to one disk block

Tarfile usage
¨¨¨¨¨¨¨¨¨¨¨¨¨
> tar -zcvf detached.tar.gz testfile testfile.sig
> testfile
> testfile.sig

> tar -zcvf clearsign.tar.gz testfile.asc
> testfile.asc

> ls -l *.gz
> -rw-r--r--. 1 fpiat fpiat 815 2010-03-11 10:00 clearsign.tar.gz
> -rw-r--r--. 1 fpiat fpiat 759 2010-03-11 10:00 detached.tar.gz

The archive file is increased by 47, which is marginal, compared to the
increase in size of sha256 <> md5 hash size :-(
Reply to: