Re: Bug#540215: Introduce dh_checksums, clear-signed checksum
On Thu, 2010-03-11 at 00:37 +0000, The Fungi wrote:
> On Wed, Mar 10, 2010 at 11:22:00PM +0100, Frank Lin PIAT wrote:
> > I made some tests, and it seems that we could allow, but not require, a GPG
> > signed checksum file. sha256sum will ignore invalid lines by default
> > (unless you specify the --warn option).
> >
> > Similarly, the policy could state that GPG clear-signed shasum files are
> > allowed. Tools using shasum should still strip the signature, especially
> > when using the checksum for security purposes.
>
> Is there any good reason not to use a detached signature in a
> separate file instead? I know that doubles the number of files, but
> it also reduces the raw size by around 47 bytes and simplifies
> parsing of the checksum files themselves.
My real first question was to know if that can be useful. Plus, not
everyone uses gpg-agent, and they may not like to sign each package
twice.
Regarding clearsign-versus-detached, I have no strong preference myself.
Clearsigned files are nice because they are self-contained, but... see your
rationale.
That being said...
Stripping signature:
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨
Stripping the gpg signature is not needed for sha256sum command line,
and it is "trivial", for bash/perl...
sed -n -e '/^-----BEGIN PGP SIGNED MESSAGE-----$/,/^-----BEGIN PGP SIGNATURE-----$/{/^[[:xdigit:]]\{32,\}[[:space:]]/p;}' testfile.asc
On disk usage:
¨¨¨¨¨¨¨¨¨¨¨¨¨¨
> echo "" > testfile
> gpg -b testfile
> gpg --clearsign testfile
> ls -l testfile*
> -rw-r--r--. 1 fpiat fpiat 1 2010-03-11 09:55 testfile
> -rw-r--r--. 1 fpiat fpiat 886 2010-03-11 09:55 testfile.asc
> -rw-r--r--. 1 fpiat fpiat 543 2010-03-11 09:55 testfile.sig
but...
> du testfile*
> 4 testfile
> 4 testfile.asc
> 4 testfile.sig
The actual on-disk usage is increased by up to one disk block.
Tarfile usage
¨¨¨¨¨¨¨¨¨¨¨¨¨
> tar -zcvf detached.tar.gz testfile testfile.sig
> testfile
> testfile.sig
> tar -zcvf clearsign.tar.gz testfile.asc
> testfile.asc
> ls -l *.gz
> -rw-r--r--. 1 fpiat fpiat 815 2010-03-11 10:00 clearsign.tar.gz
> -rw-r--r--. 1 fpiat fpiat 759 2010-03-11 10:00 detached.tar.gz
The archive file is increased by 47 bytes, which is marginal compared to the
increase in hash size from md5 to sha256 :-(
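A parser that applies the "tools should still strip the signature" rule discussed above, written here as an added example and not code from the bug report: after gpg --verify has accepted a clear-signed checksum file, it keeps only the checksum lines that lie inside the signed region, undoes gpg's dash-escaping, and discards anything outside that region, because sha256sum -c on the raw .asc file would also honour a checksum line appended after the signature block. The file names, digests and armor body are constructed sample data.

```python
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
# sha256sum -c accepts "<64 hex>  <name>" (text) or "<64 hex> *<name>" (binary)
CHECKSUM_RE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def signed_region(text):
    """Lines of the clear-signed body with dash-escaping undone.  Anything
    before BEGIN_MSG or after BEGIN_SIG is not covered by the signature and
    is dropped.  Raises ValueError if the armor is malformed."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        end = lines.index(BEGIN_SIG, start)
    except ValueError:
        raise ValueError("not a clear-signed message")
    body = lines[start + 1:end]
    # armor headers such as "Hash: SHA256" end at the first blank line
    if "" not in body:
        raise ValueError("missing blank line after armor headers")
    body = body[body.index("") + 1:]
    return [l[2:] if l.startswith("- ") else l for l in body]

def parse_checksums(text):
    """Map file name -> lowercase sha256 hex digest, signed region only."""
    result = {}
    for line in signed_region(text):
        m = CHECKSUM_RE.match(line)
        if m:
            result[m.group(2)] = m.group(1).lower()
    return result

# Constructed sample: one checksum inside the signed region, a dash-escaped
# comment line, and a checksum line appended *after* the signature block.
GOOD = "a" * 64
FORGED = "b" * 64
SAMPLE = "\n".join([
    BEGIN_MSG,
    "Hash: SHA256",
    "",
    GOOD + "  usr/bin/foo",
    "- --- comment line, dash-escaped by gpg",
    BEGIN_SIG,
    "(signature data omitted in this constructed sample)",
    "-----END PGP SIGNATURE-----",
    FORGED + "  usr/bin/bar",   # sha256sum -c on the raw file would check this
]) + "\n"
```

Running parse_checksums(SAMPLE) yields only the usr/bin/foo entry; the appended usr/bin/bar line never reaches the checksum step.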