
Re: use signed git tags to verify upstream tarball



On 21/08/15 11:12, Thomas Koch wrote:
> Sometimes we are lucky and upstream uses signed git tags. That still does not 
> help us to verify the orig.tar.gz. It can however still be very useful.
> 

Hi Thomas,

In case you're interested, I've tried to reproduce a "git archive" style
tarball (for example, as generated by github) from a gpg-signed tag.

This should at least imply some kind of trust.


Basically do (assuming you have some WOT toward the signer's key)

(1) git clone

(2) git tag --verify v1.31

(3) git archive v1.31 --prefix="projectname-1.31/" --format=tar | gzip -n > projectname-1.31.tar.gz

The produced tarball will be exactly the same as the github-generated
tarball, so if you use this as .orig.tar.gz, embedding the checksum into
your signed debian-changes file, you can use github's mirror safely and
should not have to worry about man-in-the-middle attacks.

Since you now have a direct correlation between signed+verified tag and
(locally, on your trusted system, regenerated) orig.tar.gz from this
very tag, does this help?

- Danny
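The three steps above, as an added shell example that is not part of the original mail: it refuses to build the archive unless `git tag --verify` succeeds, regenerates the tarball with `gzip -n` (so the gzip header carries no timestamp or filename), and compares its sha256 with the copy fetched from the mirror. Repository path, tag, project name and version are placeholders.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumes a local clone whose
# signing key is already in your keyring with enough trust to verify.
set -eu

# Regenerate a "git archive" style tarball from a signed tag.
# Fails (non-zero) when the tag signature does not verify.
regen_tarball() {
    repo=$1; tag=$2; project=$3; version=$4; out=$5
    git -C "$repo" tag --verify "$tag" >/dev/null 2>&1 || {
        echo "tag $tag: signature did NOT verify, not building archive" >&2
        return 1
    }
    # gzip -n omits name and mtime from the header, making the output
    # byte-for-byte reproducible across runs.
    git -C "$repo" archive "$tag" --prefix="$project-$version/" --format=tar \
        | gzip -n > "$out"
}

# Return 0 when both files have the same sha256 digest.
same_sha256() {
    a=$(sha256sum "$1" | cut -d' ' -f1)
    b=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$a" = "$b" ]
}

# Full check: verify tag, regenerate, compare with the downloaded tarball.
# Usage: check_upstream_tarball REPO TAG PROJECT VERSION DOWNLOADED.tar.gz
check_upstream_tarball() {
    tmp=$(mktemp)
    regen_tarball "$1" "$2" "$3" "$4" "$tmp" || { rm -f "$tmp"; return 1; }
    if same_sha256 "$tmp" "$5"; then
        echo "OK: $5 matches archive of signed tag $2"
        rm -f "$tmp"; return 0
    fi
    echo "MISMATCH: $5 differs from archive of signed tag $2" >&2
    rm -f "$tmp"; return 2
}

# Run only when called with arguments, so the functions can be sourced.
[ "$#" -eq 5 ] && check_upstream_tarball "$@"
```

A mismatch is a reason to look closer rather than proof of tampering: the mirror's archive also depends on the repository's export-ignore/export-subst attributes and on the git version that produced it.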

