Re: list of upstream tarball signing schemes?

To: Simon Richter <sjr@debian.org>
Cc: debian-devel@lists.debian.org
Subject: Re: list of upstream tarball signing schemes?
From: Jeremy Stanley <fungi@yuggoth.org>
Date: Fri, 13 Dec 2019 15:47:18 +0000
Message-id: <[🔎] 20191213154717.5wi2anpsezmgz3vb@yuggoth.org>
In-reply-to: <[🔎] 20191213135414.GA6708@psi5.com>
References: <[🔎] 741687795.13865.1576230935028@office.mailbox.org> <[🔎] 20191213135414.GA6708@psi5.com>

On 2019-12-13 14:54:14 +0100 (+0100), Simon Richter wrote:
> On Fri, Dec 13, 2019 at 10:55:34AM +0100, Thomas Koch wrote:
> > nix-2.3.1.tar.xz.asc - which signs the .sha256
> > nix-2.3.1.tar.xz.sha256 - which contains the hash of the tarball
> > nix-2.3.1.tar.xz
> 
> I'd grumble about this in the general direction of upstream. The
> signature is generated over a hash of the input data in any case,
> so using a hash as the input data does not gain anything, you just
> lose automatic verification.

Not only that, but blindly composing cryptographic primitives can
weaken the resulting output (for example if, in a case like this,
the input hash were to be shorter than the signing system's internal
hash... granted their HMAC in question is likely already using
SHA2-256 as well, I haven't checked).
-- 
Jeremy Stanley

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: list of upstream tarball signing schemes?
  - From: thomas@koch.ro

References:
- list of upstream tarball signing schemes?
  - From: Thomas Koch <thomas@koch.ro>
- Re: list of upstream tarball signing schemes?
  - From: Simon Richter <sjr@debian.org>

Prev by Date: Re: Debian Daily build installation fails with choosing language..
Next by Date: Bug#946701: ITP: libsyntax-keyword-dynamically-perl -- module to dynamically change the value of a variable
Previous by thread: Re: list of upstream tarball signing schemes?
Next by thread: Re: list of upstream tarball signing schemes?
Index(es):
- Date
- Thread