On 09/19/2014 12:34 AM, Paul Wise wrote:
> On Fri, Sep 19, 2014 at 9:30 AM, Hans-Christoph Steiner wrote:
>
>> Finally did this:
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762153
>
> Please note that your proposal to add signatures to .deb files will
> break reproducible builds because the hash of the .deb will differ
> depending on who signed it:
>
> https://wiki.debian.org/ReproducibleBuilds
>
> I think it would be far better to ship detached signatures in the
> archive since that allows for reproducible builds and also means there
> could be more than one signer (say one buildd, one Debian sponsor and
> one package maintainer).

I agree with pabs on this.

fwiw, i'm also hoping that we can ship at least one other signature for
the upstream tarball (where such a thing exists):

  https://bugs.debian.org/759478

We also had a discussion in the reproducible-builds BoF at DC14 about how
to deal with signatures on .buildinfo files, and came to the same
conclusion: that a .buildinfo file should have detached signatures, to
allow for multiple (corroborative) signers:

  https://wiki.debian.org/ReproducibleBuilds#A.buildinfo_signatures

Note that a signature over a .buildinfo file should effectively cover the
digest of the built .deb files, which should create a strong
cryptographic chain if you trust the hash function.

Given that we would ultimately like one or more signed .buildinfo files
shipped in the archive, and that they represent a way to have a
builder's signature over a .deb, i think these make the idea of an
internally-signed .deb redundant.

Thanks to everyone who is thinking about and working on improving the
cryptographic integrity of the archive!

--dkg
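As an added example (not dkg's code and not Debian's tooling), this models the chain the mail describes, detached signatures -> .buildinfo -> Checksums-Sha256 -> .deb bytes, and only accepts a package when a quorum of distinct signers corroborates the .buildinfo. The signer names, keys, fake .deb and the HMAC stand-in for OpenPGP detached signatures are all assumptions constructed for the demo.

```python
import hashlib
import hmac
from typing import Callable, Dict, Tuple

# Signer identities and keys are constructed for this demo; HMAC stands in
# for the OpenPGP detached signatures the mail talks about.
SIGNER_KEYS = {"buildd": b"key-1", "sponsor": b"key-2", "maintainer": b"key-3"}


def demo_verify(signer: str, data: bytes, sig: bytes) -> bool:
    """Stand-in for checking one signer's detached signature over the file."""
    key = SIGNER_KEYS.get(signer)
    expected = hmac.new(key, data, "sha256").digest() if key else b""
    return bool(key) and hmac.compare_digest(expected, sig)


def parse_checksums_sha256(buildinfo: str) -> Dict[str, Tuple[str, int]]:
    """Return {filename: (sha256 hex, size)} from the Checksums-Sha256 field."""
    entries, in_field = {}, False
    for line in buildinfo.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line.startswith(" "):  # continuation lines are indented
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
        elif in_field:
            break  # next field reached: the multi-line value has ended
    return entries


def verify_chain(buildinfo: bytes, signatures: Dict[str, bytes],
                 verify_sig: Callable[[str, bytes, bytes], bool],
                 debs: Dict[str, bytes], min_signers: int = 2) -> bool:
    """Accept only if at least min_signers distinct signers vouch for the
    .buildinfo and every built .deb matches the size and SHA-256 it lists."""
    good = {who for who, sig in signatures.items() if verify_sig(who, buildinfo, sig)}
    if len(good) < min_signers:
        return False
    listed = parse_checksums_sha256(buildinfo.decode())
    for name, blob in debs.items():
        digest, size = listed.get(name, ("", -1))
        if len(blob) != size or hashlib.sha256(blob).hexdigest() != digest:
            return False
    return bool(listed)


def build_demo():
    """Constructed build output: a fake .deb, its .buildinfo, three signatures."""
    deb = b"!<arch>\nconstructed, not a real .deb\n"
    buildinfo = ("Format: 1.0\nSource: example\nChecksums-Sha256:\n"
                 f" {hashlib.sha256(deb).hexdigest()} {len(deb)} example_1.0-1_amd64.deb\n"
                 "Build-Architecture: amd64\n").encode()
    sigs = {w: hmac.new(k, buildinfo, "sha256").digest() for w, k in SIGNER_KEYS.items()}
    return buildinfo, sigs, {"example_1.0-1_amd64.deb": deb}
```

A single signer, an unknown signer, or a .deb whose bytes no longer match the listed digest all cause `verify_chain` to reject.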