On 02/23/2016 04:49 PM, Nicolas George wrote: > Le quintidi 5 ventôse, an CCXXIV, Thomas Schmitt a écrit : >> If the SHA512SUMS.sign > > Stop right there. Signing a bunch of hashes is a beginner's mistake, I have > already emphasized that in this thread. You have _emphasized_ it, but you haven't _explained_ it, nor provided any search term one could use to look up an explanation for it. > It is rather sad that Debian made that mistake. Why is what Debian does a mistake? Debian stores both the hash value and the file size in the Packages, Sources and Release files. (Packages references e.g. the .deb packages, Release references the "Packages" file and Release itself is signed.) Assuming that there's no feasible preimage attack against the hash function, and the file containing the hashes + sizes is signed via GnuPG, how is that problematic, as long as you check everything along the way? Also note that the Tor project (and I believe they do know something about security) uses hash lists for reproducibility: https://www.torproject.org/docs/verifying-signatures.html.en (To be fair, they also sign each file individually, but the instructions to verify builds w.r.t. reproducibility specifically talk about hash lists.) Also, note: http://crypto.stackexchange.com/questions/24224/signing-files-vs-signing-file-hashes The person writing the top answer to that question has his own blog about cryptography: https://www.chosenplaintext.ca/ Since what you are talking about is apparently non-obvious to people who do crypto for a living, your characterization of _beginner's_ mistake is definitely wrong. If it's a mistake, it's apparently a highly non-trivial one. Therefore, could you please provide some reasoning for your claim that what Debian does is a mistake? Regards, Christian
Attachment:
signature.asc
Description: OpenPGP digital signature