to Richard 'Richard42' Goedeken, Jon 'wahrhaft' Ring, Marianne 'Auria' Gagnon, Milan Nikolic, mupen...@googlegroups.com
Hi,
Would it be possible to get signatures for the (future?) source tarballs (I am
personally mostly interested in the modular source tarballs)? The idea is to
allow distributions to check the integrity and authenticity of tarballs.
In the past numerous file distribution servers were attacked [1,2,3,4,5,6] and
the attacker replaced a release tarball/zip with a modified version
including a backdoor. Usually the distributions use some kind of signatures to
avoid such an attack against their own infrastructure but this doesn't include
the initial retrieval of the source code from upstream (usually done through
the tarballs).
In the near future Debian/Ubuntu/... will get support [7] in uscan to check a
tarball+.asc signature automatically against a predefined set of public keys
stored in the .debian.tar.gz. It also looks like some people in Arch Linux are
interested in this problem [8].
Upstream would have to provide a detached, armored signature next to the
tarball. Many people are already distributing something like this but not
everybody.
Of course, this doesn't help against replay attacks (attacker replaces a new
version tarball and the signature with an older version which includes a
security hole). But this can usually be detected by the packager when checking
the upstream changelog and version number.
I have no idea what opinion each maintainer has about GnuPG/PGP but asking
doesn't hurt anyone and it seemed to be a good time because the big 2.0
release is knocking on the door.
And just for anyone thinking about creating a GPG signature key [9]: Please
keep in mind that a weak signature algorithm doesn't help anyone.
to mupen...@googlegroups.com
I'm willing to sign the source module archives. Do I need to post or send my
public key somewhere?
Richard
Sven Eckelmann
Jun 8, 2013, 2:22:55 AM
to mupen...@googlegroups.com, Richard Goedeken
On Friday 07 June 2013 21:47:26 Richard Goedeken wrote:
> I'm willing to sign the source module archives. Do I need to post or send
> my public key somewhere?
To make checking possible for the public, it would need to be publicly
available. This is usually done through a keyserver (see the last step in the
Debian example [1]). Not doing it is mostly useless because you have to upload
the key somewhere and somebody can just download it from there and upload it
to a keyserver (even by accident).
It would be nice if you post the fingerprint of the key here so I can
include it in the Debian package. I will not sign it with my key because I
couldn't check your identity in person using a document which I accept. But I
will do the recommended checks by OpenSUSE before including it in the package.
The identity check is not needed for the package because the package will only
need to check whether the same key always signs the releases (and cross the
fingers that his private key wasn't publicly available or otherwise compromised).
to mupen...@googlegroups.com, Jon 'wahrhaft' Ring, Marianne 'Auria' Gagnon, Milan Nikolic
Hi wahrhaft, Auria, gen2brain,
On Friday 07 June 2013 18:54:12 Sven Eckelmann wrote:
> Would it be possible to get signatures for the (future?) source tarballs (I
> am personally mostly interested in the modular source tarballs)? The idea
> is to allow distributions to check the integrity and authenticity of
> tarballs.
[....]
any reactions/questions/answers/... from the other maintainers?
to mupen...@googlegroups.com
Hi,
I can sign but something remains unclear to me, probably because I'm
not familiar with the packaging process : do you have a key server, or
you're just collecting the public keys?
-- Auria
Sven Eckelmann
Jun 23, 2013, 5:15:18 PM
to mupen...@googlegroups.com, mmg
On Sunday 23 June 2013 17:00:26 mmg wrote:
> Hi,
>
> I can sign but something remains unclear to me, probably because I'm
> not familiar with the packaging process : do you have a key server, or
> you're just collecting the public keys?
The packagers will "collect" (retrieved for example through a keyserver) the
public keys and store them in a keyring associated with the package. Just
comparing a signature with public keys from a keyserver doesn't help much
because an attacker could just sign a tarball with a faked/own key and replace
the old signature.
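The difference between checking against a keyring pinned in the package and checking against whatever key matches the signature, as an added example that is not part of the thread or the project's tooling. It uses throwaway keys; the function names, file names and user ID are constructed for the demo.

```sh
#!/bin/sh
# Constructed demo with throwaway keys; all names and addresses are placeholders.

# verify_pinned KEYRING SIG FILE: succeed only if SIG was made by a key in KEYRING.
# gpgv trusts exactly the keys in the given keyring and never contacts a keyserver.
verify_pinned() {
    gpgv --keyring "$1" "$2" "$3" >/dev/null 2>&1
}

# make_key HOMEDIR: create an unprotected, sign-only throwaway key.
# Both parties use the same user ID: a name on a key proves nothing by itself.
make_key() {
    mkdir -p "$1" && chmod 700 "$1" &&
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Upstream Dev (constructed) <dev@example.org>' \
        ed25519 sign never 2>/dev/null
}

# sign HOMEDIR FILE: write the detached, armored signature FILE.asc.
sign() {
    gpg --homedir "$1" --batch --quiet --yes --armor --detach-sign \
        --output "$2.asc" "$2" 2>/dev/null
}

# demo: print one verdict per scenario on a single line.
demo() {
    w=$(mktemp -d) || return 2
    make_key "$w/upstream" && make_key "$w/attacker" || return 2
    # The packager exports the upstream key once and ships it with the package.
    gpg --homedir "$w/upstream" --export > "$w/pinned.gpg"
    # What a "fetch the key that made this signature" lookup would hand back.
    gpg --homedir "$w/attacker" --export > "$w/fetched.gpg"

    echo 'release 2.0' > "$w/good.tar"; sign "$w/upstream" "$w/good.tar"
    echo 'release 2.0 + backdoor' > "$w/evil.tar"; sign "$w/attacker" "$w/evil.tar"

    verify_pinned "$w/pinned.gpg" "$w/good.tar.asc" "$w/good.tar" && a=ok || a=rejected
    verify_pinned "$w/pinned.gpg" "$w/evil.tar.asc" "$w/evil.tar" && b=ok || b=rejected
    verify_pinned "$w/fetched.gpg" "$w/evil.tar.asc" "$w/evil.tar" && c=ok || c=rejected
    for h in upstream attacker; do
        gpgconf --homedir "$w/$h" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$w"
    echo "genuine_vs_pinned=$a swapped_vs_pinned=$b swapped_vs_fetched_key=$c"
}

if [ "${1:-}" = "--run" ]; then demo; fi
```

Run it with `--run` to print the three verdicts; only the pinned keyring rejects the replaced tarball and signature.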
to mupen...@googlegroups.com
Sven,
I have uploaded a source tarball for each of the released Mupen64Plus v2.0
modules into its Bitbucket repo's downloads page. I have also uploaded the
signature for each module to the same place. The fingerprint for my key is: