build: distribute signed sha256sums

Distribute clearsigned sha256sum file in addition to the detached
signature.

Verifies that use the sha256sum ensure that the thing signed includes
the name of the tarball. This defends the verifier by default against
a freeze, rollback, or project substitution attack.

A verifier can use something like the following (as expressed in
bash):

      set -o pipefail
      wget https://notmuchmail.org/releases/notmuch-$VERSION.tar.gz{,.sha256.asc}
      gpgv --keyring ./notmuch-signers.pgp --output - notmuch-$VERSION.tar.gz.sha256.asc | sha256sum -c -

See id:87r2b8w956.fsf@fifthhorseman.net and other messages in that
thread for discussion.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
This commit is contained in:
Daniel Kahn Gillmor 2019-03-23 13:35:43 +01:00 committed by David Bremner
parent cc8d837d5a
commit 01f9c71312
2 changed files with 2 additions and 2 deletions

View file

@ -43,7 +43,7 @@ RELEASE_URL=https://notmuchmail.org/releases
TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
SHA256_FILE=$(TAR_FILE).sha256
SHA256_FILE=$(TAR_FILE).sha256.asc
GPG_FILE=$(TAR_FILE).asc
PV_FILE=bindings/python/notmuch/version.py

View file

@ -40,7 +40,7 @@ $(TAR_FILE):
@echo "Source is ready for release in $(TAR_FILE)"
$(SHA256_FILE): $(TAR_FILE)
sha256sum $^ > $@
sha256sum $^ | gpg --clear-sign --output $@ -
$(GPG_FILE): $(TAR_FILE)
gpg --armor --detach-sign $^