build: distribute signed sha256sums

Distribute clearsigned sha256sum file in addition to the detached signature. Verifies that use the sha256sum ensure that the thing signed includes the name of the tarball. This defends the verifier by default against a freeze, rollback, or project substitution attack. A verifier can use something like the following (as expressed in bash): set -o pipefail wget https://notmuchmail.org/releases/notmuch-$VERSION.tar.gz{,.sha256.asc} gpgv --keyring ./notmuch-signers.pgp --output - notmuch-$VERSION.tar.gz.sha256.asc | sha256sum -c - See id:87r2b8w956.fsf@fifthhorseman.net and other messages in that thread for discussion. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2024-11-22 02:48:08 +01:00 · 2019-03-23 13:35:43 +01:00 · 2019-03-23 13:35:43 +01:00 · 01f9c71312
commit 01f9c71312
parent cc8d837d5a
2 changed files with 2 additions and 2 deletions
--- a/Makefile.global
+++ b/Makefile.global
@ -43,7 +43,7 @@ RELEASE_URL=https://notmuchmail.org/releases
 TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
 ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
 DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
-SHA256_FILE=$(TAR_FILE).sha256
+SHA256_FILE=$(TAR_FILE).sha256.asc
 GPG_FILE=$(TAR_FILE).asc
 PV_FILE=bindings/python/notmuch/version.py
--- a/Makefile.local
+++ b/Makefile.local
@ -40,7 +40,7 @@ $(TAR_FILE):
 	@echo "Source is ready for release in $(TAR_FILE)"
 $(SHA256_FILE): $(TAR_FILE)
-	sha256sum $^ > $@
+	sha256sum $^ | gpg --clear-sign --output $@ -
 $(GPG_FILE): $(TAR_FILE)
 	gpg --armor --detach-sign $^