Bug#731725: uscan: Please allow to verify uncompressed tarball signature

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Dec 9 03:58:15 UTC 2013


On 12/08/2013 10:16 PM, David Prévot wrote:
> Since it is easier to find/produce collisions with compressed files,
> some projects do a checksum on the tar file and not on the compressed
> file, see:
> 
> http://cryptography.hyperlink.cz/2004/otherformats.html

This note is about bad properties of compressed files in relation to the
use of known-weak cryptographic digests.  The bad thing is the
known-weak cryptographic digest.

If some upstream's signatures are being made over an MD5 digest, they
need to be fixed.  We should be relying on signatures made over strong
digests.

There are lots of ways to stuff unaccountable blobs into uncompressed
tarballs (up to and including inserting an archive file into an
unnoticed directory in the archive itself, or a jpeg in the docs
directory with a plausibly-sized but high-entropy chunk of exif data).

> It would be nice to allow uscan to check the uncompressed tarball
> instead of the compressed one.

yes, i agree with that.

how about adding another option to uscan: pgpsigarchivefilter, which
represents a command through which the archive will be filtered before
the signature is checked.

So, for example, something like:

opts="pgpsigarchivefilter=gzip -d,pgpsigurlmangle=s/tgz$/asc/"

then we could adjust the verification check to invoke gpg as (shell
script here, plz convert to perl for it to actually work :P):

 <$tarball $filter | gpgv $sigfile -

> Bonus question: for CMocka, the directory also changes (see the s/34/33/
> below) for each file, independently of the version:
> 
> https://open.cryptomilk.org/attachments/download/33/cmocka-0.3.2.tar.asc
> https://open.cryptomilk.org/attachments/download/34/cmocka-0.3.2.tar.xz
>
> Do you have an idea of a pgpsigurlmangle rule that would allow one to
> download the accurate signature file?

ugh, no i don't.  any thoughts on a better way to match?  maybe a
different option that would scan the download page for filenames
that match the version number somehow instead, and then fetch the full
thing, regardless of path?

Wish i had better ideas,

	--dkg
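An added sketch (not uscan's code, not from either poster) of the pgpsigarchivefilter step proposed above: the filter command is run over the downloaded archive and the signature checker only ever sees the uncompressed tar, so a signature made over the tar stays valid however upstream (re)compressed it. Paths, the sample tar and the use of cmp as a stand-in for gpgv are assumptions made for this example.

```python
import gzip
import io
import shlex
import subprocess
import tarfile
import tempfile
from pathlib import Path


def verify_filtered(tarball, sigfile, filter_cmd, verifier=("gpgv",)):
    """Run  <$tarball $filter | $verifier $sigfile -  and return True only
    when both the filter and the verifier exit 0.  filter_cmd is the
    proposed option value, e.g. "gzip -d"; verifier defaults to gpgv."""
    with open(tarball, "rb") as archive:
        filt = subprocess.Popen(shlex.split(filter_cmd),
                                stdin=archive, stdout=subprocess.PIPE)
        check = subprocess.run([*verifier, str(sigfile), "-"],
                               stdin=filt.stdout, capture_output=True)
        filt.stdout.close()
        filt.wait()
    return filt.returncode == 0 and check.returncode == 0

def make_tar(member_name, payload):
    """Build a small constructed uncompressed tar in memory (sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(member_name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def demo():
    """Same tar gzipped at two levels: both must verify against one
    reference, a tampered archive must not.  'cmp' stands in for gpgv:
    it gets the expected tar where gpgv would get the .asc, '-' = stdin."""
    tar_bytes = make_tar("cmocka-0.3.2/README", b"constructed sample\n")
    results = {}
    with tempfile.TemporaryDirectory() as d:
        reference = Path(d) / "cmocka-0.3.2.tar"
        reference.write_bytes(tar_bytes)
        for level in (1, 9):
            tgz = Path(d) / f"level{level}.tgz"
            tgz.write_bytes(gzip.compress(tar_bytes, compresslevel=level))
            results[level] = verify_filtered(tgz, reference, "gzip -d", ("cmp",))
        bad = Path(d) / "tampered.tgz"
        bad.write_bytes(gzip.compress(tar_bytes.replace(b"sample", b"SAMPLE")))
        results["tampered"] = verify_filtered(bad, reference, "gzip -d", ("cmp",))
    return results
```

With a real upstream you would pass the downloaded .tgz, the fetched .asc and leave the default gpgv verifier in place.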
