Bug#871806: uscan: (dpkg, git-buildpackage) accept/mangle/store signed git tags in cases where upstream does not publish detached sigs on tarballs

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Aug 11 18:15:28 UTC 2017 

Package: devscripts
Priority: wishlist
Control: affects -1 + dpkg git-buildpackage pristine-tar
X-Debbugs-Cc: dpkg at packages.debian.org, git-buildpackage at packages.debian.org, pristine-tar at packages.debian.org

Hi devscripts, dpkg, git-buildpackage, pristine-tar folks--

It's awesome to see the progress made on tracking upstream cryptographic
signatures via uscan and dpkg in debian.  This provides a dataset for
cryptographic provenance that can be useful for auditing.

We're handling detached OpenPGP signatures for tarballs at the moment,
but not all upstreams provide this particular form of cryptographic
assurance.

Some upstreams do provide cryptographic signatures, but only in git
tags.

I'm not sure exactly how to do this, but what i'd like to see is a way
for us to record and make use of signed git tags in the same way.

I'm opening this bug report in the hopes of starting discussion about
how to best do it.

The text below assumes the following:

 * upstream maintains their sources in a git repository.

 * upstream either doesn't produce tarballs at all, or they produce
   tarballs from their git repository using something like "git
   archive".  For the sake of the argument here, let's assume that they
   don't produce tarballs at all.

 * upstream does indicate releases in the form of OpenPGP-signed git
   tags.

 * The releases offered by upstream correspond to the "upstream
   versions" that are uploaded into debian.



Here's an extremely rough and inefficient approach (which i haven't
implemented, as this is in brainstorming phase).  I've probably even got
some of the terminology wrong, or the dataflows backward:

 * we document how we generate a debian "upstream tarball" from a git
   tag.  for example, we put this in debian/upstream/vcs-gen-tarball:

    git archive --format=tar --prefix=${projname}-${version} ${tagname} | gzip -9n

 * make a shallow clone of the git archive at the tag, including the
   tag. (i've confirmed that a signed git tag in a shallow repo does
   validate correctly).

     git clone --bare --depth 1 -b ${tagname} \
            file://path/to/upstream/${projname}.git ${projname}-${version}.git


 * create an archive of the shallow clone, combined with the command to
   generate the tarball (we can call this a "gtsig")

     rm -rf ${projname}-${version}.git/hooks
     cp debian/upstream/vcs-gen-tarball ./${projname}-${version}.git
     tar cz ./${projname}-${version}.git > ./${projname}-${version}.gtsig

 * write a simple tool to verify an orig.tar.gz against a signing key
   and a gtsig, by extracting the "shallow clone" of the git repository,
   verifying git tag -v, using git-archive, and then comparing the
   results.


Some of the outstanding concerns:

 * what if there is non-DFSG-free data in the upstream git repo?  We
   want to make sure we avoid shipping it to our mirrors.  that's why i
   was leaning toward the "shallow clone", but if there are other
   techniques, i'd be curious to hear them.

 * the .gtsig will be quite large -- roughly the same size as the
   orig.tar.gz.  Is it possible to make it smaller by just storing the
   "delta" needed to recreate the shallow clone from the orig.tar.gz?
   Or is it possible (though dirty) to ship the .gtsig itself as the
   orig.tar.gz?  that smells like trouble, because you couldn't
   reconstruct the sources without having git available.

 * the .gtsig itself will show "verified" but it could contain some data
   that isn't actually covered by the tag.  Upon verification, how do we
   make sure it's clean?  (i note that OpenPGP signature files also have
   covert channels where they can carry unsigned material, so this might
   not be introducing a new bug in general).

 * is "git archive" guaranteed to produce deterministic output?

What do folks think?  I'm sure i'm not the first person to think about
this, but i don't know whether there is any existing work done on it
either.  Pointers, thoughts, discussion welcome.

        --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/devscripts-devel/attachments/20170811/fabc2bd4/attachment.sig>

More information about the devscripts-devel mailing list