
Universal signing of source code and source packages

Universal signing of source code and source packages

Posted Sep 15, 2008 12:06 UTC (Mon) by epa (subscriber, #39769)
Parent article: Adding a signing key to RPM

How long will it be until it becomes de rigueur to check signatures on all source code before building it? It's still very common to download a tarball with no signature and blithely type 'make'. But with version control systems such as git and hg that compute a secure hash of all content, you won't be downloading foo-1.5.2.tar.gz but instead revision 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03.

Even when linking to a source tarball you can use the convention of putting a checksum in the #thingy part of the URI, as foo-1.5.2.tar.gz#sha256=71573b922a87abc3fd1a957f2cfa09d9e16998567dd878a85e12166112751806. It would be a good idea for all user-agents like Firefox and wget to check this, and have an option to add the #sha256= gunk to the URI automatically when you copy and paste it.

A collaborative checksum system, where 'make' automatically uploads checksums to a central server saying 'I built source with checksum abc into an object file with checksum xyz' might also catch potential trojaning, or at least spot build errors. (If the source package is designed for Fooboo Linux 5.5, then building it on that system should generate an exact binary package, and it would be interesting to see in what cases it does not.)


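The `#sha256=` convention the parent comment proposes is simple enough to implement in a few lines on the client side. The following is an added example, not code from the thread or from any of the tools mentioned in it: it parses the digest fragment out of a URL, recomputes the digest over the bytes actually received, and compares in constant time. The URL, tarball bytes and the `tag_url` helper (the "add the gunk when you copy and paste it" idea) are constructed for illustration.

```python
"""Verify a downloaded artifact against a '#<alg>=<hex>' URI fragment.

Added example, not from the LWN thread. A URL such as
'foo-1.5.2.tar.gz#sha256=71573b92...' carries the expected digest in its
fragment; the fragment never reaches the server, so it survives mirrors and
redirects and is checked purely by the client.
"""
import hashlib
import hmac
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Digest algorithms a client should accept (hashlib names); MD5/SHA-1 are
# deliberately excluded since a collision would defeat the check.
SUPPORTED = {"sha256", "sha384", "sha512"}


def parse_digest_fragment(url: str) -> Optional[Tuple[str, str]]:
    """Return (algorithm, lowercase hex digest) from the URL fragment, or None
    when the URL carries no fragment at all.

    A fragment that is present but unusable (unknown algorithm, wrong length,
    non-hex characters) raises ValueError so a client cannot silently skip
    the check and treat the download as verified.
    """
    fragment = urlsplit(url).fragment
    if not fragment:
        return None
    alg, sep, hexdigest = fragment.partition("=")
    if not sep:
        raise ValueError("fragment is not of the form <alg>=<hex>")
    alg = alg.lower()
    if alg not in SUPPORTED:
        raise ValueError(f"unsupported digest algorithm: {alg}")
    expected_len = hashlib.new(alg).digest_size * 2
    if len(hexdigest) != expected_len:
        raise ValueError(f"{alg} digest must be {expected_len} hex chars")
    try:
        bytes.fromhex(hexdigest)
    except ValueError:
        raise ValueError("digest is not hexadecimal") from None
    return alg, hexdigest.lower()


def verify_download(url: str, data: bytes) -> bool:
    """True only if the URL carries a digest fragment and data matches it.

    A URL without a fragment yields False: 'nothing to check' is reported as
    unverified rather than as a pass.
    """
    parsed = parse_digest_fragment(url)
    if parsed is None:
        return False
    alg, expected = parsed
    actual = hashlib.new(alg, data).hexdigest()
    # Constant-time comparison; both strings are ASCII hex of equal length.
    return hmac.compare_digest(actual, expected)


def tag_url(url: str, data: bytes, alg: str = "sha256") -> str:
    """Append '#<alg>=<hex>' for data to url, replacing any existing fragment.

    Hypothetical helper standing in for the user-agent feature epa suggests.
    """
    if alg not in SUPPORTED:
        raise ValueError(f"unsupported digest algorithm: {alg}")
    base = url.split("#", 1)[0]
    return f"{base}#{alg}={hashlib.new(alg, data).hexdigest()}"


if __name__ == "__main__":
    # Constructed sample: a stand-in for a release tarball and the URL a
    # project page would publish for it.
    tarball = b"constructed tarball bytes, not a real foo-1.5.2 release\n"
    url = tag_url("https://example.invalid/foo-1.5.2.tar.gz", tarball)
    print(url)
    print("intact  :", verify_download(url, tarball))
    print("altered :", verify_download(url, tarball + b"\x00"))
    print("untagged:", verify_download("https://example.invalid/foo-1.5.2.tar.gz", tarball))
```

Two design points worth noting: the check refuses to pass a download whose URL has no fragment, so an attacker who strips the fragment from a link gains nothing but an "unverified" result, and a malformed fragment is an error rather than a skip, for the same reason.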

Universal signing of source code and source packages

Posted Sep 15, 2008 12:33 UTC (Mon) by AndyBurns (guest, #27521)

I doubt building the same package, on the same machine twice would generate the exact same binary (timestamps would be included from __TIME__ macros) let alone building by different compilers/linkers, with different libraries installed.

Universal signing of source code and source packages

Posted Sep 15, 2008 16:55 UTC (Mon) by jreiser (subscriber, #11027)

> building the same package ... different compilers/linkers ... libraries

In the late 1980's Apollo Computer had DSEE (Domain Software Engineering Environment) which tracked not only source code but also tools and build scripts. DSEE did guarantee bit-identical outputs because it tracked and could re-generate everything that affected a build. An executable file had exactly one timestamp, in a designated field of the header. (There was no __TIME__.)
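The exchange above, and the parent comment's "collaborative checksum" proposal, amount to the same check: collect (source digest, output digest) pairs from several builders and look for sources whose outputs disagree, then find out where in the artifact they disagree. The following is an added example, not code from the thread or from DSEE or any real build service: a small in-memory ledger that flags divergent sources, plus a byte-range diff that locates the kind of embedded timestamp a `__TIME__` macro leaves behind. Builder names, source and output bytes are all constructed.

```python
"""Spot divergent builds of one source from a shared checksum ledger.

Added example, not from the LWN thread. Each builder reports
(builder id, source sha256, output sha256). A source for which two builders
report different outputs is either non-reproducible (timestamps, differing
toolchains) or has been altered on one side; locating the differing byte
ranges tells the two cases apart.
"""
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class BuildReport(NamedTuple):
    builder: str
    source_sha256: str
    output_sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def report_build(builder: str, source: bytes, output: bytes) -> BuildReport:
    """What a 'make' hook would upload: digests only, never the bytes."""
    return BuildReport(builder, sha256_hex(source), sha256_hex(output))


def divergent_sources(reports: Iterable[BuildReport]) -> Dict[str, Dict[str, List[str]]]:
    """Return {source digest: {output digest: [builders]}} restricted to
    sources for which more than one distinct output digest was reported."""
    by_source: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for r in reports:
        by_source[r.source_sha256][r.output_sha256].append(r.builder)
    return {src: dict(outs) for src, outs in by_source.items() if len(outs) > 1}


def differing_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Half-open byte ranges [start, end) where a and b differ; a length
    mismatch is reported as one trailing range."""
    ranges: List[Tuple[int, int]] = []
    n = min(len(a), len(b))
    i = 0
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        j = i
        while j < n and a[j] != b[j]:
            j += 1
        ranges.append((i, j))
        i = j
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


if __name__ == "__main__":
    # Constructed artifacts: the same source built on three hosts. Hosts A
    # and B produce identical output; host C's output embeds a build time,
    # as a __TIME__ macro would.
    source = b"int main(void) { return 0; }\n"
    out_ab = b"ELF-stand-in built 12:06:33 flags=-O2"
    out_c = b"ELF-stand-in built 12:07:01 flags=-O2"
    ledger = [
        report_build("host-A", source, out_ab),
        report_build("host-B", source, out_ab),
        report_build("host-C", source, out_c),
    ]
    for src, outs in divergent_sources(ledger).items():
        print("source", src[:12], "has", len(outs), "distinct outputs:")
        for out, builders in outs.items():
            print("   ", out[:12], "from", ", ".join(builders))
    # Locate the disagreement: the ranges cover only the timestamp digits.
    for start, end in differing_ranges(out_ab, out_c):
        print(f"bytes {start}-{end}: {out_ab[start:end]!r} vs {out_c[start:end]!r}")
```

The ledger deliberately stores digests rather than artifacts, so a central collector learns nothing about proprietary sources; the byte-range diff is run locally by whoever holds both outputs. In the sample, the only differing ranges fall inside the embedded time string, which is the signature of a non-deterministic build rather than a tampered one; a differing range in code or data sections would warrant a closer look.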

Universal signing of source code and source packages

Posted Sep 15, 2008 21:40 UTC (Mon) by Nelson (subscriber, #21712)

Probably once people stop responding to spam, start encrypting email, stop falling for phishing scams, etc.

Truth be told, I check all the signatures I can, maybe 20% of the time; it's a hassle to even find a public key. Then once you get a couple thousand keys into GPG, it starts to slow down a bit on some operations. If you have it programmed to try and automatically fetch keys from a key server, sometimes it just hangs out and chills for a while as it tries to rectify things as it pulls a new key in.

This seems like an ideal problem for Google or someone to contribute to the solution of. It'd be nice to associate a PGP/GPG key with an OpenID, and it'd be nice if Gmail could maybe somehow indicate to other Gmail users that we'd like encrypted mail if possible. Someone big needs to step in and give this kind of technology the push it needs.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds