[cairo-bugs] [Bug 99248] New: Misuse of PGP signatures
bugzilla-daemon at freedesktop.org
Mon Jan 2 13:48:05 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=99248
Bug ID: 99248
Summary: Misuse of PGP signatures
Product: cairo
Version: unspecified
Hardware: All
URL: https://www.cairographics.org/releases/
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: general
Assignee: chris at chris-wilson.co.uk
Reporter: felix.von.s at posteo.de
QA Contact: cairo-bugs at cairographics.org
There are a few issues with the .asc files available in
<https://www.cairographics.org/releases/>.
The smaller issue is that they are full signed files, not detached signatures
(as is the usual practice). This may sometimes create problems: for example,
makepkg from Arch treats all files with .asc and .sig extensions as detached
signatures and verifies them automatically. Extracting full signed files is not
supported; thus, makepkg can't make use of these files.
The bigger issue is that the signatures they contain are of the SHA-1 sums of
packages, not of the packages themselves. SHA-1 is not considered a strong hash
function nowadays; moreover, a PGP signature is already basically an encrypted
hash, so this practice creates an unnecessary layer of indirection and weakens
security guarantees of PGP signing.
In future releases, please create detached signatures of the packages
themselves. I figure you'd also want the current latest release to be signed in
this way.
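The difference the report describes, as an added example that is not part of the bug report or the cairo project: a throwaway key in a temporary GNUPGHOME signs a constructed package both ways, the package is then modified, and each verification path is re-run. Assumed names are the package file `pkg.tar.xz` and the key `demo@example.invalid`; it needs gpg 2.1+ and sha1sum.

```shell
#!/bin/sh
# Added example, not code from the bug report. Compares a detached signature
# over the package with a clearsigned sha1sum list, before and after the
# package is altered. Assumed names: pkg.tar.xz, demo@example.invalid.
set -eu

g() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

setup_demo() {                   # fresh keyring plus a constructed "tarball"
  DEMO=$(mktemp -d); export GNUPGHOME="$DEMO/gnupg"
  mkdir -m 700 "$GNUPGHOME"
  echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
  g --quick-gen-key 'demo <demo@example.invalid>' default default never
  printf 'constructed package bytes\n' > "$DEMO/pkg.tar.xz"
}
sign_detached() {                # requested practice: signature over the package
  g --armor --detach-sign -o "$DEMO/pkg.tar.xz.asc" "$DEMO/pkg.tar.xz"
}
sign_via_sha1() {                # current practice: clearsigned sha1sum output
  (cd "$DEMO" && sha1sum pkg.tar.xz > pkg.sha1)
  g --clearsign -o "$DEMO/pkg.sha1.asc" "$DEMO/pkg.sha1"
}
verify_detached() {              # one step: the key vouches for the package bytes
  g --verify "$DEMO/pkg.tar.xz.asc" "$DEMO/pkg.tar.xz"
}
verify_sha1_signature() {        # step 1: only proves the checksum list is authentic
  g --output "$DEMO/pkg.sha1.ok" --decrypt "$DEMO/pkg.sha1.asc"
}
verify_sha1_checksums() {        # step 2: package integrity now rests on SHA-1 alone
  (cd "$DEMO" && sha1sum -c --quiet pkg.sha1.ok)
}
tamper_package() { printf 'x' >> "$DEMO/pkg.tar.xz"; }

demo() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping"; return 0; }
  setup_demo; sign_detached; sign_via_sha1
  verify_detached && echo "detached signature: OK before tampering"
  tamper_package
  verify_detached || echo "detached signature: FAILS after tampering"
  verify_sha1_signature && echo "signature on sha1 list: still OK after tampering"
  verify_sha1_checksums || echo "sha1sum -c: the only step that notices the change"
}
demo
```

After the package is altered, `gpg --verify` on the .asc file from the releases page style still succeeds, because what it signs is the checksum text, not the tarball; only the separate sha1sum comparison fails.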