[cairo-bugs] [Bug 99248] New: Misuse of PGP signatures

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon Jan 2 13:48:05 UTC 2017


            Bug ID: 99248
           Summary: Misuse of PGP signatures
           Product: cairo
           Version: unspecified
          Hardware: All
               URL: https://www.cairographics.org/releases/
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
          Assignee: chris at chris-wilson.co.uk
          Reporter: felix.von.s at posteo.de
        QA Contact: cairo-bugs at cairographics.org

There are a few issues with the .asc files available in

The smaller issue is that they are full signed files, not detached signatures
(as is the usual practice). This may sometimes create problems: for example,
makepkg from Arch treats all files with .asc and .sig extensions as detached
signatures and verifies them automatically. Extracting full signed files is not
supported; thus, makepkg can't make use of these files.

The bigger issue is that the signatures they contain are of the SHA-1 sums of
packages, not of the packages themselves. SHA-1 is not considered a strong hash
function nowadays; moreover, a PGP signature is already basically an encrypted
hash, so this practice creates an unnecessary layer of indirection and weakens
security guarantees of PGP signing.

In future releases, please create detached signatures of the packages
themselves. I figure you'd also want the current latest release to be signed in
this way.

You are receiving this mail because:
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.cairographics.org/archives/cairo-bugs/attachments/20170102/0a32b2e7/attachment.html>

More information about the cairo-bugs mailing list