<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Misuse of PGP signatures"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=99248">99248</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Misuse of PGP signatures
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>cairo
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>URL</th>
          <td>https://www.cairographics.org/releases/
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>chris@chris-wilson.co.uk
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>felix.von.s@posteo.de
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>cairo-bugs@cairographics.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>There are a few issues with the .asc files available in
<<a href="https://www.cairographics.org/releases/">https://www.cairographics.org/releases/</a>>.

The smaller issue is that they are full signed files, not detached signatures
(as is the usual practice). This may sometimes create problems: for example,
makepkg from Arch treats all files with .asc and .sig extensions as detached
signatures and verifies them automatically. Extracting full signed files is not
supported; thus, makepkg can't make use of these files.

The bigger issue is that the signatures they contain are of the SHA-1 sums of
packages, not of the packages themselves. SHA-1 is not considered a strong hash
function nowadays; moreover, a PGP signature is already basically an encrypted
hash, so this practice creates an unnecessary layer of indirection and weakens
security guarantees of PGP signing.

In future releases, please create detached signatures of the packages
themselves. I figure you'd also want the current latest release to be signed in
this way.</pre>
        </div>
      </p>
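<p>An added example, not code from the bug report or the cairo project, that walks both schemes the reporter describes using a throwaway GnuPG key in a temporary GNUPGHOME: an inline-signed list of SHA-1 sums like the reported .asc files (assumed here to be clearsigned), then a detached signature over the tarball itself. The tarball name, its contents and the key user-id are constructed.</p>

```shell
#!/bin/sh
# Added example, not code from the cairo project or the bug report. Uses a
# throwaway key in a temporary GNUPGHOME; file and user-id names are made up.
set -eu

demo_release_signing() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    cd "$work"
    printf 'constructed release tarball\n' > cairo-0.0.tar.xz
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Release <demo@example.invalid>' ed25519 sign never 2>/dev/null

    # Scheme the report objects to: an inline-signed list of SHA-1 sums
    # (assumed clearsigned). Checking it takes two steps and a tool that
    # understands inline signatures...
    sha1sum cairo-0.0.tar.xz > SHA1SUMS
    gpg --batch --yes --quiet --clearsign --output SHA1SUMS.asc SHA1SUMS
    gpg --batch --yes --quiet --output SHA1SUMS.checked --decrypt SHA1SUMS.asc 2>/dev/null
    sha1sum -c SHA1SUMS.checked >/dev/null
    # ...and a tool that expects a detached signature (makepkg's reading of
    # a .asc file) rejects it outright.
    if gpg --batch --quiet --verify SHA1SUMS.asc cairo-0.0.tar.xz 2>/dev/null; then
        return 1
    fi

    # Recommended scheme: a detached, armored signature over the tarball.
    gpg --batch --yes --quiet --armor --detach-sign \
        --output cairo-0.0.tar.xz.asc cairo-0.0.tar.xz
    gpg --batch --quiet --verify cairo-0.0.tar.xz.asc cairo-0.0.tar.xz 2>/dev/null

    # Modify the artifact. The signature on SHA1SUMS is still good, so only the
    # SHA-1 comparison stands between the verifier and the altered file; the
    # detached signature binds the tarball bytes directly and fails.
    printf 'modified\n' >> cairo-0.0.tar.xz
    gpg --batch --quiet --decrypt SHA1SUMS.asc >/dev/null 2>&1
    if sha1sum -c SHA1SUMS.checked >/dev/null 2>&1; then return 1; fi
    if gpg --batch --quiet --verify cairo-0.0.tar.xz.asc cairo-0.0.tar.xz 2>/dev/null; then
        return 1
    fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    cd / && rm -rf "$work"
    echo ok
}
```

Call demo_release_signing to run the walkthrough; it prints "ok" when every check behaves as described and "skipped" when no gpg binary is installed.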


    </body>
</html>