Re: [portable] OpenPGP signatures on release checksums (#12)
To answer a number of questions about this all at once: no, we don't sign
releases with GnuPG or OpenPGP.
GnuPG alone is a compressed tarball of 4.2 MB of code I have occasionally
had to glance at. I do not have enough energy in my life to clean up two
poorly written crypto code bases. The world will be better if we only
concentrate
Signify is 1305 *lines* of C code, and it's included in our development
platform. It is not that difficult to install, and if you can't install it,
you could always run OpenBSD in a VM to verify a signature; it comes with
OpenBSD.
> Once we are back in North America where we can do it (the master signature
> box is airgapped), in case you're ultra paranoid, the libressl public key
> will be signed with an OpenBSD release key, which you can buy on CD if you
> really want, and validate it that way.
> Having said that, nothing wrong with having it in github - I've just put
> it there in the top of the portable repository. It's also all over twitter
> if you're on there and like to cross check from multiple sources.
> On Mon, Jul 14, 2014 at 7:14 PM, Ralph Giles <[hidden email]>
>> Well, we need some way to pass release trust from your upstream to
>> downstream users. Are you saying you don't trust gpg's signature
>> implementation? Why is that different from auditing the GNU autotools?
>> - Produce a portable version of signify for packaging on other systems.
>>   It seems like a nice tool, especially the built-in checksum support.
>> - Patch signify to produce OpenPGP signature blocks.
>> - Someone who trusts both signify and an OpenPGP implementation
>>   re-signs the checksums.
>> It would also help to mirror the releases and/or checksum files here on
>> github so people can cross-verify with however much additional value they
>> want to put in the github https cert, and push signed git tags per issue
>> #3 <https://github.com/libressl-portable/portable/issues/3>.
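The verification step the message above relies on, as an added example that is not code from this thread, from signify or from LibreSSL: a pure-Python check of what `signify -V` does, namely parse the .pub and .sig file layout, require the signature's keynum to match the public key's, and verify the embedded Ed25519 signature over the whole message file. The key and signature are the RFC 8032 test 1 vector (empty message); the keynum, comment strings and file name are constructed for the example.

```python
import base64, hashlib
# Ed25519 parameters (RFC 8032): field prime Q, group order L, curve constant D.
Q = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
D = -121665 * pow(121666, Q - 2, Q) % Q
def xrecover(y):  # the even x for a given y (RFC 8032 5.1.3)
    xx = (y * y - 1) * pow(D * y * y + 1, Q - 2, Q)
    x = pow(xx, (Q + 3) // 8, Q)
    x = x if (x * x - xx) % Q == 0 else x * pow(2, (Q - 1) // 4, Q) % Q  # times sqrt(-1)
    return x if x % 2 == 0 else Q - x
B = (xrecover(4 * pow(5, Q - 2, Q) % Q), 4 * pow(5, Q - 2, Q) % Q)  # base point, y = 4/5
def edwards(p, q):  # affine point addition on the twisted Edwards curve
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % Q
    return ((x1 * y2 + x2 * y1) * pow(1 + t, Q - 2, Q) % Q,
            (y1 * y2 + x1 * x2) * pow(1 - t, Q - 2, Q) % Q)
def scalarmult(p, e):  # double-and-add, most significant bit first
    r = (0, 1)
    for bit in bin(e)[2:]:
        r = edwards(r, r) if bit == "0" else edwards(edwards(r, r), p)
    return r
def decodepoint(s):  # 32 bytes: little-endian y, sign bit of x in the top bit
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = xrecover(y)
    return (Q - x if x & 1 != s[31] >> 7 else x, y)
def ed25519_verify(pk, msg, sig):  # accept iff [S]B == R + [SHA512(R||A||M)]A
    r, a = decodepoint(sig[:32]), decodepoint(pk)
    s = int.from_bytes(sig[32:], "little")
    h = int.from_bytes(hashlib.sha512(sig[:32] + pk + msg).digest(), "little")
    return s < L and scalarmult(B, s) == edwards(r, scalarmult(a, h % L))

def parse_signify(text, body_len):  # .pub/.sig: comment line, then base64 of b"Ed" + keynum + body
    comment, b64 = text.splitlines()[:2]
    raw = base64.b64decode(b64)
    if not comment.startswith("untrusted comment: ") or raw[:2] != b"Ed" or len(raw) != 10 + body_len:
        raise ValueError("not a signify file")
    return raw[2:10], raw[10:]  # (8-byte keynum, 32-byte public key or 64-byte signature)
def signify_verify(pubfile, sigfile, msg):  # what `signify -V` checks
    keynum, pk = parse_signify(pubfile, 32)
    signum, sig = parse_signify(sigfile, 64)
    return signum == keynum and ed25519_verify(pk, msg, sig)  # keynum must match the .pub
def signify_file(comment, keynum, body):  # build a .pub/.sig in signify's layout
    return "untrusted comment: %s\n%s\n" % (comment, base64.b64encode(b"Ed" + keynum + body).decode())

# Constructed sample: RFC 8032 test 1 public key and signature (empty message), made-up keynum.
KEYNUM = bytes.fromhex("0123456789abcdef")
PUB = signify_file("example.pub (constructed)", KEYNUM, bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a"))
SIG = signify_file("verify with example.pub", KEYNUM, bytes.fromhex("e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b"))
```

For a release, the signed message is the SHA256 checksum list, and `signify -C` goes on to hash the listed tarballs and compare them against that list once the signature has passed.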
> $ wc -l *.c
> 29 crypto_api.c
> 143 mod_ed25519.c
> 327 mod_ge25519.c
> 806 signify.c
> 1305 total
> Signify is 1305 *lines* of C code, and it's included in our
> development platform. It is not that difficult to install, and
> if you can't install it, you could always run OpenBSD in a VM to
> verify a signature; it comes with OpenBSD.
And it uses quite a few OpenBSD-specific functions, which makes
compiling it on non-OpenBSD annoying. Because of the coupling to the
OpenSSH source, maybe it would make sense to include it in the OpenSSH