Re: [portable] OpenPGP signatures on release checksums (#12)


Bob Beck-2
To answer a number of questions about this all at once: no, we don't sign
releases with GnuPG or OpenPGP.

GnuPG alone is a compressed tarball of 4.2 MB of code I have occasionally
had to glance at. I do not have enough energy in my life to clean up two
poorly written crypto code bases. The world will be better if we only
concentrate on one.

$ wc -l *.c
      29 crypto_api.c
     143 mod_ed25519.c
     327 mod_ge25519.c
     806 signify.c
    1305 total

Signify is 1305 *lines* of C code, and it's included in our development
platform. It is not that difficult to install, and if you can't install it,
you could always run OpenBSD in a VM to verify a signature; it comes with
OpenBSD.




On Mon, Jul 14, 2014 at 11:01 AM, Ralph Giles <[hidden email]>
wrote:

> Thanks for providing signed checksums of the releases on
> http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/ !
>
> I respectfully suggest offering OpenPGP signatures, at least as an
> alternative, would be more portable. My systems don't have signify.
>
> —
> Reply to this email directly or view it on GitHub
> <https://github.com/libressl-portable/portable/issues/12>.
>
Re: [portable] OpenPGP signatures on release checksums (#12)

Bob Beck-2
It's also here :)
----8<--
untrusted comment: LibreSSL Portable public key
RWQg/nutTVqCUVUw8OhyHt9n51IC8mdQRd1b93dOyVrwtIXmMI+dtGFe



On Mon, Jul 14, 2014 at 8:52 PM, Bob Beck <[hidden email]> wrote:

>
> Once we are back in North America where we can do it (the master signature
> box is airgapped), in case you're ultra paranoid, the libressl public key
> will be signed with an OpenBSD release key, which you can buy on CD if you
> really want, and validate it that way.
>
> Having said that, nothing wrong with having it in github - I've just put
> it there in the top of the portable repository. It's also all over twitter
> if you're on there and like to cross check from multiple sources.
>
>
> On Mon, Jul 14, 2014 at 7:14 PM, Ralph Giles <[hidden email]>
> wrote:
>
>> Well, we need some way to pass release trust from your upstream to
>> downstream users. Are you saying you don't trust gpg's signature
>> implementation? Why is that different from auditing the GNU autotools?
>>
>>    - Produce a portable version of signify for packaging on other systems.
>>      It seems like a nice tool, especially the built-in checksum support.
>>    - Patch signify to produce OpenPGP signature blocks.
>>    - Someone who trusts both signify and an OpenPGP implementation
>>      re-signs the checksums.
>>
>> It would also help to mirror the releases and/or checksum files here on
>> github so people can cross-verify with however much additional value they
>> want to put in the github https cert, and push signed git tags per issue
>> #3 <https://github.com/libressl-portable/portable/issues/3>.
>>
>> —
>> Reply to this email directly or view it on GitHub
>> <https://github.com/libressl-portable/portable/issues/12#issuecomment-48979965>
>> .
>>
>
>
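
Added example (not part of the thread and not the project's code): a Python parser for the key file posted in the message above, assuming signify's on-disk layout of a 2-byte algorithm tag, an 8-byte key number and a 32-byte Ed25519 key (64 signature bytes in a signature file). The function names and the sample signature are constructed for illustration. It compares copies of the key obtained from several sources and checks which key a signature names; it does not perform the Ed25519 verification itself.

```python
import base64
import hmac

COMMENT_PREFIX = "untrusted comment: "
PK_ALG = b"Ed"                 # 2-byte algorithm tag signify uses for Ed25519
KEYNUM_LEN, PUBKEY_LEN, SIG_LEN = 8, 32, 64

# Public key exactly as posted in the message above.
LIBRESSL_PUB = """untrusted comment: LibreSSL Portable public key
RWQg/nutTVqCUVUw8OhyHt9n51IC8mdQRd1b93dOyVrwtIXmMI+dtGFe
"""

def _parse(text, payload_len):
    """Parse 'comment line + base64 line' into (comment, keynum, payload)."""
    lines = text.strip().splitlines()
    if len(lines) < 2 or not lines[0].startswith(COMMENT_PREFIX):
        raise ValueError("missing 'untrusted comment: ' line")
    raw = base64.b64decode(lines[1].strip(), validate=True)
    if len(raw) != len(PK_ALG) + KEYNUM_LEN + payload_len:
        raise ValueError(f"unexpected blob length {len(raw)}")
    if raw[:2] != PK_ALG:
        raise ValueError("unknown algorithm tag")
    return lines[0][len(COMMENT_PREFIX):], raw[2:10], raw[10:]

def parse_pubkey(text):
    return _parse(text, PUBKEY_LEN)

def parse_signature(text):
    # Lines after the base64 line (an embedded message) are ignored here.
    return _parse(text, SIG_LEN)

def same_key(copy_a, copy_b):
    """True if two copies carry identical key bytes; comments are untrusted."""
    _, num_a, key_a = parse_pubkey(copy_a)
    _, num_b, key_b = parse_pubkey(copy_b)
    return hmac.compare_digest(num_a + key_a, num_b + key_b)

def signed_with(sig_text, pub_text):
    """Key selection only: does the signature name this key's number?
    The Ed25519 check itself is still signify's job."""
    return parse_signature(sig_text)[1] == parse_pubkey(pub_text)[1]

def make_sample_sig(keynum):
    """Constructed sample: right layout, all-zero (invalid) signature bytes."""
    blob = base64.b64encode(PK_ALG + keynum + bytes(SIG_LEN)).decode()
    return f"{COMMENT_PREFIX}constructed sample\n{blob}\n"

if __name__ == "__main__":
    comment, keynum, key = parse_pubkey(LIBRESSL_PUB)
    print(comment, keynum.hex(), key.hex())
```
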
Re: [portable] OpenPGP signatures on release checksums (#12)

Stefan Fritsch
In reply to this post by Bob Beck-2
On Monday 14 July 2014 12:45:35, Bob Beck wrote:

> $ wc -l *.c
>       29 crypto_api.c
>      143 mod_ed25519.c
>      327 mod_ge25519.c
>      806 signify.c
>     1305 total
>
> Signify is 1305 *lines* of C code, and it's included in our
> development platform. It is not that difficult to install, and
> if you can't install it, you could always run OpenBSD in a VM to
> verify a signature; it comes with OpenBSD.

Signify uses some OpenSSH .c files:

$ wc -l *.c *.data
    29 crypto_api.c
   335 fe25519.c
   143 mod_ed25519.c
   327 mod_ge25519.c
   306 sc25519.c
   806 signify.c
   265 smult_curve25519_ref.c
   858 ge25519_base.data
  3069 total

And it uses quite a few OpenBSD-specific functions, which makes
compiling it on non-OpenBSD annoying. Because of the coupling to the
OpenSSH source, maybe it would make sense to include it in the OpenSSH
portable release?