- Subject: Re: gpg signatures for release tarballs?
- From: "Anonymous" <hyperowl@...>
- Date: Sat, 29 Jan 2022 04:05:57 -0000
If I get the key from the site, the window of vulnerability is small: I
only need to get it once.
For any new key there will (hopefully) be an announcement, signed with the
old key, containing the new key's fingerprint.
Also, I can get a key from a keyserver or any other place. It's not about
the key, it's about its fingerprint, which you can publish in multiple
places: on the site, on social media, mention it in a conference talk, etc.
On Sat, January 29, 2022 02:53, Joseph C. Sible wrote:
> How would you know what the public key is? If you were to get it from
> the website, then isn't trusting that equivalent to trusting the checksums?
>
>
> One thing I do think would be a good idea, though, is to publish a
> non-broken hash (e.g., sha256) instead of just md5 and sha1, both of which
> are broken.
>
> Joseph C. Sible
>
>
>
> On Fri, Jan 28, 2022 at 9:34 PM Anonymous <hyperowl@danwin1210.de> wrote:
>
>>
>> You only publish release checksums. The resulting scheme is weak: I
>> need to trust HTTPS which is security theatre given how vulnerable CAs
>> are. Please consider publishing cryptographic signatures of some kind
>> (gpg/signify/whatever).
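
The fingerprint-pinning idea discussed in this thread, as an added example that is not part of any message above: the fingerprint is collected from several independent channels, and a release is accepted only if gpg's machine-readable status (as produced by `gpg --status-fd 1 --verify`) reports a good signature from that primary key. The function names are hypothetical, and every fingerprint and status line is constructed sample data.

```python
import re

# Status keywords that mean the signature must not be trusted.
BAD = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def normalize(fpr):
    """Canonical form of a v4 fingerprint: 40 upper-case hex digits."""
    cleaned = re.sub(r"[\s:]", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a 40-hex-digit fingerprint: {fpr!r}")
    return cleaned

def agreed_fingerprint(channels):
    """Return the one fingerprint every channel published, else raise."""
    seen = {normalize(f) for f in channels.values()}
    if len(seen) != 1:
        raise ValueError(f"channels disagree: {sorted(seen)}")
    return seen.pop()

def signed_by(status_output, pinned):
    """True only for a good signature whose primary key is the pinned one."""
    pinned, keywords, primaries = normalize(pinned), set(), set()
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keywords.add(parts[1])
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            # The tenth field after the keyword is the primary key fingerprint;
            # fall back to the signing key's fingerprint if it is absent.
            primaries.add((parts[11] if len(parts) >= 12 else parts[2]).upper())
    # Conservative: any bad, expired or revoked status rejects the file.
    return "GOODSIG" in keywords and not (keywords & BAD) and pinned in primaries

# Constructed sample data (not a real key or release).
PRIMARY = "0123456789ABCDEF0123456789ABCDEF01234567"
SUBKEY = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"
CHANNELS = {
    "website": "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567",
    "social media": PRIMARY.lower(),
    "conference slide": PRIMARY,
}
GOOD_STATUS = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Release Key <release@example.org>",
    f"[GNUPG:] VALIDSIG {SUBKEY} 2022-01-29 1643429157 0 4 0 1 8 00 {PRIMARY}",
])

if __name__ == "__main__":
    pin = agreed_fingerprint(CHANNELS)
    print("pinned:", pin, "accepted:", signed_by(GOOD_STATUS, pin))
```

Where the key file itself came from never enters the check; only the fingerprint comparison does.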