[Mono-list] Not able to verify integrity of download
inorton at gmail.com
Thu Mar 13 08:00:12 UTC 2014
I'd say that is a good idea. PGP-sign the sha256 hash of the release
tarball, and make that a manual process controlled by release engineers.
Perhaps also sign the sha1 state of the git repos at releases too.
On 12 Mar 2014 17:25, "Matt Clay" <Matt.Clay at earthclassmail.com> wrote:
> Perhaps you could use GnuPG to sign releases, as is done for the Linux
> kernel sources?
> - Matt
> -----Original Message-----
> From: mono-list-bounces at lists.ximian.com [mailto:
> mono-list-bounces at lists.ximian.com] On Behalf Of Edward Ned Harvey (mono)
> Sent: Wednesday, March 12, 2014 4:00 AM
> To: Ian Norton
> Cc: mono-list at lists.ximian.com; monolithic1
> Subject: Re: [Mono-list] Not able to verify integrity of download
> > From: Ian Norton [mailto:inorton at gmail.com]
> > Sent: Tuesday, March 11, 2014 2:29 AM
> > I think our friend is wondering if our stable archive is trusted, i.e. if
> > someone hasn't snuck in and inserted something nasty in the released tarball.
> > I for one think that Xamarin really, really needs to SHA-2 and sign the
> > released stable sources!
> So - How does that work? The two things I usually see are either:
> On the website, they give you a download link for a file, and they also
> tell you the MD5 and SHA1 sums of the file...
> You download something like a .msi or .exe, and your browser does a
> security scan, and upon launch, it does another security scan, and verifies
> all the codesigning signatures...
> So my question for you guys is, what do you want to see? The way I see
> it, posting the MD5 or SHA1 on the website does not help protect you
> against a malicious person hacking up the website, because they'll just
> update the sums to match their infected tarball.
> Code signing is very nice, because the software publisher must jump
> through trusted root CA verification, proof of control of the organization,
> etc, and the publisher has a private key, so even if somebody hacks up the
> website, they still cannot fake a valid signed file. So the recipient will
> be able to detect the malicious behavior. (Invalid code signing cert, or
> not signed at all.)
> But I'm not aware of any way to do code signing on the source tarball, etc.
> Mono-list maillist - Mono-list at lists.ximian.com
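The thread's two proposals are a published checksum on the download page versus a signature over that checksum by a key the release engineers control. The following Go program is an added illustration, not code from the Mono project or from anyone on this list: it substitutes a stdlib Ed25519 key for the PGP key the thread discusses, uses a constructed filename and tarball contents, and models the attacker Ned describes (one who can edit the website) by rewriting the checksum line alongside the swapped tarball. The checksum-only check accepts that swap; the signed check rejects it, because the attacker cannot re-sign the rewritten manifest.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release is what a mirror serves: the tarball, a checksum manifest in
// "sha256sum" format, and a detached signature over that manifest.
type Release struct {
	Tarball   []byte
	Manifest  []byte
	Signature []byte
}

// NewSigningKey stands in for the release engineers' long-lived signing key
// (Ed25519 here instead of PGP so the example runs with the standard library).
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// manifestFor builds the one-line "<hex sha256>  <filename>" manifest.
func manifestFor(name string, tarball []byte) []byte {
	sum := sha256.Sum256(tarball)
	return []byte(fmt.Sprintf("%s  %s\n", hex.EncodeToString(sum[:]), name))
}

// Publish is the manual release-engineer step: hash the tarball, sign the hash.
func Publish(priv ed25519.PrivateKey, name string, tarball []byte) Release {
	m := manifestFor(name, tarball)
	return Release{Tarball: tarball, Manifest: m, Signature: ed25519.Sign(priv, m)}
}

// VerifyChecksumOnly is all a downloader can do when the site publishes only
// sums: it catches corruption, not an attacker who rewrote the sums as well.
func VerifyChecksumOnly(name string, r Release) error {
	if !bytes.Equal(r.Manifest, manifestFor(name, r.Tarball)) {
		return errors.New("tarball does not match published checksum")
	}
	return nil
}

// VerifySigned checks the signature first, with a public key obtained out of
// band (a keyserver or an earlier release, not the same website), and only
// then trusts the checksum inside the manifest.
func VerifySigned(pub ed25519.PublicKey, name string, r Release) error {
	if !ed25519.Verify(pub, r.Manifest, r.Signature) {
		return errors.New("manifest signature invalid")
	}
	return VerifyChecksumOnly(name, r)
}

// TamperedCopy models a compromised download server: the tarball is replaced
// and, when the attacker also controls the page, the checksum line is updated
// to match. The appended bytes are a constructed marker, not real content.
func TamperedCopy(name string, r Release, rewriteManifest bool) Release {
	replaced := append(append([]byte{}, r.Tarball...), []byte("\n# constructed tampered bytes\n")...)
	t := Release{Tarball: replaced, Manifest: r.Manifest, Signature: r.Signature}
	if rewriteManifest {
		t.Manifest = manifestFor(name, replaced) // attacker keeps the sums consistent
	}
	return t
}

func main() {
	pub, priv := NewSigningKey()
	const name = "mono-x.y.z.tar.bz2" // constructed filename
	genuine := Publish(priv, name, []byte("constructed tarball contents"))
	swapped := TamperedCopy(name, genuine, true)

	fmt.Println("genuine, checksum only:", VerifyChecksumOnly(name, genuine))
	fmt.Println("swapped, checksum only:", VerifyChecksumOnly(name, swapped)) // <nil>: sums were rewritten
	fmt.Println("genuine, signed:       ", VerifySigned(pub, name, genuine))
	fmt.Println("swapped, signed:       ", VerifySigned(pub, name, swapped)) // signature invalid
}
```

The design point is the one Ned makes about code signing: the private key never lives on the web server, so compromising the server does not let the attacker produce a manifest that verifies. Keeping signing a manual release-engineer step, as Ian suggests, is what keeps that key off the server; the downloader's remaining job is to fetch the public key from somewhere other than the download page.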