Comments (8)
To answer a number of questions about this all at once. No. we don't sign
releases with GnuPG or OpenPGP.
GnuPG alone is a compressed tarball of 4.2 MB of code I have occasionally
had to glance at. I do not have enough
energy in my life to clean up two poorly written crypto code bases. The
world will be better if we only concerntrate
on one.
$ wc -l *.c
29 crypto_api.c
143 mod_ed25519.c
327 mod_ge25519.c
806 signify.c
1305 total
Signify is 1305 lines of C code. and it's included in our development
platform. It is not that difficult to install, and
if you can't install it, you could always run OpenBSD in a vm to verify a
signature, it comes with openbsd.
On Mon, Jul 14, 2014 at 11:01 AM, Ralph Giles [email protected]
wrote:
Thanks for providing signed checksums of the releases on
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/ !I respectfully suggest offering OpenPGP signatures, at least as an
alternative, would be more portable. My systems don't have signify.—
Reply to this email directly or view it on GitHub
#12.
from portable.
In case you happen to be on OS X, check out https://github.com/jpouellet/signify-osx. It's not official by any means, but the delta to upstream is small enough that it should be easy to audit yourself if you wish.
from portable.
Well, we need some way to pass release trust from your upstream to downstream users. Are you saying you don't trust gpg's signature implementation? Why is that different from auditing the GNU autotools?
- Produce a portable version of
signify
for packaging on other systems. It seems like a nice tool, especially the built-in checksum support. - Patch
signify
to produce OpenPGP signature blocks. - Someone who trusts both signify and and an OpenPGP implementation re-signs the checksums.
It would also help to mirror the releases and/or checksum files here on github so people can cross-verify with however much additional value they want to put in the github https cert, and push signed git tags per issue #3.
from portable.
Once we are back in North America where we can do it (the master signature
box is airgapped) in case you're ultra paranoid the libressl public key
will be signed with an OpenBSD release key, which you can buy on CD if you
really want. and validate
it that way.
Having said that, nothing wrong with having it in github - I've just put it
there in the top of the portable repository. It's also all over twitter if
you're on there and like to cross check from multiple sources.
On Mon, Jul 14, 2014 at 7:14 PM, Ralph Giles [email protected]
wrote:
Well, we need some way to pass release trust from your upstream to
downstream users. Are you saying you don't trust gpg's signature
implementation? Why is that different from auditing the GNU autotools?
Produce a portable version of signify for packaging on other systems.
It seems like a nice tool, especially the built-in checksum support.Patch signify to produce OpenPGP signature blocks.
Someone who trusts both signify and and an OpenPGP implementation
re-signs the checksums.It would also help to mirror the releases and/or checksum files here on
github so people can cross-verify with however much additional value they
want to put in the github https cert, and push signed git tags per issue
#3 #3.—
Reply to this email directly or view it on GitHub
#12 (comment)
.
from portable.
It's also here :)
----8<--
untrusted comment: LibreSSL Portable public key
RWQg/nutTVqCUVUw8OhyHt9n51IC8mdQRd1b93dOyVrwtIXmMI+dtGFe
On Mon, Jul 14, 2014 at 8:52 PM, Bob Beck [email protected] wrote:
Once we are back in North America where we can do it (the master signature
box is airgapped) in case you're ultra paranoid the libressl public key
will be signed with an OpenBSD release key, which you can buy on CD if you
really want. and validate
it that way.Having said that, nothing wrong with having it in github - I've just put
it there in the top of the portable repository. It's also all over twitter
if you're on there and like to cross check from multiple sources.On Mon, Jul 14, 2014 at 7:14 PM, Ralph Giles [email protected]
wrote:Well, we need some way to pass release trust from your upstream to
downstream users. Are you saying you don't trust gpg's signature
implementation? Why is that different from auditing the GNU autotools?
Produce a portable version of signify for packaging on other systems.
It seems like a nice tool, especially the built-in checksum support.Patch signify to produce OpenPGP signature blocks.
Someone who trusts both signify and and an OpenPGP implementation
re-signs the checksums.It would also help to mirror the releases and/or checksum files here on
github so people can cross-verify with however much additional value they
want to put in the github https cert, and push signed git tags per issue
#3 #3.—
Reply to this email directly or view it on GitHub
#12 (comment)
.
from portable.
Patch signify to produce OpenPGP signature blocks.
It'd take more than that, and the cost outweighs the benefit.
So instead, here's what I have for the signify keys, signed by my pgp key (685B922D
). I'm reasonably well connected to the web of trust, and I've verified openbsd-55-base.pub against my CD as well as in person with multiple openbsd devs at BSDCan 2014.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
untrusted comment: LibreSSL Portable public key
RWQg/nutTVqCUVUw8OhyHt9n51IC8mdQRd1b93dOyVrwtIXmMI+dtGFe
untrusted comment: openbsd 5.5 base public key
RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h
untrusted comment: openbsd 5.5 firmware public key
RWTdVOhdk5qyNktv0iGV6OpaVfogGxTYc1bbkaUhFlExmclYvpJR/opO
untrusted comment: openbsd 5.5 packages public key
RWQQC1M9dhm/tja/ktitJs/QVI1kGTQr7W7jtUmdZ4uTp+4yZJ6RRHb5
untrusted comment: openbsd 5.6 base public key
RWR0EANmo9nqhpPbPUZDIBcRtrVcRwQxZ8UKGWY8Ui4RHi229KFL84wV
untrusted comment: openbsd 5.6 firmware public key
RWT4e3jpYgSeLYs62aDsUkcvHR7+so5S/Fz/++B859j61rfNVcQTRxMw
untrusted comment: openbsd 5.6 packages public key
RWSPEf7Vpp2j0PTDG+eLs5L700nlqBFzEcSmHuv3ypVUEOYwso+UucXb
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCAAGBQJTxJ5CAAoJEPjsi1Ulx5x/upUP+gNeh3KlEBnyqJkWuVOe0K2Q
Y37FNdd1b8yknKocVaA0C6kmr05yz1A5clRQtFLCIgripmpscBzd+BbW9AlitbbJ
zatsDsduqn44aikWVPuGHZ4vnxbaWdpnzObZo96pF1OrupOS2/mLZ1pQVDzkh+RH
GC9wAieu3Z/LsYbuMfviDdstOOscKSqJZ/hgeiZF2ppAHwnhUwTvrWkHqzoBBGIn
6IEJe6INUt8powb73v2OH/A3+nYc4LIFAWIafQonlEG+vWxPQirioGaN53OSCWvQ
gZFXzXhBxDLMOR/V7SIJv8imGb3LFmoryRaHGv1FuXX/cLQfXfYxmwLTOMtL9dmC
gtpgx4mJk8h3jKiGrXgrTUecpAMpR/lDBkXqLNohgGpkMUVoNSB5Dw5LcgoX6n33
agkeypy0/PMZrRjsNbgvKoAb7fRfG6xIKkw8iQLY4Mf6Ek6xr+7A02wOsmfHHrCH
U9p0z+8PNLsRZtki9ThDjugwa8JdLm2SJoBehdnLKuHcOUdCeRWYNSgfLdRbMXH/
aa+Z6LFTsPx0y6UWpGJg3F51DnoHAZOPrHuaAzNJ2J5QOqSh476tYht3q2zDUmsi
/ZJaqFlbLV4f1iOIFkeWhpbUZDdoYMpT2mluFtNn95FBZ13OjpwFvgMRW8IZR+1l
Dy3clLtg8e56wnicX8ji
=ruMH
-----END PGP SIGNATURE-----
Now... how do you know I'm not $evil_person out to get you? You don't. Too bad.
from portable.
Thanks, all this helps.
from portable.
Hi.
Those wishing to verify LibreSSL tarballs can use my portable version of OpenBSD's signify (project I began back in May [1]). It is quite self-contained and doesn't depend on things like libbsd for BSDisms or OpenSSL/LibreSSL for prng seed material. So, I anticipate it should build on many POSIXy systems (tested on Linux and Windows/Cygwin).
The latest version was sync'd on 20140902 and includes signify.c rev1.91 and updated support code including tweaks that hopefully make explicit_bzero more resistant to overzealous compilers:
My example-driven HOWTO should be enough to get one started.
--mancha
PS A few LibreSSL versions ago, verification worked flawlessly. However, the latest SHA256 digest lists contain full paths (e.g. /home/sign/libressl-2.0.2.tar.gz) which interfere with verification. Mistake?
[1] http://www.linuxquestions.org/questions/slackware-14/openbsd%27s-new-john-hancock-4175504101/
from portable.
Related Issues (20)
- libressl 3.8.3 build fail with error: invalid instruction mnemonic 'endbr64' HOT 3
- LibreSSL 3.8.3 fails to build with `syntax error: _CET_ENDBR` (Windows, MSVC, x64) HOT 7
- Windows MinGW build failing with Bad file number HOT 8
- libressl-3.9.0: build fails for ios HOT 13
- Building on MINGW64_NT-10.0-19045 fails with "../../libtool: line 1900: /mingw64/bin/gcc: Argument list too long" in libressl/apps/ocspcheck HOT 1
- Build fail : missing RC4 git HEAD HOT 2
- SIGSEGV in `bn_bitsize` triggerable via remote (s_client) HOT 1
- Use of SHA ISA Extensions
- CI on Solaris started failing whirlpool_test HOT 3
- Expected steps for Visual Studio native build on x64 Windows 10 HOT 4
- BN_mod_exp_mont_word() is not a public symbol HOT 3
- Why was X509V3_EXT_cleanup() removed? HOT 4
- Crosscompile linux to windows: linking fails, undefined reference SSL_library_init 3.9.2 HOT 4
- Unsupported platforms should fail earlier in the configuration process HOT 4
- Unexpected "unknown pkey type" errors during TLSv1.3 handshakes on server with multiple certificates HOT 1
- SSL_get_certificate() returns wrong certificate HOT 6
- `compat/stdint.h` missing from source tarball HOT 7
- ssl_tlsext.c:1608:30: warning: 'client_preferred_group' may be used uninitialized in this function HOT 5
- Is LibreSSL affected by the OpenSSH regreSSHion vulnerability (CVE-2024-6387)? HOT 3
- posix_win.c: is_socket(int fd) fails at any socket whose value also exists as a file descriptor
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from portable.