On 6/24/24 23:31, Aigars Mahinovs wrote:
> There is no cryptographic relationship between the signed source *package* and the actual source. That *is* the problem. Inspecting one thing and then signing something else is the problem.

I'm sorry, but I cannot make reasonable sense of the above, even if you're repeating it over, and over, and over...

Of course what I expect in a source package is ... my source code! In so many ways, I'm checking what I upload. For example, by using and testing what I uploaded. Right, I haven't checked all the file checksums one by one. Nevertheless, I am currently confident that what I uploaded is what I expected. That doesn't change much with the workflow you're proposing; I'd still check that things are working as expected.

But contrary to what you're saying, that *is not* the problem. The problem is that you're proposing to sign something, and upload something else, signed by a 3rd-party CI that you're asking us to blindly trust. This makes no sense. We want your stamp of approval on the thing you're actually uploading, not something else. You may as well make a signed request to a REST API; it wouldn't be very different from signing a tag in a random Git repository.

Cheers,

Thomas Goirand (zigo)
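The distinction the reply turns on (a signature over the uploaded files' checksums versus a signature over a Git tag that never touches the uploaded bytes) can be made concrete. The following is an added example, not code from the thread or from any Debian tool; it simulates the maintainer's signature with HMAC-SHA256 and a constructed key (an assumption of this example, standing in for an OpenPGP signature), and uses constructed file contents in place of a real upload.

```python
"""
Constructed illustration of why a signature must cover the artifact that is
actually uploaded.  A manifest of per-file SHA-256 checksums (the shape of the
Checksums-Sha256 field in a .dsc) is signed and verified against the upload
directory; swapping any file is detected.  A signature that covers only a
commit id (what a signed Git tag binds) accepts the same swapped file, because
the uploaded bytes never enter that verification at all.

Signing is simulated with HMAC-SHA256 under a constructed key.  This is a
stand-in for the maintainer's OpenPGP signature, not how the archive works.
"""
import hashlib
import hmac

MAINTAINER_KEY = b"constructed-maintainer-key"  # assumption: stand-in for a private key

# Constructed upload: file name -> bytes as they sit in the upload directory.
UPLOAD = {
    "hello_1.0.orig.tar.gz": b"constructed upstream tarball bytes",
    "hello_1.0-1.debian.tar.xz": b"constructed packaging changes",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> str:
    """One 'digest size name' line per file, sorted by name (as in a .dsc)."""
    return "\n".join(
        f"{sha256_hex(data)} {len(data)} {name}" for name, data in sorted(files.items())
    )


def sign(message: str, key: bytes = MAINTAINER_KEY) -> str:
    """Simulated signature over an arbitrary message."""
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def verify_signature(message: str, signature: str, key: bytes = MAINTAINER_KEY) -> bool:
    return hmac.compare_digest(sign(message, key), signature)


def verify_upload(manifest: str, signature: str, files: dict) -> bool:
    """Accept the upload only if the signature over the manifest is valid AND
    every listed file is present with the listed size and digest, with no
    extra files.  This is the 'stamp of approval on the thing uploaded'."""
    if not verify_signature(manifest, signature):
        return False
    listed = {}
    for line in manifest.splitlines():
        digest, size, name = line.split(" ", 2)
        listed[name] = (digest, int(size))
    if set(listed) != set(files):
        return False
    return all(
        sha256_hex(files[name]) == digest and len(files[name]) == size
        for name, (digest, size) in listed.items()
    )


def tag_signature_accepts(files: dict, commit_id: str, signature: str) -> bool:
    """A signed tag binds only the commit id.  The upload contents are a
    parameter here purely to make the point visible: they are never consulted,
    so a substituted tarball is accepted as long as the tag signature checks."""
    return verify_signature(commit_id, signature)


if __name__ == "__main__":
    manifest = build_manifest(UPLOAD)
    sig = sign(manifest)
    print("genuine upload, signed manifest:", verify_upload(manifest, sig, UPLOAD))
    tampered = dict(UPLOAD, **{"hello_1.0.orig.tar.gz": b"substituted tarball"})
    print("substituted tarball, signed manifest:", verify_upload(manifest, sig, tampered))
    tag_sig = sign("0123abcd")  # constructed commit id
    print("substituted tarball, signed tag only:", tag_signature_accepts(tampered, "0123abcd", tag_sig))
```

The two verification functions take the same inputs, and only one of them ever reads the uploaded bytes; that is the whole of the argument about what a CI-signed tag does and does not attest to.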
