Re: [portable] OpenPGP signatures on release checksums (#12)
On Monday 14 July 2014 12:45:35, Bob Beck wrote:
> $ wc -l *.c
>       29 crypto_api.c
>      143 mod_ed25519.c
>      327 mod_ge25519.c
>      806 signify.c
>     1305 total
>
> Signify is 1305 *lines* of C code, and it's included in our development platform. It is not that difficult to install, and if you can't install it, you could always run OpenBSD in a vm to verify a signature, it comes with openbsd.

Signify uses some openssh .c files:

$ wc -l *.c *.data
      29 crypto_api.c
     335 fe25519.c
     143 mod_ed25519.c
     327 mod_ge25519.c
     306 sc25519.c
     806 signify.c
     265 smult_curve25519_ref.c
     858 ge25519_base.data
    3069 total

And it uses quite a few openbsd specific functions which makes compiling it on non-openbsd annoying.

Because of the coupling to the openssh source, maybe it would make sense to include it in the openssh portable release?
Re: [portable] OpenPGP signatures on release checksums (#12)
To answer a number of questions about this all at once.

No. We don't sign releases with GnuPG or OpenPGP. GnuPG alone is a compressed tarball of 4.2 MB of code I have occasionally had to glance at. I do not have enough energy in my life to clean up two poorly written crypto code bases. The world will be better if we only concentrate on one.

$ wc -l *.c
      29 crypto_api.c
     143 mod_ed25519.c
     327 mod_ge25519.c
     806 signify.c
    1305 total

Signify is 1305 *lines* of C code, and it's included in our development platform. It is not that difficult to install, and if you can't install it, you could always run OpenBSD in a vm to verify a signature, it comes with openbsd.

On Mon, Jul 14, 2014 at 11:01 AM, Ralph Giles notificati...@github.com wrote:
> Thanks for providing signed checksums of the releases on http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/ !
>
> I respectfully suggest offering OpenPGP signatures, at least as an alternative, would be more portable. My systems don't have signify.
>
> —
> Reply to this email directly or view it on GitHub https://github.com/libressl-portable/portable/issues/12.
Re: [portable] OpenPGP signatures on release checksums (#12)
It's also here :)

8--
untrusted comment: LibreSSL Portable public key
RWQg/nutTVqCUVUw8OhyHt9n51IC8mdQRd1b93dOyVrwtIXmMI+dtGFe

On Mon, Jul 14, 2014 at 8:52 PM, Bob Beck b...@obtuse.com wrote:
> Once we are back in North America where we can do it (the master signature box is airgapped) in case you're ultra paranoid the libressl public key will be signed with an OpenBSD release key, which you can buy on CD if you really want, and validate it that way.
>
> Having said that, nothing wrong with having it in github - I've just put it there in the top of the portable repository. It's also all over twitter if you're on there and like to cross check from multiple sources.
>
> On Mon, Jul 14, 2014 at 7:14 PM, Ralph Giles notificati...@github.com wrote:
> > Well, we need some way to pass release trust from your upstream to downstream users. Are you saying you don't trust gpg's signature implementation? Why is that different from auditing the GNU autotools?
> >
> > - Produce a portable version of signify for packaging on other systems. It seems like a nice tool, especially the built-in checksum support.
> > - Patch signify to produce OpenPGP signature blocks.
> > - Someone who trusts both signify and an OpenPGP implementation re-signs the checksums.
> >
> > It would also help to mirror the releases and/or checksum files here on github so people can cross-verify with however much additional value they want to put in the github https cert, and push signed git tags per issue #3 https://github.com/libressl-portable/portable/issues/3.
> >
> > —
> > Reply to this email directly or view it on GitHub https://github.com/libressl-portable/portable/issues/12#issuecomment-48979965
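
The cross-check from multiple sources suggested in the message above can be scripted. The following is an added example, not part of the thread and not the project's code: it parses the signify public key file format (an "untrusted comment" line, then base64 of a 2-byte "Ed" tag, an 8-byte key number and a 32-byte Ed25519 key) and compares copies of the key. The source names passed to `cross_check` are hypothetical labels chosen by the caller.

```python
import base64
import binascii
from collections import Counter

# Key file text as quoted in the thread above.
THREAD_KEY = (
    "untrusted comment: LibreSSL Portable public key\n"
    "RWQg/nutTVqCUVUw8OhyHt9n51IC8mdQRd1b93dOyVrwtIXmMI+dtGFe\n"
)

def parse_signify_pubkey(text):
    """Return (keynum, ed25519_key) from the text of a signify .pub file."""
    lines = text.strip().splitlines()
    if len(lines) != 2 or not lines[0].startswith("untrusted comment: "):
        raise ValueError("expected a comment line followed by one base64 line")
    try:
        raw = base64.b64decode(lines[1], validate=True)
    except binascii.Error as exc:
        raise ValueError("key line is not valid base64") from exc
    # Layout: 2-byte algorithm tag, 8-byte key number, 32-byte Ed25519 key.
    if len(raw) != 42 or raw[:2] != b"Ed":
        raise ValueError("not a signify Ed25519 public key")
    return raw[2:10], raw[10:]

def cross_check(copies):
    """copies maps a source label to key file text; returns (agreed, outliers).

    The comment line is untrusted, so only the decoded key bytes are compared.
    agreed is True only when every copy parses and all copies are identical;
    outliers lists the sources that differ from the most common copy.
    """
    parsed = {}
    for source, text in copies.items():
        try:
            parsed[source] = parse_signify_pubkey(text)
        except ValueError:
            parsed[source] = None  # unparsable copies count as disagreement
    counts = Counter(v for v in parsed.values() if v is not None)
    if not counts:
        return False, sorted(parsed)
    majority, _ = counts.most_common(1)[0]
    outliers = sorted(s for s, v in parsed.items() if v != majority)
    return not outliers, outliers
```

Any disagreement means no copy should be trusted until the difference is explained; the outlier list only shows where to start looking.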