Re: [gcmd-usr] signature file available
From: Uwe Scholz
Subject: Re: [gcmd-usr] signature file available
Date: Fri, 20 Oct 2017 15:52:38 +0200
Hi Joe,
sorry for my late response, I have been absent for some time.
On Fri, 13 Oct 2017 23:12:45 -0500, Joe wrote:
> On 10/09/2017 12:27 AM, Uwe Scholz wrote:
> > Hi Joe,
> >
> > Thank you for your question. When I upload a new package for
> > deployment to the Gnome server, a sha256 checksum is generated.
> > This one is always stored in the download folder of
> > Gnome-Commander. See here:
> >
> > https://download.gnome.org/sources/gnome-commander/1.8/
> >
> > Best wishes
> > Uwe
>
> Thanks. No, I didn't mean a checksum - though a checksum is useful to
> rule out download errors, it doesn't verify that the file downloaded
> wasn't tampered with, then placed on the D/L site or a mirror site.
> You may have heard there's a lot of serious maliciousness on the web
> nowadays?
> If you remember, even Linux Mint's ISO files were hacked (on their
> site) & included malware. I believe also Ubuntu's site was hacked at
> one point (a while back).
>
> I meant signature files, as in *.asc files to use gpg to verify the
> "file signed with developer's signing key" (where the developer signs
> the gnome-commander-1.8.0.tar.xz), then posts the *.asc signature
> file on the site: gnome-commander-1.8.0.tar.xz.asc. You would also
> (generally) have to upload your public key to several of the well
> known public key servers, like hkp://keyserver.ubuntu.com:11371 &
> others, for users to download and use in the file verification
> process.
>
> Many developers now provide signed files & their signing key. Here
> https://ftp.mozilla.org/pub/firefox/releases/56.0/update/linux-x86_64/en-US/,
> you see the signed update files, and the *.asc signature files (of
> same name). Or here
> https://www.torproject.org/download/download-easy.html.en - under the
> D/L buttons, if you right click the (small) "sig" link & "save as",
> you'll see it's an .asc file - same name as the installer file,
> like: tor-browser-linux64-7.0.4_en-US.tar.xz.asc
Thank you for the detailed explanation of all that. Yes, I have heard
about the Equifax hack, and even the company I am working with has to
adapt code or update libraries after that hack (we are also using the
Struts Java framework).
Coming back to your original question: I did some research over the last
days. It turned out that the Makefile.am of the Gnome Commander
project was configured to generate a .tar.bz2 file for distribution.
This file is uploaded to the Gnome server when I provide a new version.
But several years ago the Gnome team decided to only ship .tar.xz files
from their server. That's why they internally convert the
uploaded .tar.bz2 file into a .tar.xz file.
I tried to convert the locally generated .bz2 archive into a .xz one,
but the sizes of my own file and the one from the Gnome server differ.
I suspect that the root cause for this is that I am using different
xz-options than they do on the Gnome server (there are different
compression levels one can use).
I did not search further, but I asked on the Gnome mailing list and they
said that if I upload a .tar.xz archive right from the beginning, they
would use exactly this file for distribution, without any change. Then I
will be able to sign this file as well and provide a signature on the Gnome
Commander homepage.
I will do this after the next release and provide a signature.
Best wishes and thank you for asking this question!
Uwe
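The workflow discussed in this thread, as an added example that is not part of the original exchange or of the Gnome Commander project: a developer detach-signs a release tarball and publishes the .asc beside it, and a user checks both the sha256 checksum and the signature. The script shows why the two checks differ when a mirror has been tampered with. It assumes GnuPG 2.1 or later and GNU coreutils; the key, the user ID, the tarball contents and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: detached GPG signature vs. a plain sha256 checksum, end to end.
# Everything below lives in a throw-away directory with its own keyring.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"   # ephemeral keyring; the real one is never touched
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
TARBALL="$WORK/gnome-commander-1.8.0.tar.xz"   # constructed stand-in, not the real file

# Developer side: create a (demo, passphrase-less) signing key, write the release
# file, publish a detached ASCII-armoured signature and a checksum next to it.
make_release() {
    printf 'constructed release contents\n' > "$TARBALL"
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-gen-key 'Release Demo <demo@example.invalid>' default default never
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --armor --detach-sign --output "$TARBALL.asc" "$TARBALL"
    sha256sum "$TARBALL" > "$TARBALL.sha256sum"
}

# User side, checksum only: succeeds whenever file and checksum agree with each
# other, which they still do if an attacker replaced both on the mirror.
checksum_ok() {
    sha256sum --quiet -c "$TARBALL.sha256sum" >/dev/null 2>&1
}

# User side, signature: succeeds only if the file is unchanged and was signed by
# a key already in our keyring (in practice fetched from a keyserver beforehand).
signature_ok() {
    gpg --batch --quiet --verify "$TARBALL.asc" "$TARBALL" >/dev/null 2>&1
}

# Simulate a compromised mirror: swap the file and regenerate the checksum too.
tamper() {
    printf 'tampered contents\n' > "$TARBALL"
    sha256sum "$TARBALL" > "$TARBALL.sha256sum"
}

# Returns 0 when the demo behaves as expected: the genuine release passes both
# checks, the tampered one still passes the checksum but fails the signature.
demo() {
    make_release
    checksum_ok && signature_ok || return 1
    tamper
    checksum_ok || return 1
    if signature_ok; then return 1; fi
    echo "signature check detected the tampered file; the checksum did not"
}

if [ "${1:-}" = "--run" ]; then demo; fi
```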