sign release tarballs directly, not their hash files #3293

Closed
thkoch2001 opened this issue Dec 28, 2019 · 2 comments

Comments

@thkoch2001
Contributor

related issues:
#404 Add an OpenPGP signature for every tarball on nixos.org ( @domenkozar )
#17 Sign released Nix tarballs

Nix releases come with a .sha256 hash file and a .asc signature file over the hash file. This seems strange as gpg could directly make a signature over the original file. The latter is expected by Debian packaging tools. It is still possible to package nix for Debian, but verification of the upstream tarball must be done manually with the current release scheme.

Would you mind providing a signature (.asc file) over the tarball itself instead of the hash file?

This has previously been discussed here:
https://lists.debian.org/debian-devel/2019/12/msg00081.html

@zimbatm
Member

zimbatm commented Dec 28, 2019

It seems to work as expected for me:

$ curl -o nix.tar.xz https://nixos.org/releases/nix/nix-2.3.1/nix-2.3.1.tar.xz
$ curl -o nix.tar.xz.asc https://nixos.org/releases/nix/nix-2.3.1/nix-2.3.1.tar.xz.asc
$ gpg2 --verify ./nix.tar.xz.asc 
gpg: assuming signed data in './nix.tar.xz'
gpg: Signature made Thu 10 Oct 2019 04:06:58 PM CEST
gpg:                using RSA key B541D55301270E0BCF15CA5D8170B4726D7198DE
gpg: Good signature from "Eelco Dolstra <[email protected]>" [unknown]
gpg:                 aka "Eelco Dolstra <[email protected]>" [unknown]
gpg:                 aka "Eelco Dolstra <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B541 D553 0127 0E0B CF15  CA5D 8170 B472 6D71 98DE

@edolstra
Member

Indeed, the signature is over the tarball, not the hash. You can see the signature generation here:

use File::Slurp qw(write_file);   # provides write_file()

# $releaseDir, $dstName, $srcFile, $buildInfo and $productNr come from the
# surrounding release script (one iteration per Hydra build product).
my $dstFile = "$releaseDir/" . $dstName;
if (! -e $dstFile) {
    print STDERR "downloading $srcFile to $dstFile...\n";
    system("NIX_REMOTE=https://cache.nixos.org/ nix cat-store '$srcFile' > '$dstFile.tmp'") == 0
        or die "unable to fetch $srcFile\n";
    rename("$dstFile.tmp", $dstFile) or die;
}

# Check the downloaded file against the hash Hydra recorded for the build product.
my $sha256_expected = $buildInfo->{buildproducts}->{$productNr}->{sha256hash} or die;
my $sha256_actual = `nix hash-file --base16 --type sha256 '$dstFile'`;
chomp $sha256_actual;
if ($sha256_expected ne $sha256_actual) {
    print STDERR "file $dstFile is corrupt, got $sha256_actual, expected $sha256_expected\n";
    exit 1;
}

# The .sha256 file is informational; the detached signature is made over the tarball itself.
write_file("$dstFile.sha256", $sha256_expected);
if (! -e "$dstFile.asc") {
    system("gpg2 --detach-sign --armor '$dstFile'") == 0 or die "unable to sign $dstFile\n";
}

You can ignore the .sha256 file, it's not needed for verifying the GPG signature.

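The following is an added example, not code from this thread or from the Nix release scripts. It reproduces the release side described above (a detached, armored signature over the tarball itself plus an informational .sha256 file) with a throwaway key, and then shows the verification a downstream packager should do. It goes one step beyond zimbatm's session: the "WARNING: This key is not certified" line in that output does not change gpg's exit status, so the example pins the expected primary key fingerprint rather than trusting a zero exit code. Assumptions: gpg2 or gpg (version 2.1 or later) on PATH, plus mktemp, awk and sha256sum or shasum; the key, the fingerprint, the file contents and the name "Example Release Key" are all constructed here and are not Nix's.

```shell
#!/bin/sh
# Added example, not the Nix release script: sign a stand-in "tarball" the way
# the thread describes (detached, armored signature over the tarball itself,
# plus an informational .sha256) and verify it the way a downstream packager
# should. Everything is generated offline in temporary GNUPGHOME directories;
# the key, fingerprint and file contents below are constructed, not Nix's.

GPG=$(command -v gpg2 || command -v gpg) || { echo "gpg not found" >&2; exit 1; }

# Hex SHA-256 of a file, with a fallback for systems without coreutils.
sha256_of() {
    (sha256sum "$1" 2>/dev/null || shasum -a 256 "$1") | awk '{ print $1 }'
}

# verify_release TARBALL SIG EXPECTED_PRIMARY_FPR
# Succeeds only if SIG is a valid detached signature over TARBALL and the
# primary key fingerprint gpg reports equals EXPECTED_PRIMARY_FPR. gpg's own
# exit status is deliberately not trusted: it is 0 even for an uncertified key.
verify_release() {
    tarball=$1; sig=$2; expected=$3
    # Name the data file explicitly instead of relying on gpg's
    # "assuming signed data in ..." guess derived from the .asc file name.
    # With --status-fd, VALIDSIG is printed only for a good signature and its
    # last field is the primary key fingerprint, even for subkey signatures.
    got=$("$GPG" --homedir "$VERIFIER_HOME" --batch --status-fd 1 \
            --verify "$sig" "$tarball" 2>/dev/null \
          | awk '/^\[GNUPG:\] VALIDSIG/ { print $NF; exit }')
    [ -n "$got" ] || { echo "verify: no valid signature over $tarball" >&2; return 1; }
    [ "$got" = "$expected" ] ||
        { echo "verify: signed by $got, expected $expected" >&2; return 1; }
    echo "verify: good signature over $tarball by pinned key $got"
}

# Create the throwaway release and the two keyrings. Sets WORK, SIGNER_HOME,
# VERIFIER_HOME, TARBALL and FPR as globals for the demo below.
setup_demo() {
    WORK=$(mktemp -d)
    SIGNER_HOME=$WORK/signer.gnupg
    VERIFIER_HOME=$WORK/verifier.gnupg
    mkdir -m 700 "$SIGNER_HOME" "$VERIFIER_HOME"
    TARBALL=$WORK/example-1.0.tar.xz
    # Constructed stand-in for a release tarball; the bytes do not matter.
    printf 'constructed release payload, not a real archive\n' > "$TARBALL"

    # Release side: generate a key, sign the tarball, write the hash file.
    "$GPG" --homedir "$SIGNER_HOME" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-gen-key 'Example Release Key <[email protected]>' \
        default default never 2>/dev/null
    FPR=$("$GPG" --homedir "$SIGNER_HOME" --with-colons --list-keys 2>/dev/null \
          | awk -F: '/^fpr:/ { print $10; exit }')
    "$GPG" --homedir "$SIGNER_HOME" --batch --detach-sign --armor "$TARBALL"  # writes $TARBALL.asc
    sha256_of "$TARBALL" > "$TARBALL.sha256"

    # Packager side: a separate keyring holding only the public key. gpg will
    # warn that the key is "not certified", which is why the caller pins FPR.
    "$GPG" --homedir "$SIGNER_HOME" --batch --armor --export "$FPR" \
        | "$GPG" --homedir "$VERIFIER_HOME" --batch --quiet --import 2>/dev/null
    echo "release at $TARBALL, signing key $FPR"
}

setup_demo
verify_release "$TARBALL" "$TARBALL.asc" "$FPR"

# A modified copy must fail: the signature covers the tarball bytes, so the
# .sha256 file adds nothing to the verification.
cp "$TARBALL" "$WORK/tampered.tar.xz"
printf 'x' >> "$WORK/tampered.tar.xz"
verify_release "$WORK/tampered.tar.xz" "$TARBALL.asc" "$FPR" && exit 1

# A good signature by the wrong key must fail too; this is the check that
# gpg's exit status alone does not give you.
verify_release "$TARBALL" "$TARBALL.asc" "0000000000000000000000000000000000000000" && exit 1
echo "demo complete; artifacts left in $WORK"
```

For a real download the packager-side half is what matters: import the upstream public key into a dedicated keyring, pass both the .asc and the tarball to `gpg --verify`, and compare the fingerprint from the VALIDSIG status line against the value published out of band (for Nix, the fingerprint printed in the session above). Debian's uscan-style `pgpsigurlmangle` checks work the same way because the .asc is a detached signature over the tarball, not over the .sha256 file.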