Can't verify tarball

[bhepple]

Hi Jeremy,

Your friendly local Fedora packager here.

I'm having problems with verifying the 1.3.0 tarball:

$ gpg2 --keyring=$PWD/6A6B35DBE9442683.gpg --verify swappy-1.3.0.tar.gz.sig swappy-1.3.0.tar.gz
gpg: Signature made Thu 18 Feb 2021 11:57:39 AEST
gpg: using RSA key F44D05A50F6C9EB5C81BCF966A6B35DBE9442683
gpg: BAD signature from "Jeremy Attali [email protected]" [unknown]

I notice that the 1.3.0 release does not have a 'Verified' button next to it (1.2.0 does have that button and it points to public key 6A6B35DBE9442683

Am I using the right public key?

Thanks

[jtheoof]

Hi Bob,

It's weird,

This is what I get when I verify myself. Maybe I messed up somewhere. I'll double check.

~/dev/jtheoof/swappy/release master
❯ gpg2 --verify swappy-1.3.0.tar.gz.sig swappy-1.3.0.tar.gz
gpg: Signature made Wed 17 Feb 2021 08:57:39 PM EST
gpg:                using RSA key F44D05A50F6C9EB5C81BCF966A6B35DBE9442683
gpg: Good signature from "Jeremy Attali <[email protected]>" [ultimate]

~/dev/jtheoof/swappy/release master
❯ gpg2 --verify swappy-1.3.0.zip.sig swappy-1.3.0.zip
gpg: Signature made Wed 17 Feb 2021 08:57:39 PM EST
gpg:                using RSA key F44D05A50F6C9EB5C81BCF966A6B35DBE9442683
gpg: Good signature from "Jeremy Attali <[email protected]>" [ultimate]

[jtheoof]

@bhepple I've released a new version 1.3.1 with a release commit properly signed. Apologies for my mess. Should work for you know. Can you close this issue if that's the case?

[maximbaz]

I have just downloaded the two files from Github release and I still see this issue 😞

$ gpg --verify swappy-1.3.1.tar.gz.sig swappy-1.3.1.tar.gz
gpg: Signature made 2021-02-20T18:58:23 CET
gpg:                using RSA key F44D05A50F6C9EB5C81BCF966A6B35DBE9442683
gpg: BAD signature from "Jeremy Attali <[email protected]>" [unknown]

[jtheoof]

🤔 Very odd, I'll do more digging.

[maximbaz]

For your information, you don't have to actually download tarballs from Github in your script, git is able to make reproducible archives out of tags:

$ cd swappy
$ git archive -o "swappy-1.3.1.tar.gz" --format tar.gz --prefix "swappy-1.3.1/" "v1.3.1"

$ sha256sum swappy-1.3.1.tar.gz ~/Downloads/swappy-1.3.1.tar.gz
215c48b77eebfc2a4de41ce1a4058b5da1bace8455baba743b9142bb0e96afb1  swappy-1.3.1.tar.gz
215c48b77eebfc2a4de41ce1a4058b5da1bace8455baba743b9142bb0e96afb1  /home/maximbaz/Downloads/swappy-1.3.1.tar.gz

So in your script you can simply generate the archive using the command above and sign it.

[jtheoof]

@maximbaz would you know the equivalent for the zip archive by any chance?

> git archive -o "$release_folder/$app_name-$version.zip" --format zip --prefix "$app_name-$version/" "v$version"
> sha256sum swappy-1.3.1.zip ~/Downloads/swappy-1.3.1.zip
792ab9b3ee8d0e04369d502a090bd6d6534d9456ae223ce9d264c3f834375251  swappy-1.3.1.zip
ae2442f9ecc71e31212f784ee2df0ee40eeecc0d74c8f64213950737d04ebc4b  /home/jattali/Downloads/swappy-1.3.1.zip

Both files differ even though content looks OK.

I'm going to add a check in my release script so that this mess doesn't happen again but I'd like to support both zip and tar.gz if possible.

[jtheoof]

@maximbaz @bhepple I figured what was wrong and update my release script. Now I properly verify the remote (Github) content against my local version (thanks to @maximbaz help).

I've dropped support for the zip file signature, there is a slight difference in the compression bits between my local command and the remote version. Hopefully only the tar.gz is used.

I've resubmitted the signature for both 1.3.0 and 1.3.1. Your --verify check should now pass.

Let me know if you still have issue.

[bhepple]

Yep - looks a lot better now, thanks. Only thing is it's a bit leery about your public key. Is it registered anywhere under your email/id?

$ gpg2 --keyring=$PWD/6A6B35DBE9442683.gpg --verify swappy-1.3.1.tar.gz.sig swappy-1.3.1.tar.gz gpg: Signature made Sun 21 Feb 2021 07:08:54 AEST
gpg:                using RSA key F44D05A50F6C9EB5C81BCF966A6B35DBE9442683
gpg: Good signature from "Jeremy Attali <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: F44D 05A5 0F6C 9EB5 C81B  CF96 6A6B 35DB E944 2683

[jtheoof]

My knowledge of gpg key registration is pretty limited. What do I need to do to validate my key under the email address provided?

[bhepple]

Ah! There's the rub. It passeth also my understanding.

[maximbaz]

I confirm the fix as well, thanks @jtheoof!

Regarding the zip, you can use the same git archive command, the problem is that contrary to tar.gz, zip is not reproducible. You can hunt down and fix differences by hand, for example I found somewhere that as of today the difference is in timezone of where the command is executed, so you can reproduce what github is doing like this - but there is no promise that this will not break, as this format is inherently not reproducible right now:

$ TZ=America/Los_Angeles git archive -o "swappy-1.3.1.zip" --format zip --prefix "swappy-1.3.1/" "v1.3.1"

$ sha256sum swappy-1.3.1.zip ~/Downloads/swappy-1.3.1.zip
ae2442f9ecc71e31212f784ee2df0ee40eeecc0d74c8f64213950737d04ebc4b  swappy-1.3.1.zip
ae2442f9ecc71e31212f784ee2df0ee40eeecc0d74c8f64213950737d04ebc4b  /home/maximbaz/Downloads/swappy-1.3.1.zip

I wouldn't do this to be honest, just keep .tar.gz 🙂

Regarding the key, you don't need to validate it against your email, but it would be nice if you could simply put in README something like:

Release tarballs are signed with this PGP key: F44D05A50F6C9EB5C81BCF966A6B35DBE9442683

This will be more than enough for packagers and for people familiar with the concept.

Alternatively if you want to provide some more context for users, here's how I documented this in one of my projects: https://github.com/browserpass/browserpass-native/#install-manually

[jtheoof]

Thanks @maximbaz I'll update the README with your recommendation.