- Improvement
- Resolution: Unresolved
- Normal
There is no built-in functionality for verifying artifacts using GPG signatures. This could be added to funtoo-metatools.
The tor tarball is GPG-signed. Before the Manifest is generated by the autogen, this signature could be verified (also by the autogen).
- gpg commands: https://support.torproject.org/tbb/how-to-verify-signature/
- list of gpg keys per product (we want tor source tarballs): https://2019.www.torproject.org/include/keys.txt
- umbrella ticket for signing keys: https://trac.torproject.org/projects/tor/ticket/22637
- we want the 6AFEE6D49E92B601 key, owned by Nick Mathewson: https://gitweb.torproject.org/project/web/webwml.git/tree/include/keys.txt
Proof of concept:
wget https://dist.torproject.org/tor-0.4.2.7.tar.gz.asc
wget https://dist.torproject.org/tor-0.4.2.7.tar.gz
gpg --recv-key 6AFEE6D49E92B601
gpg --output ./6AFEE6D49E92B601.gpg --export 0x6AFEE6D49E92B601
gpgv --keyring ./6AFEE6D49E92B601.gpg tor-0.4.2.7.tar.gz.asc tor-0.4.2.7.tar.gz
echo $?
Implementation suggestion:
- store the keyring (6AFEE6D49E92B601.gpg) in files
- tarball signature as an additional artifact
- use gpgv (or a Python-native implementation of GPG verification) before generating the Manifest
- in order to parametrize generate_manifests we can create some standard file like chck_sig.sh / verify_signatures.py, or an additional function in autogen.py; when this file/function is missing, manifests will be generated in the standard way
- throw an error when the signature is invalid
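An added example of what the verification step could look like in Python. This is illustrative code written for this ticket, not funtoo-metatools code; the function names, the status-line parser and the sample gpgv status output are constructed. It shells out to gpgv with the pinned keyring exactly as the proof of concept does, and additionally parses gpgv's --status-fd output so that only a signature from the expected key 6AFEE6D49E92B601 is accepted: gpgv exits 0 for a good signature from any key in the keyring, so the exit code alone does not pin the signer.

```python
"""Verify a GPG-signed source tarball against a pinned keyring before a
Manifest is generated (added example, not funtoo-metatools code).

Assumptions not taken from the ticket: the function names, the
status-line parser and SAMPLE_GOOD_STATUS are constructed here.
"""
import shutil
import subprocess

EXPECTED_KEYID = "6AFEE6D49E92B601"  # long key id named in the ticket

# gpgv status keywords that mean the signature must not be trusted
FAILURE_KEYWORDS = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG")


class SignatureError(Exception):
    """The detached signature did not verify, or was made by an unexpected key."""


def build_gpgv_command(keyring, signature, artifact, status_fd=1):
    """argv for gpgv: only the pinned keyring is consulted, never the user's."""
    return ["gpgv", "--status-fd", str(status_fd), "--keyring", str(keyring),
            str(signature), str(artifact)]


def parse_gpgv_status(status_text, expected_keyid=EXPECTED_KEYID):
    """Interpret gpgv --status-fd output and return the verified long key id.

    Raises SignatureError unless both GOODSIG and VALIDSIG are present and
    belong to `expected_keyid`. A good signature from some *other* key in the
    keyring is rejected too, which is the point of pinning.
    """
    good_keyid = None
    valid_fingerprint = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable noise, not a status line
        fields = line.split()
        keyword, args = fields[1], fields[2:]
        if keyword in FAILURE_KEYWORDS:
            raise SignatureError(f"gpgv reported {keyword}: {' '.join(args)}")
        if keyword == "GOODSIG" and args:
            good_keyid = args[0]
        elif keyword == "VALIDSIG" and args:
            valid_fingerprint = args[0]  # fingerprint of the signing (sub)key
    if good_keyid is None or valid_fingerprint is None:
        raise SignatureError("no GOODSIG/VALIDSIG in gpgv status output")
    want = expected_keyid.upper()
    # For v4 keys the fingerprint ends with the long key id, so both must agree.
    if good_keyid.upper() != want or not valid_fingerprint.upper().endswith(want):
        raise SignatureError(f"signed by {good_keyid}, expected {expected_keyid}")
    return good_keyid


def verify_artifact(keyring, signature, artifact, expected_keyid=EXPECTED_KEYID):
    """Run gpgv and return the signing key id; raise SignatureError otherwise.

    A missing gpgv is an error, not a skip: an unverified Manifest must not be
    produced silently.
    """
    if shutil.which("gpgv") is None:
        raise SignatureError("gpgv is not installed; refusing to generate an unverified Manifest")
    proc = subprocess.run(build_gpgv_command(keyring, signature, artifact),
                          capture_output=True, text=True)
    keyid = parse_gpgv_status(proc.stdout, expected_keyid)  # status lines are on fd 1
    if proc.returncode != 0:
        raise SignatureError(f"gpgv exited {proc.returncode}: {proc.stderr.strip()}")
    return keyid


# Constructed sample of gpgv --status-fd output for a good signature. The
# fingerprints and user id are placeholders, not the real key's values.
SAMPLE_GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 6AFEE6D49E92B601 Nick Mathewson <uid-placeholder>\n"
    "[GNUPG:] VALIDSIG 0000000000000000000000006AFEE6D49E92B601 2020-03-18 "
    "1584532800 0 4 0 1 10 00 " + "0" * 40 + "\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)

if __name__ == "__main__":
    print("verified key:", parse_gpgv_status(SAMPLE_GOOD_STATUS))
    print("command:", " ".join(build_gpgv_command(
        "./6AFEE6D49E92B601.gpg", "tor-0.4.2.7.tar.gz.asc", "tor-0.4.2.7.tar.gz")))
```

In the autogen this would run before generate_manifests, with the keyring shipped in files/ and the .asc fetched as an additional artifact as suggested above; any SignatureError aborts Manifest generation.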