Bug 99248

Summary: Misuse of PGP signatures
Product: cairo Reporter: felix <felix.von.s>
Component: generalAssignee: Chris Wilson <chris>
Status: RESOLVED MOVED QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: All   
OS: All   
URL: https://www.cairographics.org/releases/
Whiteboard:
i915 platform: i915 features:

Description felix 2017-01-02 13:48:05 UTC 
There are a few issues with the .asc files available in <https://www.cairographics.org/releases/>.

The smaller issue is that they are full signed files, not detached signatures (as is the usual practice). This may sometimes create problems: for example, makepkg from Arch treats all files with .asc and .sig extensions as detached signatures and verifies them automatically. Extracting full signed files is not supported; thus, makepkg can't make use of these files.

The bigger issue is that the signatures they contain are of the SHA-1 sums of packages, not of the packages themselves. SHA-1 is not considered a strong hash function nowadays; moreover, a PGP signature is already basically an encrypted hash, so this practice creates an unnecessary layer of indirection and weakens security guarantees of PGP signing.

In future releases, please create detached signatures of the packages themselves. I figure you'd also want the current latest release to be signed in this way.
Comment 1 GitLab Migration User 2018-08-25 13:53:08 UTC 
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/cairo/cairo/issues/247.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.