On Tue, Jan 07, 2025 at 05:01:42PM +0100, Simon Josefsson wrote:
Rasmus Dahlberg <rgdd@glasklarteknik.se> writes:
I think a three character extension would be nice. I'm currently considering doing some software release announcements with sigsum proofs for the artifacts, and the verification instructions and filename extension/convention are the primary unclear parts now.
Nice -- what's your timeline to not be blocked?
What would you recommend to write in a release announcement when including Sigsum proofs for release artifacts?
Below is a template announcement for some imaginary software, where I added text about Sigsum. I appreciate everyone's wordsmithing of the Sigsum-related content. Bonus points if you manage to shorten the text rather than adding text.
These aren't the most user friendly instructions that I've encountered, so please separately consider what you can do to improve tooling to allow more user friendly commands to verify a proof.
What you have in the current template looks as good as it gets right now! What we discussed so far with Filippo to shrink it:
**Named trust policies.** So that you would only have to say here are my Sigsum key(s) and they should be used with "Debian's trust policy", "the builtin default policy", etc. A key-line might look like this:
sigsum_policy="builtin" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1WpnEswJLPzvXJDiswowy48U+G+G1kmgwUE2eaRHZG
With the idea that it should be possible to specify either the default, or to override it by, e.g., using the policy an apt-package installed.
Or maybe saying nothing implies builtin, and there is a way to override it with the sigsum_policy option as shown above. This is all work in progress ideas that we have yet to hash out (but you might get the idea), so if you have any feedback or related ideas to explore shoot!
But basically, I'd like to not force the very long trust policy blurbs in everyone's READMEs. And to have named trust policies to pick from.
**Better primer page for users.** So, basically something similar to www.so/getting-started; but targeted solely for users that want to use sigsum-verify rather than getting a full demo of the entire system.
We probably also want a primer page that can be linked for the type of verification Sigsum facilitates from a 3rd-party perspective; and we should probably have a separate page dedicated for release-signing. If we had that, you could probably get away with one sentence + link.
(I posted some more in-line comments further down in the template.)
Btw, I plan to use my OpenPGP authentication key (i.e., not the signature key) from my Gnuk hardware dongle, exported via GnuPG's SSH agent, for use by sigsum-submit --signing-key to create *.proof. Does anyone see a problem with this? I don't know how to make my OpenPGP signature key from the Gnuk available via the SSH agent easily; has anyone done that? I haven't thought through the flow here. The threat I'm worried about is if some remote SSH server abuses my setup to make me sign some blob that may later be submitted to the Sigsum transparency log as a release signature. Is there sufficient domain context separation happening here? It doesn't feel intuitively safe.
/Simon
... Here is the GNU inetutils home page: https://gnu.org/s/inetutils/
Here are the compressed sources:
https://ftpmirror.gnu.org/inetutils/inetutils-2.6.tar.gz (2.9MB)
https://ftpmirror.gnu.org/inetutils/inetutils-2.6.tar.xz (1.7MB)
Here are the GPG detached signatures:
https://ftpmirror.gnu.org/inetutils/inetutils-2.6.tar.gz.sig
https://ftpmirror.gnu.org/inetutils/inetutils-2.6.tar.xz.sig
Here are minimal source-only "git archive" sources:
https://ftpmirror.gnu.org/inetutils/inetutils-v2.6-src.tar.gz (820kB)
Here are Sigsum proofs:
https://ftpmirror.gnu.org/inetutils/inetutils-2.6.tar.gz.proof
https://ftpmirror.gnu.org/inetutils/inetutils-2.6.tar.xz.proof
https://ftpmirror.gnu.org/inetutils/inetutils-v2.6-src.tar.gz.proof
Use a mirror for higher download bandwidth: https://www.gnu.org/order/ftp.html
Here are the SHA1 and SHA256 checksums:
ced45165aeda8a9584d291b81225d86be82e1a90  inetutils-2.6.tar.gz
gra2UqTds+E0rwII1iW38faAJn3igu5Wau60BvaI+HI=  inetutils-2.6.tar.gz
a6576bacd408adf93017f44d35608f05c893c5d5  inetutils-2.6.tar.xz
YuriPIWQhNnJci9Nu+NnddrLnPDbwVXaQ3AEnkl2OCM=  inetutils-2.6.tar.xz
Verify the base64 SHA256 checksum with cksum -a sha256 --check from coreutils-9.2 or OpenBSD's cksum since 2007.
Use a .sig file to verify that the corresponding file (without the .sig suffix) is intact. First, be sure to download both the .sig file and the corresponding tarball. Then, run a command like this:
gpg --verify inetutils-2.6.tar.gz.sig
The signature should match the fingerprint of the following key:
pub   ed25519 2019-03-20 [SC]
      B1D2 BD13 75BE CB78 4CF4 F8C4 D73C F638 C53C 06BE
uid   Simon Josefsson <simon@josefsson.org>
If that command fails because you don't have the required public key, or that public key has expired, try the following commands to retrieve or refresh it, and then rerun the 'gpg --verify' command.
gpg --locate-external-key simon@josefsson.org
gpg --recv-keys 51722B08FE4745A2
wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=inetutils&dow...' | gpg --import -
As a last resort to find the key, you can try the official GNU keyring:
wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg
gpg --keyring gnu-keyring.gpg --verify inetutils-2.6.tar.gz.sig
Use the .proof file to verify the Sigsum proof. These files are like signatures with extra transparency: you can cryptographically verify that every proof is logged in a public append-only log, so you can say with confidence what signatures exist. This helps to protect against secret (targeted and/or malicious) releases.
If you want some inspiration for why the above paragraph is true:
https://git.glasklar.is/rgdd/age-release-verify
I'd love to see a similar prototype for your use-case!
Our releases are Sigsum signed with the following public key:
cat <<EOF > inetutils-sigsum-key.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILzCFcHHrKzVSPDDarZPYqn89H5TPaxwcORgRg+4DagE
EOF
You may use the following Sigsum verification policy:
cat <<EOF > inetutils-sigsum-trust-policy.txt
log 154f49976b59ff09a123675f58cb3e346e0455753c3c3b15d465dcb4f6512b0b https://poc.sigsum.org/jellyfish
Jellyfish is a prototype log -- I'd recommend that you use seasalp, Glasklar's production log. See https://www.sigsum.org/services/.
witness poc.sigsum.org/nisse 1c25f8a44c635457e2e391d1efbca7d4c2951a0aef06225a881e46b98962ac6c
witness rgdd.se/poc-witness 28c92a5a3a054d317c86fc2eeb6a7ab2054d6217100d0be67ded5b74323c5806
These test/prototype witnesses are not available for seasalp. Glasklar isn't running a stable witness yet (ln5 is working on fixing that in the coming weeks; I'm also told a few other organizations are looking to start running witnesses). The witness cosignatures that you see on
https://seasalp.glasklar.is/get-tree-head
are all from Google TrustFabric's witness which runs from 15 different vantage points. I'd suggest using a majority policy (8/15 cosignatures). Such a policy for seasalp would look like this:
log 0ec7e16843119b120377a73913ac6acbc2d03d82432e2c36b841b09a95841f25 https://seasalp.glasklar.is
witness ArmoredWitness-falling-pond 54c4862caba4ef942fe1abc6afb65d63cba0a55d3e6313ff59154b8586d882e2
witness ArmoredWitness-weathered-rain 62db94aa7926e8b2ae0461e9ebf69cd2795c077eb1cfe63360f61d6fdbe1de52
witness ArmoredWitness-wispy-wood 456f659e0b0efa658e3a2895e2775a7c6754ae09d5842241bb603d649517068f
witness ArmoredWitness-small-breeze 00166295237c618f42258e82deac2d66a9d0ff6b54e7be39fbb6b8d65b3b8143
witness ArmoredWitness-quiet-wood 9b71799be731b15fe9b54f37cd6f22f9499d3e3309dabcb588bf82e234844913
witness ArmoredWitness-morning-darkness 7ba003654674398b62dd70ab369a3f750a48670354d66f79125827514a0b9fbd
witness ArmoredWitness-shy-wind 198bed2687bcf60fc246eae3583f2a9764287ece65aa1aa9f2b6b04a1628be1d
witness ArmoredWitness-hidden-river dae934c7cc1f45ba898a3dfe1265d492a6c58405ddec143fc16f84a0f588e3a5
witness ArmoredWitness-autumn-wood eb085426da77b81b534ec99c0e987d90f4aa0e01d5cf31178212767b7dbe38a9
witness ArmoredWitness-snowy-sound 0b85b9d46ccbd1cfa78a19b04f8fc4359538390c9d82675e89d2433217aaad50
witness ArmoredWitness-throbbing-bird 98149a5d739b3baa777128f617531ce8b654d24502a7e151244cc5b7597667bc
witness ArmoredWitness-rough-wind ea31934afb8632958de2fb37dd9bfabb8dc7961dea67a6ae4c57f1a1ca26eef7
witness ArmoredWitness-dry-sunset 03f38be7ab7f1081be393a9e69dd594d9a184a0eef36b0a1ab6f7a7f05beffc3
witness ArmoredWitness-nameless-firefly 075189980cc1388fa8686c7432028812de3182e257e219463f7cf28d49d573dd
witness ArmoredWitness-floral-sky e90299398a4d39d030da888a0923ecf16786881ac12243db73c9f0cf2a2d80e6
group GoogleTrustFabric 8 ArmoredWitness-falling-pond ArmoredWitness-weathered-rain ArmoredWitness-wispy-wood ArmoredWitness-small-breeze ArmoredWitness-quiet-wood ArmoredWitness-morning-darkness ArmoredWitness-shy-wind ArmoredWitness-hidden-river ArmoredWitness-autumn-wood ArmoredWitness-snowy-sound ArmoredWitness-throbbing-bird ArmoredWitness-rough-wind ArmoredWitness-dry-sunset ArmoredWitness-nameless-firefly ArmoredWitness-floral-sky
quorum GoogleTrustFabric
This is not listed on www.sigsum.org yet. For the script I ran and did a bit of cut-and-paste from to extract the appropriate public keys, see:
https://www.rgdd.se/volatile/aw-config
-Rasmus
group demo-quorum-rule all poc.sigsum.org/nisse rgdd.se/poc-witness
quorum demo-quorum-rule
EOF
Run a command like this to verify downloaded artifacts:
sigsum-verify -k inetutils-sigsum-key.pub \
  -p inetutils-sigsum-trust-policy.txt \
  inetutils-2.6.tar.gz.proof < inetutils-2.6.tar.gz
You may learn more about Sigsum concepts and find instructions how to download the tools here: https://www.sigsum.org/getting-started/
This release is based on the inetutils git repository, available as
git clone https://git.savannah.gnu.org/git/inetutils.git
with commit 346d839db35faa4beb755edfa3b962c87005fcb5 tagged as v2.6.
For a summary of changes and contributors, see:
https://git.sv.gnu.org/gitweb/?p=inetutils.git;a=shortlog;h=v2.6
or run this command from a git-cloned inetutils directory:
git shortlog v2.5..v2.6
This release was bootstrapped with the following tools:
Gnulib 2025-01-02 e7d6a9e033ff82d5bd7f001d6d1a17bd6cc9607c
Autoconf 2.71
Automake 1.16.5
Bison 3.8.2
M4 1.4.19
Makeinfo 7.1.1
Help2man 1.49.2
Make 4.3
Gzip 1.13
Tar 1.34
Guix 831b94a1efcea8f793afc949b5123a6235c9bb1a
NEWS
- Noteworthy changes in release 2.6 (2025-01-07) [stable]
...
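As an added illustration, separate from the thread above and from the sigsum tooling itself, the following Python shows how a trust policy of the kind quoted in the thread (log, witness, group and quorum lines, with a threshold such as the 8-of-15 majority rule for seasalp) can be parsed and then evaluated against the set of witnesses that actually cosigned a tree head. The sample policy is constructed for the example: it reuses the seasalp log line and three of the fifteen ArmoredWitness entries from the thread with a made-up 2-of-3 group name, and the grammar handled is only the subset visible in the thread plus an assumed "any" threshold keyword; the real sigsum-verify grammar and semantics may differ.

```python
"""Parse a Sigsum-style trust policy and evaluate its quorum rule.

Added illustration for the policy discussion in this thread; this is not
the sigsum-verify implementation.  The grammar handled is the subset that
appears in the thread (log, witness, group, quorum lines) plus the assumed
"any" threshold keyword; the real tool's grammar may differ.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample policy: the seasalp log line and three of the fifteen
# ArmoredWitness entries quoted in the thread, with a 2-of-3 group standing
# in for the 8-of-15 majority rule.  The group name is made up.
SAMPLE_POLICY = """\
log 0ec7e16843119b120377a73913ac6acbc2d03d82432e2c36b841b09a95841f25 https://seasalp.glasklar.is
witness ArmoredWitness-falling-pond 54c4862caba4ef942fe1abc6afb65d63cba0a55d3e6313ff59154b8586d882e2
witness ArmoredWitness-weathered-rain 62db94aa7926e8b2ae0461e9ebf69cd2795c077eb1cfe63360f61d6fdbe1de52
witness ArmoredWitness-wispy-wood 456f659e0b0efa658e3a2895e2775a7c6754ae09d5842241bb603d649517068f
group sample-majority 2 ArmoredWitness-falling-pond ArmoredWitness-weathered-rain ArmoredWitness-wispy-wood
quorum sample-majority
"""


@dataclass
class Policy:
    logs: Dict[str, str] = field(default_factory=dict)        # key hash -> URL
    witnesses: Dict[str, str] = field(default_factory=dict)   # name -> key hash
    groups: Dict[str, Tuple[int, List[str]]] = field(default_factory=dict)
    quorum: str = ""


def parse_policy(text: str) -> Policy:
    """Parse policy text; rejects unknown directives, duplicate names,
    groups that reference undefined members, and a missing quorum."""
    p = Policy()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' comments are an assumption
        if not line:
            continue
        kind, *args = line.split()
        if kind == "log":
            if not args:
                raise ValueError(f"line {lineno}: log needs a key hash")
            p.logs[args[0].lower()] = args[1] if len(args) > 1 else ""
        elif kind == "witness":
            if len(args) < 2:
                raise ValueError(f"line {lineno}: witness needs name and key hash")
            name, keyhash = args[0], args[1].lower()
            if name in p.witnesses or name in p.groups:
                raise ValueError(f"line {lineno}: duplicate name {name}")
            p.witnesses[name] = keyhash
        elif kind == "group":
            if len(args) < 3:
                raise ValueError(f"line {lineno}: group needs name, threshold, members")
            name, threshold, members = args[0], args[1], args[2:]
            if name in p.witnesses or name in p.groups:
                raise ValueError(f"line {lineno}: duplicate name {name}")
            # Members must already be defined, so group nesting is acyclic.
            for m in members:
                if m not in p.witnesses and m not in p.groups:
                    raise ValueError(f"line {lineno}: unknown member {m}")
            if threshold == "all":
                n = len(members)
            elif threshold == "any":
                n = 1
            elif threshold.isdigit():
                n = int(threshold)
            else:
                raise ValueError(f"line {lineno}: bad threshold {threshold}")
            if not 1 <= n <= len(members):
                raise ValueError(f"line {lineno}: threshold {n} out of range")
            p.groups[name] = (n, members)
        elif kind == "quorum":
            if len(args) != 1 or p.quorum:
                raise ValueError(f"line {lineno}: exactly one quorum line expected")
            p.quorum = args[0]
        else:
            raise ValueError(f"line {lineno}: unknown directive {kind}")
    if not p.quorum:
        raise ValueError("policy has no quorum line")
    if p.quorum not in p.witnesses and p.quorum not in p.groups:
        raise ValueError(f"quorum refers to unknown name {p.quorum}")
    return p


def _satisfied(p: Policy, entity: str, cosigners: Set[str]) -> bool:
    # A witness is satisfied if it cosigned; a group if at least its
    # threshold of members (witnesses or nested groups) is satisfied.
    if entity in p.witnesses:
        return p.witnesses[entity] in cosigners
    n, members = p.groups[entity]
    return sum(_satisfied(p, m, cosigners) for m in members) >= n


def quorum_satisfied(p: Policy, cosigners: Set[str]) -> bool:
    """True if the witnesses whose key hashes are in `cosigners` (those that
    cosigned the tree head) meet the policy's quorum rule."""
    return _satisfied(p, p.quorum, {c.lower() for c in cosigners})


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    one = {policy.witnesses["ArmoredWitness-falling-pond"]}
    two = one | {policy.witnesses["ArmoredWitness-weathered-rain"]}
    print("1 of 3 cosigned:", quorum_satisfied(policy, one))   # False
    print("2 of 3 cosigned:", quorum_satisfied(policy, two))   # True
```

The point of the threshold evaluation is the one made in the thread about a majority policy: a verifier should not treat a tree head as trustworthy unless enough independent witnesses have cosigned it, so a single cosignature from one vantage point (or a cosignature under a key hash that is not in the policy at all) must leave the quorum unmet.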