Rasmus Dahlberg <rgdd@glasklarteknik.se> writes:
I think a three character extension would be nice. I'm currently considering doing some software release announcements with sigsum proofs for the artifacts, and the verification instructions and filename extension/convention are the primary unclear parts now.
Nice -- what's your timeline to not be blocked?
What would you recommend to write in a release announcement when including Sigsum proofs for release artifacts?
Below is a template announcement for some imaginary software, where I added text about Sigsum. I appreciate everyone's word smithing of the Sigsum-related content. Bonus points if you manage to shorten the text rather than adding text.
These aren't the most user friendly instructions that I've encountered, so please separately consider what you can do to improve tooling to allow more user friendly commands to verify a proof.
Btw, I plan to use my OpenPGP authentication key (i.e., not the signature key) from my Gnuk hardware dongle, exported via GnuPG's SSH agent, for use by sigsum-submit --signing-key to create *.proof. Does anyone see a problem with this? I don't know how to make my OpenPGP signature key from the Gnuk available via the SSH agent easily; has anyone done that? I haven't thought through the flow here. The threat I'm worried about is if some remote SSH server abuses my setup to make me sign some blob that may later be submitted to the Sigsum transparency log as a release signature. Is there sufficient domain context separation happening here? It doesn't feel intuitively safe.
/Simon
...

Here is the GNU inetutils home page:
  https://gnu.org/s/inetutils/

Here are the compressed sources:
  https://ftpmirror.gnu.org/inetutils/inetutils-2.6.tar.gz   (2.9MB)
  https://ftpmirror.gnu.org/inetutils/inetutils-2.6.tar.xz   (1.7MB)

Here are the GPG detached signatures:
  https://ftpmirror.gnu.org/inetutils/inetutils-2.6.tar.gz.sig
  https://ftpmirror.gnu.org/inetutils/inetutils-2.6.tar.xz.sig

Here is the minimal source-only "git archive" sources:
  https://ftpmirror.gnu.org/inetutils/inetutils-v2.6-src.tar.gz   (820kB)

Here are Sigsum Proofs:
  https://ftpmirror.gnu.org/inetutils/inetutils-2.6.tar.gz.proof
  https://ftpmirror.gnu.org/inetutils/inetutils-2.6.tar.xz.proof
  https://ftpmirror.gnu.org/inetutils/inetutils-v2.6-src.tar.gz.proof
Use a mirror for higher download bandwidth: https://www.gnu.org/order/ftp.html
Here are the SHA1 and SHA256 checksums:
  ced45165aeda8a9584d291b81225d86be82e1a90  inetutils-2.6.tar.gz
  gra2UqTds+E0rwII1iW38faAJn3igu5Wau60BvaI+HI=  inetutils-2.6.tar.gz
  a6576bacd408adf93017f44d35608f05c893c5d5  inetutils-2.6.tar.xz
  YuriPIWQhNnJci9Nu+NnddrLnPDbwVXaQ3AEnkl2OCM=  inetutils-2.6.tar.xz
Verify the base64 SHA256 checksum with cksum -a sha256 --check from coreutils-9.2 or OpenBSD's cksum since 2007.
Use a .sig file to verify that the corresponding file (without the .sig suffix) is intact. First, be sure to download both the .sig file and the corresponding tarball. Then, run a command like this:
gpg --verify inetutils-2.6.tar.gz.sig
The signature should match the fingerprint of the following key:
  pub   ed25519 2019-03-20 [SC]
        B1D2 BD13 75BE CB78 4CF4 F8C4 D73C F638 C53C 06BE
  uid   Simon Josefsson <simon@josefsson.org>
If that command fails because you don't have the required public key, or that public key has expired, try the following commands to retrieve or refresh it, and then rerun the 'gpg --verify' command.
gpg --locate-external-key simon@josefsson.org
gpg --recv-keys 51722B08FE4745A2
wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=inetutils&dow...' | gpg --import -
As a last resort to find the key, you can try the official GNU keyring:
  wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg
  gpg --keyring gnu-keyring.gpg --verify inetutils-2.6.tar.gz.sig
Use the .proof file to verify the Sigsum proof. These files are like signatures with extra transparency: you can cryptographically verify that every proof is logged in a public append-only log, so you can say with confidence what signatures exist. This helps to protect against secret (targeted and/or malicious) releases.
Our releases are Sigsum signed with the following public key:
  cat <<EOF > inetutils-sigsum-key.pub
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILzCFcHHrKzVSPDDarZPYqn89H5TPaxwcORgRg+4DagE
  EOF
You may use the following Sigsum verification policy:
  cat <<EOF > inetutils-sigsum-trust-policy.txt
  log 154f49976b59ff09a123675f58cb3e346e0455753c3c3b15d465dcb4f6512b0b https://poc.sigsum.org/jellyfish
  witness poc.sigsum.org/nisse 1c25f8a44c635457e2e391d1efbca7d4c2951a0aef06225a881e46b98962ac6c
  witness rgdd.se/poc-witness 28c92a5a3a054d317c86fc2eeb6a7ab2054d6217100d0be67ded5b74323c5806
  group demo-quorum-rule all poc.sigsum.org/nisse rgdd.se/poc-witness
  quorum demo-quorum-rule
  EOF
Run a command like this to verify downloaded artifacts:
  sigsum-verify -k inetutils-sigsum-key.pub \
    -p inetutils-sigsum-trust-policy.txt \
    inetutils-2.6.tar.gz.proof < inetutils-2.6.tar.gz
You may learn more about Sigsum concepts and find instructions how to download the tools here: https://www.sigsum.org/getting-started/
This release is based on the inetutils git repository, available as
git clone https://git.savannah.gnu.org/git/inetutils.git
with commit 346d839db35faa4beb755edfa3b962c87005fcb5 tagged as v2.6.
For a summary of changes and contributors, see:
https://git.sv.gnu.org/gitweb/?p=inetutils.git;a=shortlog;h=v2.6
or run this command from a git-cloned inetutils directory:
git shortlog v2.5..v2.6
This release was bootstrapped with the following tools:
  Gnulib 2025-01-02 e7d6a9e033ff82d5bd7f001d6d1a17bd6cc9607c
  Autoconf 2.71
  Automake 1.16.5
  Bison 3.8.2
  M4 1.4.19
  Makeinfo 7.1.1
  Help2man 1.49.2
  Make 4.3
  Gzip 1.13
  Tar 1.34
  Guix 831b94a1efcea8f793afc949b5123a6235c9bb1a
NEWS
* Noteworthy changes in release 2.6 (2025-01-07) [stable] ...
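The domain-separation question raised in the message above (an SSH-agent key shared between SSH logins and sigsum-submit) can be checked by comparing the bytes the agent is actually asked to sign in each case. The following is an added example, not code from the message, sigsum-go or GNU inetutils; it assumes Sigsum leaf signatures use OpenSSH's SSHSIG framing (PROTOCOL.sshsig) with the namespace string `sigsum.org/v1/tree-leaf`, and models the SSH userauth blob from RFC 4252 section 7.

```python
import hashlib
import struct

# Assumed Sigsum leaf-signature namespace; not stated in the announcement.
SIGSUM_LEAF_NAMESPACE = b"sigsum.org/v1/tree-leaf"
SSH_MSG_USERAUTH_REQUEST = 50


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def sshsig_signed_data(namespace: bytes, message: bytes) -> bytes:
    """Bytes an agent signs for an ssh-keygen -Y style signature (PROTOCOL.sshsig):
    magic, namespace, reserved (empty), hash algorithm, H(message)."""
    return (b"SSHSIG" + ssh_string(namespace) + ssh_string(b"")
            + ssh_string(b"sha256")
            + ssh_string(hashlib.sha256(message).digest()))


def sigsum_leaf_signed_data(artifact: bytes) -> bytes:
    """What a Sigsum submission asks the agent to sign: the artifact's SHA256
    checksum is the SSHSIG message (assumed framing, see lead-in)."""
    return sshsig_signed_data(SIGSUM_LEAF_NAMESPACE,
                              hashlib.sha256(artifact).digest())


def userauth_signed_data(session_id: bytes, user: bytes, pubkey_blob: bytes) -> bytes:
    """What an SSH server makes the agent sign during public-key authentication
    (RFC 4252 sec. 7). The server controls nothing before the session id."""
    return (ssh_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user) + ssh_string(b"ssh-connection")
            + ssh_string(b"publickey") + b"\x01"
            + ssh_string(b"ssh-ed25519") + ssh_string(pubkey_blob))


def domains_separated(session_id_len: int) -> bool:
    """A userauth blob begins with uint32(len(session_id)); an SSHSIG blob begins
    with b"SSHSIG". They can only coincide if the session id were 0x53534853
    bytes long, whereas a key-exchange hash is 32 or 64 bytes."""
    return struct.pack(">I", session_id_len) != b"SSHS"


if __name__ == "__main__":
    # Constructed sample inputs: a fake artifact and a fake 32-byte session id.
    leaf = sigsum_leaf_signed_data(b"inetutils-2.6.tar.gz contents")
    auth = userauth_signed_data(b"\x11" * 32, b"simon", b"fake-pubkey-blob")
    print(leaf[:6], auth[:4], domains_separated(32))
```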