Zandronum Chat @ irc.zandronum.com
#zandronum
Get the latest version: 3.0
Source Code

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0003275Doomseeker[All Projects] Suggestionpublic2017-09-25 16:422018-10-27 22:53
ReporterWubTheCaptain 
Assigned ToBlzut3 
PrioritynormalSeverityfeatureReproducibilityN/A
StatusclosedResolutionfixed 
PlatformOSOS Version
Product Version 
Target Version1.2Fixed in Version1.2 
Summary0003275: Sign tarball releases with OpenPGP keys
DescriptionPlease sign tarball releases of Doomseeker, its plugins and libwadseeker with OpenPGP keys. This is used for cryptographic integrity verification.

For an additional benefit, this would prevent a malicious actor from replacing the downloads with malicious versions undetected without also possessing the private key to sign the releases.

Debian also makes a recommendation to sign tarballs in their Upstream Guide.
Steps To ReproduceSignature files should appear at:https://doomseeker.drdteam.org/files/ [^]
Additional Informationhttps://wiki.debian.org/UpstreamGuide#Tarballs [^]

OpenPGP signatures can be created with free software (GnuPG):https://gnupg.org/ [^]
Attached Files

- Relationships
child of 0003279acknowledged List of Debian issues (misc/non-policy) 
child of 0003483resolvedBlzut3 Doomseeker 1.2 release 

-  Notes
User avatar (0018406)
WubTheCaptain (developer)
2017-09-27 22:55
edited on: 2017-09-27 23:03

From a Debian maintainer's perspective, OpenPGP signatures are optionally used for quality control and maintenance with the uscan utility. Emphasis that this is completely optional to both the software and Debian maintainer. (Debian Policy Manual v4.1.0.0, section 4.11.)

User avatar (0019474)
WubTheCaptain (developer)
2018-09-01 12:16

Can this be a target for 1.2? I'd like to know if 0003483 should be related to this ticket.
User avatar (0019699)
Blzut3 (administrator)
2018-09-24 02:05

Captured generation of signatures inhttps://bitbucket.org/Doomseeker/doomseeker/commits/9c0b8812f164a752f2cbbff7c6c68394c704355d [^]
User avatar (0020014)
WubTheCaptain (developer)
2018-10-08 11:18

I'm not sure how one is supposed to test this.
User avatar (0020032)
Blzut3 (administrator)
2018-10-08 20:58

Pretty much why I only tagged it as needs review. If the script spits out signature files in the format you expect (obviously with your key instead of mine) then that's enough to say this ticket is resolved.
User avatar (0020041)
WubTheCaptain (developer)
2018-10-08 21:54

I mean, the script itself doesn't provide any description of usage. I also can't read bash well, my expertise goes to POSIX sh scripts. What the heck is "Arg:7" and where/what are the args 3–6?
User avatar (0020043)
WubTheCaptain (developer)
2018-10-08 22:36

It took me a lot of guesswork from reading the lines the usage is `./makesourcepackages.sh --sign=$fingerprint`, where $fingerprint is one of GnuPG key fingerprints. This is counter-intuitive in many ways (contradicting POSIX?).

Because I can't read the script with immediate clarity anyway, it'd not pass my code review but I'd kindly request a rewrite. I'm not going to do that myself, not yet at least.

I still have no idea how the script works. But it does.
User avatar (0020044)
WubTheCaptain (developer)
2018-10-08 22:41
edited on: 2018-10-09 10:20

Quote from WubTheCaptain
I still have no idea how the script works. But it does.


Badly, if I may add. Doing the slow process of getting stuff ready before attempting signing, only to possibly error and bail out late that the key was incorrect (e.g., expired). Frustrated me at least.

User avatar (0020045)
Blzut3 (administrator)
2018-10-08 23:28

I have no idea how you can't follow that script. I don't use gpg much so honestly I don't know anything about selecting keys besides that it's done with -u. But I only have one key so I just use `--sign` and be done with it. I wanted to have it show the key it was going to use, but I couldn't figure out how to have gpg just give the fingerprint of the default key. (I can easily find how to list all keys and how to set the default, but how to see the default I gave up on.)

"${Arg:7}" is a substring. See bash man page.

Anyways the first thing it does (line 117) is extract the versions from the CMake files. This is done by running CMake in script mode including the version definitions and having it print out the result. Nothing fancy here just using the correct tool to parse the file. Unfortunately CMake always writes to stderr so that's a little ugly. Once it has those it strips the beta tag off it using bash suffix removal of ~ and everything following.

Next we use Mercurial to create a directory with the committed code ready for archiving. This prevents working copy changes from polluting the release.

Heading into the create_vcs_info call: A build directory is setup and the revesion_check target is built and run in order to generate the gitinfo.h. This works since update revision modifies the source tree which previously caused builds to be non-reproducible. But since we build it here it's baked into the source tarball and not touched when the end user builds the release.

We are now done with the magic and head into the most straight forward code ever: Creating two tar balls. I use tar piped into xz since I'm too lazy to figure out how to have tar do it with maximum compression. Plus it's more portable like that I guess.

Lastly, if the --sign option was given sign_archive will generate gpg signatures. If this fails then it's the same as if you called no-sign except that you'll get an error in the return code.

So which part of this was hard to read? "I don't understand the language you wrote it in" is not a valid reason to rewrite.
User avatar (0020049)
WubTheCaptain (developer)
2018-10-09 10:24
edited on: 2018-10-09 10:25

It is all so unconventional and non-portable, that is all.


Issue Community Support
This issue is already marked as resolved.
If you feel that is not the case, please reopen it and explain why.
Supporters: No one explicitly supports this issue yet.
Opponents: No one explicitly opposes this issue yet.

- Issue History
Date Modified Username Field Change
2017-09-25 16:42 WubTheCaptain New Issue
2017-09-25 17:37 Zalewa Relationship added child of 0003246
2017-09-27 22:32 WubTheCaptain Relationship added child of 0003279
2017-09-27 22:32 WubTheCaptain Relationship deleted child of 0003246
2017-09-27 22:55 WubTheCaptain Note Added: 0018406
2017-09-27 22:56 WubTheCaptain Note Edited: 0018406 View Revisions
2017-09-27 22:56 WubTheCaptain Note Edited: 0018406 View Revisions
2017-09-27 23:03 WubTheCaptain Note Edited: 0018406 View Revisions
2018-09-01 12:16 WubTheCaptain Note Added: 0019474
2018-09-24 01:14 Blzut3 Target Version => 1.2
2018-09-24 01:15 Blzut3 Assigned To => Blzut3
2018-09-24 01:15 Blzut3 Status new => assigned
2018-09-24 01:15 Blzut3 Relationship added related to 0003483
2018-09-24 02:05 Blzut3 Note Added: 0019699
2018-09-24 02:05 Blzut3 Status assigned => needs review
2018-10-01 03:34 WubTheCaptain Status needs review => needs testing
2018-10-01 04:05 WubTheCaptain Relationship replaced child of 0003483
2018-10-06 09:02 WubTheCaptain Priority high => normal
2018-10-08 11:18 WubTheCaptain Note Added: 0020014
2018-10-08 20:58 Blzut3 Note Added: 0020032
2018-10-08 21:54 WubTheCaptain Note Added: 0020041
2018-10-08 22:36 WubTheCaptain Note Added: 0020043
2018-10-08 22:41 WubTheCaptain Note Added: 0020044
2018-10-08 23:28 Blzut3 Note Added: 0020045
2018-10-09 10:20 WubTheCaptain Note Edited: 0020044 View Revisions
2018-10-09 10:24 WubTheCaptain Note Added: 0020049
2018-10-09 10:24 WubTheCaptain Status needs testing => resolved
2018-10-09 10:24 WubTheCaptain Fixed in Version => 1.2
2018-10-09 10:24 WubTheCaptain Resolution open => fixed
2018-10-09 10:25 WubTheCaptain Note Edited: 0020049 View Revisions
2018-10-27 22:53 WubTheCaptain Status resolved => closed






Questions or other issues? Contact Us.

Links


Copyright © 2000 - 2018 MantisBT Team
Powered by Mantis Bugtracker