GNU bug report logs - #47634
Accompany .asc and .DIGESTS keys for the ISO

Previous Next

Package: guix;

Reported by: bo0od <bo0od <at> riseup.net>

Date: Wed, 7 Apr 2021 05:43:01 UTC

Severity: normal

Tags: wontfix

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

Message #20 received at submit <at> debbugs.gnu.org (full text, mbox):

From: bo0od <bo0od <at> riseup.net>
To: Carlo Zancanaro <carlo <at> zancanaro.id.au>, bug-guix <at> gnu.org,
 Leo Famulari <leo <at> famulari.name>
Cc: 47634 <at> debbugs.gnu.org
Subject: Re: bug#47634: Accompany .asc and .DIGESTS keys for the ISO
Date: Fri, 9 Apr 2021 22:17:47 +0000

> Which implies that the signatures are sufficient, right?

Well this is simple question but the answer is sorta deeper, So i will 
answer with yes and no:

yes signatures are sufficient but signatures with PGP has problems, In 
the suggestion above i didnt suggest to diverse the signing methods 
(like for example using signify alongside with gpg) but just adding 
extra steps better than one (more convenience to say that everything is 
going smoothly).

To understand what im talking about i suggest to read:

Why PGP on expiration time:

https://www.whonix.org/wiki/OpenPGP#Issues_with_PGP

Discussion which might consider deprecate the usage of PGP by debian:

https://wiki.debian.org/Teams/Apt/Spec/AptSign

Whonix already using signify alongside with PGP:

https://www.whonix.org/wiki/Signify

Also there are challenges to the concept itself:

https://www.whonix.org/wiki/Verifying_Software_Signatures#Conceptual_Challenges_in_Digital_Signatures_Verification



So I hope by complete reading that you will come to the conclusion that 
either provide as much as possible from extra verification (like 
.asc,DIGESTS,SHA512...etc) or provide alternative verification along 
side with the traditional one like using signify or using something like 
signify and thats it. (i think providing both methods like pgp/signify 
is the best way which suits everybody)




> 
> 
> On 9 April 2021 3:34:20 am AEST, bo0od <bo0od <at> riseup.net> wrote:
>> This is nicely written by Qubes documentation:
>>
>> https://www.qubes-os.org/security/verifying-signatures/
> 
>  From that page:
> 
>> If you’ve already verified the signatures on the ISO directly, then verifying digests is not necessary.
> 
> Which implies that the signatures are sufficient, right?
> 
> What is the benefit to providing the key (.asc) and hashes (.DIGESTS)? The page you linked provides rationale for providing and checking digital signatures, but we already provide them.
> 
> Carlo
>
This bug report was last modified 4 years and 39 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.