GNU bug report logs - #55666
enhancement request - SHA-256 for emacs downloads
Reported by: Ali Elshishini <shishini <at> outlook.com>
Date: Thu, 26 May 2022 20:27:02 UTC
Severity: wishlist
Tags: wontfix
Done: Lars Ingebrigtsen <larsi <at> gnus.org>
Bug is archived. No further changes may be made.
Hi Eli,
Thanks for pointing out the announcement email.
Unfortunately it doesn't include the SHA hashes for the Windows files.
Also, when verifying the signature on Windows, I am not sure if this is the expected output;
to me it looks like it failed.
From the command line:
PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --keyserver keyserver.ubuntu.com --recv-keys 17E90D521672C04631B1183EE78DAE0F3115E06B
gpg: key E78DAE0F3115E06B: "Eli Zaretskii <eliz <at> gnu.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --verify .\emacs-28.1.zip.sig
gpg: assuming signed data in '.\emacs-28.1.zip'
gpg: Signature made 2022-04-21 4:11:30 PM Eastern Daylight Time
gpg: using RSA key ECE77CF417C76C1ACFCE7C2B5B6135511580F007
gpg: Can't check signature: No public key
PS C:\downloads>
From the UI: [inline image]
I think adding the SHA hashes somewhere remains a valuable addition;
using and verifying signatures on Windows is more complicated than it needs to be.
Regards,
Ali
________________________________
From: Eli Zaretskii <eliz <at> gnu.org>
Sent: May 27, 2022 8:28 AM
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: shishini <at> outlook.com <shishini <at> outlook.com>; 55666 <at> debbugs.gnu.org <55666 <at> debbugs.gnu.org>
Subject: Re: bug#55666: enhancement request - SHA-256 for emacs downloads
> Cc: 55666 <at> debbugs.gnu.org
> From: Lars Ingebrigtsen <larsi <at> gnus.org>
> Date: Fri, 27 May 2022 12:59:25 +0200
>
> Ali Elshishini <shishini <at> outlook.com> writes:
>
> > May you please include a list of SHA-256 hashes for the downloads in
> > https://www.gnu.org/software/emacs/download.html
> >
> > This will provide an easy and secure way to verify downloads
> > Please note that the experience of verifying the signature on Windows is very poor,
> > and for me at least it ended up with the file not being verified because of a missing
> > public key
> >
> > A SHA-256 hash will be a simple solution
>
> That would require people to edit that web page every time they generate
> a package, which would be error prone and require too much work of the
> people who build the packages.
>
> The packages are signed, which I think should be more than sufficient,
> so I'm closing this bug report.
In addition, one can find the SHA values in the announcements made on
info-gnu-emacs. Here's the one about Emacs 28.1:
https://lists.gnu.org/archive/html/info-gnu-emacs/2022-04/msg00000.html
You can similarly search for announcements of the older releases.
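
In the gpg session above, the key fetched with --recv-keys (17E90D52...3115E06B) is not the key the signature names (ECE77CF4...1580F007), which is what "No public key" reports. The following PowerShell is an added example, not part of the thread: it reads the signing key out of the gpg output quoted above, compares it with the imported fingerprint, and shows the SHA-256 comparison the request asks for, run on a constructed file. The function names and the sample file are assumptions.

```powershell
# Added example, not from the thread. Function names are hypothetical.

function Get-SigningKey {
    param([string[]]$GpgOutput)
    # `gpg --verify` prints "using <ALGO> key <key ID or fingerprint>".
    foreach ($line in $GpgOutput) {
        if ($line -match 'using \w+ key ([0-9A-Fa-f]{16,40})') {
            return $Matches[1].ToUpperInvariant()
        }
    }
    return $null
}

function Test-KeyImported {
    param([string]$SigningKey, [string[]]$ImportedFingerprints)
    # gpg may print a 16-hex key ID or a 40-hex fingerprint, so compare suffixes.
    foreach ($fpr in $ImportedFingerprints) {
        if ($fpr.ToUpperInvariant().EndsWith($SigningKey)) { return $true }
    }
    return $false
}

function Test-Sha256 {
    param([string]$Path, [string]$Expected)
    $actual = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
    return $actual -eq ($Expected -replace '\s', '')   # -eq ignores case
}

# gpg output and fingerprint copied from the session quoted in this message.
$verifyOutput = @(
    "gpg: Signature made 2022-04-21 4:11:30 PM Eastern Daylight Time",
    "gpg: using RSA key ECE77CF417C76C1ACFCE7C2B5B6135511580F007",
    "gpg: Can't check signature: No public key"
)
$imported = @('17E90D521672C04631B1183EE78DAE0F3115E06B')

$signer = Get-SigningKey $verifyOutput
if ($signer -and -not (Test-KeyImported $signer $imported)) {
    "Signature names key $signer; imported: $($imported -join ', ')"
    "gpg cannot check the signature until that key is in the keyring."
}

# SHA-256 comparison on a constructed file (the bytes 'abc'), not an Emacs download.
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'sha256-demo.bin'
[IO.File]::WriteAllBytes($tmp, [Text.Encoding]::ASCII.GetBytes('abc'))
$published = 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad'
"SHA-256 matches published value: $(Test-Sha256 $tmp $published)"
Remove-Item $tmp
```

For a real download, pass the path of the downloaded file and the hash copied from the release announcement to Test-Sha256.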
This bug report was last modified 2 years and 359 days ago.