#917 add Minisign/Signify source verification documentation
Opened 11 months ago by fkooman. Modified 11 months ago
fkooman/packaging-committee minisign-source-verification  into  master

@@ -121,7 +121,7 @@ 

  

  == Source File Verification

  

- Where the upstream project publishes OpenPGP signatures of their releases,

+ Where the upstream project publishes OpenPGP or Minisign/Signify signatures of their releases,

  Fedora packages *SHOULD* verify that signature as part of the RPM build process.

  

  Although a checksum in the sources file certifies that a file retreived from the lookaside cache is the one that the packager uploaded,

@@ -131,12 +131,13 @@ 

  

  === Obtaining the Correct Keys

  

- The verification method requires an OpenPGP keyring file

+ For OpenPGP the verification method requires an OpenPGP keyring file

  with one or more public keys from the upstream project.

  The keyring shall contain all the keys that are trusted to certify the authenticity of the sources,

- and *MUST NOT* contain any other keys.

+ and *MUST NOT* contain any other keys. For Minisign/Signify the public key of

+ the signer is required.

  

- Ideally the upstream project publishes such a keyring as a downloadable file.

+ Ideally the upstream project publishes such a keyring or public key as a downloadable file.

  You shall download that file

  and do everything you reasonably can to verify that it is authentic.

  Then you shall add it unmodified to the package SCM,

@@ -154,17 +155,18 @@ 

  When source file verification is done,

  it *MUST* be done first in the `%prep` section of the spec file,

  before any potentially compromised code is executed.

- The verification *MUST* be done with the macro `+%{gpgverify}+`,

+ For PGP the verification *MUST* be done with the macro `+%{gpgverify}+`,

  which expands into a command

  whose parameters shall be the pathnames of the keyring, the signature and the signed file.

- `BuildRequires: gnupg2` is necessary for the verification to work.

+ `BuildRequires: gnupg2` is necessary for the verification to work. For Minisign/Signify 

+ signatures, `BuildRequires: minisign` is required.

  

  Any detached signature file

- (e.g. foo.tar.gz.asc or foo.tar.gz.sig)

+ (e.g. foo.tar.gz.asc, foo.tar.gz.sig, foo.tar.gz.minisig)

  must be uploaded to the package lookaside cache alongside the source code,

  while the keyring must be committed directly to the package SCM.

  

- The following format must be used:

+ The following format must be used for PGP:

  

  ....

  Source0: ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.gz

@@ -177,18 +179,31 @@ 

  %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'

  ....

  

+ For Minisign/Signify:

+ 

+ ....

+ Source0: ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.gz

+ Source1: ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.gz.minisig

+ Source2: https://www.example.com/20190721.minisign.pub

+ …

+ BuildRequires: minisign

+ …

+ %prep

+ /usr/bin/minisign -V -m %{SOURCE0} -x %{SOURCE1} -p %{SOURCE2}

+ ....

+ 

  The first source is the actual tarball,

  the second one is the signature from upstream,

- and the third one is the keyring.

+ and the third one is the keyring or public key.

  

  === Exceptions

  If the upstream tarball of a package needs to be modified,

  for example because it contains forbidden items,

  then the tarball cannot be verified as part of the build process.

- In this case the upstream OpenPGP keyring must still be included in the package SCM

+ In this case the upstream OpenPGP keyring/public key must still be included in the package SCM

  and the instructions/script used to build the stripped-down tarball needs to verify the upstream source.

  

- If the upstream project does not publish a keyring file

+ For PGP, if the upstream project does not publish a keyring file

  (for example if they publish only a fingerprint on their website

  and refer to a keyserver network for downloading the key),

  then you may need to create a keyring after you have verified the key.