Please PGP/GnuPG sign source tarballs

[marcusva]

Originally reported by: Franz Schrober (Bitbucket: franzschrober, GitHub: Unknown)

---

Distributions now try to verify upstream tarballs to easier detect manipulation by third parties. One of the steps is to have detached, ascii armored signatures done using the PGP/GnuPG signature key of the software author next to the actual source tarball.

Of course, this is only one check but at least this one can help: http://lists.opensuse.org/opensuse-factory/2012-12/msg00235.html https://wiki.debian.org/debian/watch/#Cryptographic_signature_verification

---

• Bitbucket: https://bitbucket.org/marcusva/py-sdl2/issue/69

[marcusva]

Original comment by Marcus von Appen (Bitbucket: marcusva, GitHub: marcusva):

---

New release source packages are signed now.

[marcusva]

Original comment by Franz Schrober (Bitbucket: franzschrober, GitHub: Unknown):

---

Not very much? When the distribution always checks against the same key before downloading a source.... I bet it helps a lot to identify the source of the tarball with a high probability. At least it would helped a lot in the past:

• https://sourceforge.net/blog/phpmyadmin-back-door/
• https://forums.unrealircd.org/viewtopic.php?t=6562
• https://forums.proftpd.org/smf/index.php?topic=5206.0
• http://lwn.net/Articles/450181/
• http://piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/
• http://scarybeastsecurity.blogspot.cz/2011/07/alert-vsftpd-download-backdoored.html
• http://www.h-online.com/open/news/item/Possible-backdoor-in-the-e107-CMS-913588.html
• ...

[marcusva]

Original comment by Marcus von Appen (Bitbucket: marcusva, GitHub: marcusva):

---

I won't sign any previous release. I'm fine with doing so for future releases, though one has to bear in mind that signing the source tarballs does not improve security very much.

[marcusva]

Original comment by anatoly techtonik (Bitbucket: techtonik, GitHub: techtonik):

---

That makes it much clearer. Thanks.

[marcusva]

Original comment by Franz Schrober (Bitbucket: franzschrober, GitHub: Unknown):

---

Most of the stuff is described in the links. Here is another post about how it is done. https://groups.google.com/d/msg/mupen64plus/FgXPLOMgGBE/rgv9rjotXFwJ

This cannot be solved by you because you are not the maintainer/release manager and the maintainer/release manager should do the signing.

What needs to be done:

• maintainer needs a GPG/PGP signature key (with enough cryptographical strength like RSA-4096)
• public key part must be uploaded to a key server
• the gpg key should have an uid with the e-mail address of the maintainer
• the gpg should also have an encryption key to allow the remote checking as described in the suse documents
• the release tarballs (hopefully all olds too) should get a detached signature as described in the suse documents or in the last link i've posted
• • gpg --detach-sign --armor PySDL2-0.9.3.tar.gz
• the signatures (filename + .asc) must be uploaded to the download page next to the release tarballs

And as extra step the signer of the keys must be reachable using the mail address to make a simple verification that the signature key belongs to the mail address.

[marcusva]

Original comment by anatoly techtonik (Bitbucket: techtonik, GitHub: techtonik):

---

You marked this as trivial. Can you describe how it should look like and what is the process? It would be nice if the process will be also Windows-compatible.