Closed by n7s 4 years ago
To me it seems like the big question is: do you use a GPG key with a passphrase? If you use a passphrase, then smith cannot generate cryptographic signatures, as it would not be able to access the key. If there is no passphrase and someone compromises the server, they could gain access to the key and sign (maliciously) any files they modify.
Yes, we will have to assess the threat model. There is precedent and also documentation for doing this AFAICT.
First attempt in 5946d9f
Smith has been generating a checksum for quite a while now.
Debian (and possibly others) would like to have checksums (probably SHA512SUM) and cryptographic signatures (probably GPG .asc or .sig files) for released artifacts. We should investigate how feasible it is for smith to generate those for us.
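The release flow discussed in this thread, as an added example that is not smith's own code: a SHA512SUMS manifest over the artifacts plus a detached GPG signature (.asc) over that manifest, with the consumer checking the signature before the checksums. The function names, the key identity and the isolated keyring are assumptions, and the throwaway key is deliberately passphrase-less to model the unattended build-server case.

```shell
#!/bin/sh
# Added example: checksum manifest plus detached signature for release artifacts.
# Function names, key identity and keyring location are constructed for illustration.

# Write SHA512SUMS covering every regular file in release directory $1.
make_manifest() {
    ( cd "$1" || exit 1
      for f in *; do
          # Skip the manifest itself and its signature.
          if [ -f "$f" ] && [ "${f#SHA512SUMS}" = "$f" ]; then
              sha512sum -- "$f"
          fi
      done > SHA512SUMS )
}

# Check every listed artifact against the manifest; non-zero on any mismatch.
verify_manifest() {
    ( cd "$1" && sha512sum --check --strict --quiet SHA512SUMS )
}

# Create a throwaway signing key with no passphrase in keyring directory $1.
make_test_key() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Release Test <release@example.invalid>' default default never
}

# Detached, ASCII-armored signature over the manifest: $2/SHA512SUMS.asc.
sign_manifest() {
    gpg --homedir "$1" --batch --yes --quiet --armor \
        --output "$2/SHA512SUMS.asc" --detach-sign "$2/SHA512SUMS"
}

# Consumer side: authenticate the manifest first, then check the artifacts.
verify_release() {
    gpg --homedir "$1" --batch --quiet \
        --verify "$2/SHA512SUMS.asc" "$2/SHA512SUMS" 2>/dev/null \
        && verify_manifest "$2"
}
```

A modified artifact whose checksums are regenerated still passes `verify_manifest`; only `verify_release` rejects it, and only for as long as the signing key stays out of the attacker's reach.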