GNOME Bugzilla – Bug 774000
File integrity of source tarballs
Last modified: 2018-09-21 16:26:10 UTC
Hello,

There is currently no GPG signature to verify that the latest source is actually the one you have created. This is particularly important since there have been recent attacks which replaced files on upstream servers. Take for example the Linux Mint hack earlier this year. (https://micahflee.com/2016/02/backdoored-linux-mint-and-the-perils-of-checksums/)

I would like to request that you please upload a SHA512 checksum of your libsecret tar.gz files, as well as sign the SHA512 with a GPG signature. (https://download.gnome.org/sources/libsecret/)

Technical documentation on how to do this:

http://docs.oracle.com/cd/E36784_01/html/E36870/sha512sum-1.html

    sha512sum * > SHA512SUMS

https://help.ubuntu.com/community/GnuPrivacyGuardHowto
https://access.redhat.com/solutions/1541303

    gpg --clearsign -o SHA512SUMS.sign SHA512SUMS

The resulting files, SHA512SUMS and SHA512SUMS.sign, can then be uploaded to your site (or on another site/server for added security), so that package maintainers can verify that the source is accurate and unhacked by a third-party prior to packaging.

Thank you for your time and concern.
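The report above gives the publisher side (sha512sum, then gpg --clearsign). The following is an added example, not from the bug report or the libsecret project, of the matching consumer-side check a packager would run: it trusts only the checksum list carried inside SHA512SUMS.sign, pins the signer's fingerprint (a placeholder value here) instead of accepting any key in the keyring, and fails closed when a tarball is not listed at all. It assumes GNU coreutils (sha512sum, awk, mktemp) and gpg on PATH, with the signer's public key already imported from a trusted source.

```shell
# Added example (not libsecret's own tooling). Replace the placeholder with the
# release signer's real primary-key fingerprint, obtained out of band.
EXPECTED_FPR="0000000000000000000000000000000000000000"  # placeholder fingerprint

# verify_signed_sums SIGN_FILE OUT_FILE FINGERPRINT
# SHA512SUMS.sign was produced with `gpg --clearsign`, so it carries the checksum
# list inside it. gpg checks the signature and writes the signed payload to
# OUT_FILE; later steps read that payload, never the unsigned SHA512SUMS, so a
# swapped unsigned file cannot influence the result.
verify_signed_sums() {
    sign=$1; out=$2; fpr=$3
    status=$(gpg --batch --yes --status-fd 1 --output "$out" --decrypt "$sign" 2>/dev/null) || return 1
    # A good signature from *some* key is not enough: require VALIDSIG from the pinned key.
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .*$fpr"
}

# verify_tarball TARBALL SUMS_FILE
# Looks up TARBALL's basename in the verified checksum list and compares the
# recorded SHA512 with a freshly computed one. Returns 0 on match, 1 on
# mismatch, and 2 when the tarball is not listed: an absent entry must fail
# closed instead of being treated as "nothing to check".
verify_tarball() {
    tarball=$1; sums=$2
    name=$(basename "$tarball")
    # sha512sum lines are "<hex>  <name>" ("<hex> *<name>" in binary mode)
    expected=$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha512sum "$tarball" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# check_release TARBALL SIGN_FILE: the whole chain for one downloaded release.
check_release() {
    sums=$(mktemp) || return 1
    if verify_signed_sums "$2" "$sums" "$EXPECTED_FPR" && verify_tarball "$1" "$sums"; then
        rm -f "$sums"; return 0
    fi
    rm -f "$sums"; return 1
}

# Usage: check_release libsecret-0.18.6.tar.xz SHA512SUMS.sign && echo "release verified"
```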
It looks like Stef pushed a change to the build scripts to sign the source tarballs, so this should be supported from 0.18.6 onwards. https://git.gnome.org/browse/libsecret/commit/?id=780ae410ce3c13ae3c08010a967e9cdfa14a4dad
I'm afraid it didn't work, because currently the ftpadmin command only accepts tarballs.
-- GitLab Migration Automatic Message -- This bug has been migrated to GNOME's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/libsecret/issues/11.