#11 Enable GPG-based source file verification
Merged 2 months ago by tstellar. Opened 2 months ago by tstellar.
rpms/ tstellar/lld gpg-verify  into  master

file modified
+1

@@ -20,3 +20,4 @@ 

  /lld-9.0.0rc2.src.tar.xz

  /lld-9.0.0rc3.src.tar.xz

  /lld-9.0.0.src.tar.xz

+ /lld-9.0.0.src.tar.xz.sig

file added
+52

@@ -0,0 +1,52 @@ 

+ -----BEGIN PGP PUBLIC KEY BLOCK-----

+ 

+ mQINBFS+1SABEACnmkESkY7eZq0GhDjbkWpKmURGk9+ycsfAhA44NqUvf4tk1GPM

+ 5SkJ/fYedYZJaDVhIp98fHgucD0O+vjOzghtgwtITusYjiPHPFBd/MN+MQqSEAP+

+ LUa/kjHLjgyXxKhFUIDGVaDWL5tKOA7/AQKl1TyJ8lz89NHQoUHFsF/hu10+qhJe

+ V65d32MXFehIUSvegh8DrPuExrliSiORO4HOhuc6151dWA4YBWVg4rX5kfKrGMMT

+ pTWnSSZtgoRhkKW2Ey8cmZUqPuUJIfWyeNVu1e4SFtAivLvu/Ymz2WBJcNA1ZlTr

+ RCOR5SIRgZ453pQnI/Bzna2nnJ/TV1gGJIGRahj/ini0cs2x1CILfS/YJQ3rWGGo

+ OxwG0BVmPk0cmLVtyTq8gUPwxcPUd6WcBKhot3TDMlrffZACnQwQjlVjk5S1dEEz

+ atUfpEuNitU9WOM4jr/gjv36ZNCOWm95YwLhsuci/NddBN8HXhyvs+zYTVZEXa2W

+ l/FqOdQsQqZBcJjjWckGKhESdd7934+cesGD3O8KaeSGxww7slJrS0+6QJ8oBoAB

+ P/WCn/y2AiY2syEKp3wYIGJyAbsm542zMZ4nc7pYfSu49mcyhQQICmqN5QvOyYUx

+ OSqwbAOUNtlOyeRLZNIKoXtTqWDEu5aEiDROTw6Rkq+dIcxPNgOLdeQ3HwARAQAB

+ tCFIYW5zIFdlbm5ib3JnIDxoYW5zQGNocm9taXVtLm9yZz6JAlUEEwECAD8CGwMG

+ CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEEtsj5goK5ROOw1cJTD8MELjRa0F0F

+ Alpd+i0FCQ8FJo0ACgkQD8MELjRa0F3X3A//dBQLm6GmXlQFjxZbukTw0lZsevFR

+ M/6ljZTxp7bsC+HFzYoaCKv6rikaWzytxk//SOaLKrB4Z9HjAlpBMtyLl2Hk7tcZ

+ bPpFafNmQ+4KgWNjLXCvt9se8BGrQvGQUrbE6YowbXa2YIgxIVEncFzIECAsp/+N

+ xbMcZN5/X1PJxKi/N22gP4nn47muN6L3pKez3CXgWnhGYSc7BuD5ALWYH7yMYUem

+ d4jlXfu5xkBIqirj1arIYC9wmF4ldbLNDPuracc8LmXcSqa5Rpao0s4iVzAD+tkX

+ vE/73m3rhepwBXxrfk0McXuI9aucf5h4/KkIBzZsaJ6JM1tzlrJzzjaBKJF9OI5T

+ jA0qTxdGzdPztS8gPaPcMkRFfh9ti0ZDx4VeF3s8sOtmMRHeGEWfxqUAbBUbwFsa

+ JDu/+8/VO4KijfcuUi8tqJ/JHeosCuGE7TM93LwJu6ZcqMYOPDROE/hsnGm0ZU92

+ xedu+07/X1ESHkSFPoaSHD5/DCNa/tXIyJZ8X7gF3eoDP5mSmrJqIqsOBR9WOVYv

+ dI8i0GHTXbrZj8WXdoS+N8wlyMLLbAS2jvTe7M5RoqbLz4ABOUUnLVoEE0CiccVZ

+ bW75BPxOfaD0szbinAeX6HDPI7St0MbKrRPjuDXjD0JVkLqFINtZfYLGMLss4tgn

+ suefr0Bo9ISwG3u5Ag0EVL7VIAEQAOxBxrQesChjrCqKjY5PnSsSYpeb4froucrC

+ 898AFw2DgN/Zz+W7wtSTbtz/GRcCurjzZvN7o2rCuNk0j0+s1sgZZm2BdldlabLy

+ +UF/kSW1rb5qhfXcGGubu48OMdtSfok9lOc0Q1L4HNlGE4lUBkZzmI7Ykqfl+Bwr

+ m9rpi54g4ua9PIiiHIAmMoZIcbtOG1KaDr6CoXRk/3g2ZiGUwhq3jFGroiBsKEap

+ 2FJ1bh5NJk2Eg8pV7fMOF7hUQKBZrNOtIPu8hA5WEgku3U3VYjRSI3SDi6QXnDL+

+ xHxajiWpKtF3JjZh8y/CCTD8PyP34YjfZuFmkdske5cdx6H0V2UCiH453ncgFVdQ

+ DXkY4n+0MTzhy2xu0IVVnBxYDYNhi+3MjTHJd9C4xMi9t+5IuEvDAPhgfZjDpQak

+ EPz6hVmgj0mlKIgRilBRK9/kOxky9utBpGk3jEJGru/hKNloFNspoYtY6zATAr8E

+ cOgoCFQE0nIktcg3wF9+OCEnV28/a7XZwUZ7Gl/qfOHtdr374wo8kd8R3V8d2G9q

+ 5w0/uCV9NNQ0fGWZDPDoYt6wnPL6gZv/nJM8oZY+u0rC24WwScZIniaryC4JHDas

+ Ahr2S2CtgCvBgslK6f3gD16KHxPZMBpX73TzOYIhMEP/vXgVJbUD6dYht+U9c4Oh

+ EDJown0dABEBAAGJAjwEGAECACYCGwwWIQS2yPmCgrlE47DVwlMPwwQuNFrQXQUC

+ Wl36SwUJDwUmqwAKCRAPwwQuNFrQXT1/D/9YpRDNgaJl3YVDtVZoeQwh7BQ6ULZT

+ eXFPogYkF2j3VWg8s9UmAs4sg/4a+9KLSantXjX+JFsRv0lQe5Gr/Vl8VQ4LKEXB

+ fiGmSivjIZ7eopdd3YP2w6G5T3SA4d2CQfsg4rnJPnXIjzKNiSOi368ybnt9fL0Y

+ 2r2aqLTmP6Y7issDUO+J1TW1XHm349JPR0Hl4cTuNnWm4JuX2m2CJEc5XBlDAha9

+ pUVs+J5C2D0UFFkyeOzeJPwy6x5ApWHm84n8AjhQSpu1qRKxKXdwei6tkQWWMHui

+ +TgSY/zCkmD9/oY15Ei5avJ4WgIbTLJUoZMi70riPmU8ThjpzA7S+Nk0g7rMPq+X

+ l1whjKU/u0udlsrIJjzkh6ftqKUmIkbxYTpjhnEujNrEr5m2S6Z6x3y9E5QagBMR

+ dxRhfk+HbyACcP/p9rXOzl4M291DoKeAAH70GHniGxyNs9rAoMr/hD5XW/Wrz3dc

+ KMc2s555E6MZILE2ZiolcRn+bYOMPZtWlbx98t8uqMf49gY4FGQBZAwPglMrx7mr

+ m7HTIiXahThQGOJg6izJDAD5RwSEGlAcL28T8KAuM6CLLkhlBfQwiKsUBNnh9r8w

+ V3lB+pV0GhL+3i077gTYfZBRwLzjFdhm9xUKEaZ6rN1BX9lzix4eSNK5nln0jUq1

+ 67H2IH//2sf8dw==

+ =ADVe

+ -----END PGP PUBLIC KEY BLOCK-----
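Review bot: nothing in the PR records the fingerprint of the key being committed here, so a reviewer has to derive it and a later change to this file could swap the key without anyone noticing. The issuer-fingerprint subpacket in the self-signature (the bytes after `FiEE` on the third line of the first signature) decodes to B6C8 F982 82B9 44E3 B0D5 C253 0FC3 042E 345A D05D for user ID `Hans Wennborg <hans@chromium.org>`; please put that fingerprint in a comment next to Source4 or in the commit message, and confirm it with `gpg2 --with-fingerprint hans-gpg-key.asc` against a source other than releases.llvm.org (for example the keyserver lookup mentioned below in the discussion). Because this key and the .sig are fetched from the same host as the tarball, the out-of-band fingerprint comparison is what gives the verification teeth.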

file modified
+11 -2

@@ -1,5 +1,5 @@ 

  #%%global rc_ver 3

- %global baserelease 3

+ %global baserelease 4

  %global lld_srcdir lld-%{version}%{?rc_ver:rc%{rc_ver}}.src

  %global maj_ver 9

  

@@ -14,9 +14,11 @@ 

  

  License:	NCSA

  URL:		http://llvm.org

- Source0:	http://%{?rc_ver:pre}releases.llvm.org/%{version}/%{?rc_ver:rc%{rc_ver}}/%{lld_srcdir}.tar.xz

+ Source0:	https://%{?rc_ver:pre}releases.llvm.org/%{version}/%{?rc_ver:rc%{rc_ver}}/%{lld_srcdir}.tar.xz

  Source1:	run-lit-tests

  Source2:	lit.lld-test.cfg.py

+ Source3:	https://%{?rc_ver:pre}releases.llvm.org/%{version}/%{?rc_ver:rc%{rc_ver}}/%{lld_srcdir}.tar.xz.sig

+ Source4:	https://releases.llvm.org/9.0.0/hans-gpg-key.asc

  

  Patch0:		0001-CMake-Check-for-gtest-headers-even-if-lit.py-is-not-.patch

  

@@ -34,6 +36,9 @@ 

  BuildRequires:	python3-lit

  BuildRequires:	llvm-googletest = %{version}

  

+ # For gpg source verification

+ BuildRequires:	gnupg2

+ 

  Requires(post): %{_sbindir}/alternatives

  Requires(preun): %{_sbindir}/alternatives

  

@@ -66,6 +71,7 @@ 

  LLVM regression tests.

  

  %prep

+ %{gpgverify} --keyring='%{SOURCE4}' --signature='%{SOURCE3}' --data='%{SOURCE0}'

  %autosetup -n %{name}-%{version}%{?rc_ver:rc%{rc_ver}}.src -p1

  

  %build
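Review bot: the `%{gpgverify}` line has to stay before `%autosetup`, as written, because an unverified tarball must never be unpacked or patched; a one-line comment saying why the order matters would keep a future reorganisation of %prep from moving it. Note also that `--keyring='%{SOURCE4}'` is a keyring, not an expected fingerprint: the macro accepts a signature made by any key in that file, so this line is only as strong as the guarantee that the committed keyring contains the one intended key. A quick local check before merging: corrupt a byte in the downloaded .sig, or point `--data` at one of the rc tarballs listed in .gitignore, and confirm that `fedpkg prep` aborts in %prep instead of continuing.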

@@ -174,6 +180,9 @@ 

  %{_datadir}/lld/lit.lld-test.cfg.py

  

  %changelog

+ * Thu Dec 05 2019 Tom Stellard <tstellar@redhat.com> - 9.0.0-4

+ - Enable GPG-based source file verification

+ 

  * Thu Dec 05 2019 Tom Stellard <tstellar@redhat.com> - 9.0.0-3

  - Add lld-test package

  

file modified
+1

@@ -1,1 +1,2 @@ 

  SHA512 (lld-9.0.0.src.tar.xz) = bc4812232840ef5edbd8edf1d1a329e85a4bfd3a7859fe322e11dd053435e722c6f1140a718fd2b3524ee9783a357178d2ba30d12519847bd3acc294698007f3

+ SHA512 (lld-9.0.0.src.tar.xz.sig) = f16a510d7ba2d86b4abdc3cc073f37ef96f66eae3306cb9b66e38ed5d18bc767300d8b6a7332e22a3efbd3b381a20f84fcc3398b7041cd55481938fd79fffc7b
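Review bot: only the final 9.0.0 signature is uploaded, but `Source3` expands to `lld-%{version}rc%{rc_ver}.src.tar.xz.sig` whenever `rc_ver` is set, so the next rc build fails in %prep unless the rc signature is also uploaded with `fedpkg new-sources` and added to `.gitignore` next to the rc tarballs already listed there. The SHA512 line pins the signature file in the lookaside cache, which protects against the cache changing underneath you; it adds nothing to the signature check itself, since a tarball and .sig replaced together would simply be uploaded with fresh hashes.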

no initial comment

If you download both the key and the .sig from the same (potentially compromised) website, then you're not actually adding security, right?
Because of the source mechanism in Fedora, it's a bit better, because you're actually downloading the key only once, and then leaving it to the Fedora cache system to handle it, but still, I'd have a better confidence if that (small) file were stored in git, so that anyone could verify that it's Hans' key.

I tried to follow the official guidelines: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification . I'm not sure how much we can deviate from that, but are you saying both the key and .sig file should be in git?

I failed to notice that the key is actually in the git (I thought it was in the fedora cache system). As the key is in the git, anyone can verify it and compare it to other sources, that's okay. The problem is more on the llvm side, as if the llvm server is compromised, both the .asc and the .sig can be compromised at the same time. The .asc looks correct, at least it's the same as in https://pgp.key-server.io/pks/lookup?search=hans%40chromium.org&fingerprint=on&op=vindex, LGTM then.
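A way to do that comparison without gpg, as an added example that is not part of this PR or of the lld package: the script below parses the `hans-gpg-key.asc` block from the hunk above, computes the primary key's v4 fingerprint as RFC 4880 12.2 defines it (SHA-1 over 0x99, the two-octet packet length and the public key packet body), lists the user IDs, and checks that every self-signature's issuer-fingerprint subpacket agrees with the computed value. The function names (`dearmor`, `packets`, `describe_key`, `key_matches`) are this example's own, not gpg's or the Fedora `%{gpgverify}` macro's; the only input is the key block as it appears in the diff.

```python
import base64, hashlib  # stdlib only: the check does not need gpg installed
HANS_GPG_KEY_ASC = """-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFS+1SABEACnmkESkY7eZq0GhDjbkWpKmURGk9+ycsfAhA44NqUvf4tk1GPM
5SkJ/fYedYZJaDVhIp98fHgucD0O+vjOzghtgwtITusYjiPHPFBd/MN+MQqSEAP+
LUa/kjHLjgyXxKhFUIDGVaDWL5tKOA7/AQKl1TyJ8lz89NHQoUHFsF/hu10+qhJe
V65d32MXFehIUSvegh8DrPuExrliSiORO4HOhuc6151dWA4YBWVg4rX5kfKrGMMT
pTWnSSZtgoRhkKW2Ey8cmZUqPuUJIfWyeNVu1e4SFtAivLvu/Ymz2WBJcNA1ZlTr
RCOR5SIRgZ453pQnI/Bzna2nnJ/TV1gGJIGRahj/ini0cs2x1CILfS/YJQ3rWGGo
OxwG0BVmPk0cmLVtyTq8gUPwxcPUd6WcBKhot3TDMlrffZACnQwQjlVjk5S1dEEz
atUfpEuNitU9WOM4jr/gjv36ZNCOWm95YwLhsuci/NddBN8HXhyvs+zYTVZEXa2W
l/FqOdQsQqZBcJjjWckGKhESdd7934+cesGD3O8KaeSGxww7slJrS0+6QJ8oBoAB
P/WCn/y2AiY2syEKp3wYIGJyAbsm542zMZ4nc7pYfSu49mcyhQQICmqN5QvOyYUx
OSqwbAOUNtlOyeRLZNIKoXtTqWDEu5aEiDROTw6Rkq+dIcxPNgOLdeQ3HwARAQAB
tCFIYW5zIFdlbm5ib3JnIDxoYW5zQGNocm9taXVtLm9yZz6JAlUEEwECAD8CGwMG
CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEEtsj5goK5ROOw1cJTD8MELjRa0F0F
Alpd+i0FCQ8FJo0ACgkQD8MELjRa0F3X3A//dBQLm6GmXlQFjxZbukTw0lZsevFR
M/6ljZTxp7bsC+HFzYoaCKv6rikaWzytxk//SOaLKrB4Z9HjAlpBMtyLl2Hk7tcZ
bPpFafNmQ+4KgWNjLXCvt9se8BGrQvGQUrbE6YowbXa2YIgxIVEncFzIECAsp/+N
xbMcZN5/X1PJxKi/N22gP4nn47muN6L3pKez3CXgWnhGYSc7BuD5ALWYH7yMYUem
d4jlXfu5xkBIqirj1arIYC9wmF4ldbLNDPuracc8LmXcSqa5Rpao0s4iVzAD+tkX
vE/73m3rhepwBXxrfk0McXuI9aucf5h4/KkIBzZsaJ6JM1tzlrJzzjaBKJF9OI5T
jA0qTxdGzdPztS8gPaPcMkRFfh9ti0ZDx4VeF3s8sOtmMRHeGEWfxqUAbBUbwFsa
JDu/+8/VO4KijfcuUi8tqJ/JHeosCuGE7TM93LwJu6ZcqMYOPDROE/hsnGm0ZU92
xedu+07/X1ESHkSFPoaSHD5/DCNa/tXIyJZ8X7gF3eoDP5mSmrJqIqsOBR9WOVYv
dI8i0GHTXbrZj8WXdoS+N8wlyMLLbAS2jvTe7M5RoqbLz4ABOUUnLVoEE0CiccVZ
bW75BPxOfaD0szbinAeX6HDPI7St0MbKrRPjuDXjD0JVkLqFINtZfYLGMLss4tgn
suefr0Bo9ISwG3u5Ag0EVL7VIAEQAOxBxrQesChjrCqKjY5PnSsSYpeb4froucrC
898AFw2DgN/Zz+W7wtSTbtz/GRcCurjzZvN7o2rCuNk0j0+s1sgZZm2BdldlabLy
+UF/kSW1rb5qhfXcGGubu48OMdtSfok9lOc0Q1L4HNlGE4lUBkZzmI7Ykqfl+Bwr
m9rpi54g4ua9PIiiHIAmMoZIcbtOG1KaDr6CoXRk/3g2ZiGUwhq3jFGroiBsKEap
2FJ1bh5NJk2Eg8pV7fMOF7hUQKBZrNOtIPu8hA5WEgku3U3VYjRSI3SDi6QXnDL+
xHxajiWpKtF3JjZh8y/CCTD8PyP34YjfZuFmkdske5cdx6H0V2UCiH453ncgFVdQ
DXkY4n+0MTzhy2xu0IVVnBxYDYNhi+3MjTHJd9C4xMi9t+5IuEvDAPhgfZjDpQak
EPz6hVmgj0mlKIgRilBRK9/kOxky9utBpGk3jEJGru/hKNloFNspoYtY6zATAr8E
cOgoCFQE0nIktcg3wF9+OCEnV28/a7XZwUZ7Gl/qfOHtdr374wo8kd8R3V8d2G9q
5w0/uCV9NNQ0fGWZDPDoYt6wnPL6gZv/nJM8oZY+u0rC24WwScZIniaryC4JHDas
Ahr2S2CtgCvBgslK6f3gD16KHxPZMBpX73TzOYIhMEP/vXgVJbUD6dYht+U9c4Oh
EDJown0dABEBAAGJAjwEGAECACYCGwwWIQS2yPmCgrlE47DVwlMPwwQuNFrQXQUC
Wl36SwUJDwUmqwAKCRAPwwQuNFrQXT1/D/9YpRDNgaJl3YVDtVZoeQwh7BQ6ULZT
eXFPogYkF2j3VWg8s9UmAs4sg/4a+9KLSantXjX+JFsRv0lQe5Gr/Vl8VQ4LKEXB
fiGmSivjIZ7eopdd3YP2w6G5T3SA4d2CQfsg4rnJPnXIjzKNiSOi368ybnt9fL0Y
2r2aqLTmP6Y7issDUO+J1TW1XHm349JPR0Hl4cTuNnWm4JuX2m2CJEc5XBlDAha9
pUVs+J5C2D0UFFkyeOzeJPwy6x5ApWHm84n8AjhQSpu1qRKxKXdwei6tkQWWMHui
+TgSY/zCkmD9/oY15Ei5avJ4WgIbTLJUoZMi70riPmU8ThjpzA7S+Nk0g7rMPq+X
l1whjKU/u0udlsrIJjzkh6ftqKUmIkbxYTpjhnEujNrEr5m2S6Z6x3y9E5QagBMR
dxRhfk+HbyACcP/p9rXOzl4M291DoKeAAH70GHniGxyNs9rAoMr/hD5XW/Wrz3dc
KMc2s555E6MZILE2ZiolcRn+bYOMPZtWlbx98t8uqMf49gY4FGQBZAwPglMrx7mr
m7HTIiXahThQGOJg6izJDAD5RwSEGlAcL28T8KAuM6CLLkhlBfQwiKsUBNnh9r8w
V3lB+pV0GhL+3i077gTYfZBRwLzjFdhm9xUKEaZ6rN1BX9lzix4eSNK5nln0jUq1
67H2IH//2sf8dw==
=ADVe
-----END PGP PUBLIC KEY BLOCK-----"""  # hans-gpg-key.asc exactly as committed in this PR

def dearmor(armored):  # keep only the base64 lines: no BEGIN/END, 'Name: value' headers, blanks or '=' CRC line
    return base64.b64decode("".join(l for l in armored.splitlines() if l and l[0] not in "-=" and ":" not in l))

def _len_new(buf, i, packet=True):  # new-format length (RFC 4880 4.2.2 / 5.2.3.1) -> (length, index after it)
    n = buf[i]
    if n < 192: return n, i + 1
    if n == 255: return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    if packet and n >= 224: raise ValueError("partial body lengths do not occur in key files")
    return ((n - 192) << 8) + buf[i + 1] + 192, i + 2

def packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0x40:                                  # new format: tag in the low 6 bits
            tag, (n, i) = hdr & 0x3F, _len_new(data, i + 1)
        else:                                           # old format: 1/2/4-octet length field
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            n, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + n]
        i += n

def subpackets(area):  # yield (type, data) from a signature subpacket area (RFC 4880 5.2.3.1)
    i = 0
    while i < len(area):
        n, i = _len_new(area, i, packet=False)
        yield area[i] & 0x7F, area[i + 1:i + n]
        i += n

def describe_key(armored):  # computed v4 fingerprint, user IDs, and the issuer fingerprint each signature claims
    fpr, uids, claimed = None, [], []
    for tag, body in packets(dearmor(armored)):
        if tag == 6 and body[0] == 4:      # public key: SHA-1(0x99 || 2-octet len || body), RFC 4880 12.2
            fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
        elif tag == 13:                    # user ID
            uids.append(body.decode())
        elif tag == 2 and body[0] == 4:    # v4 signature: hashed subpacket area starts at offset 6
            hashed = body[6:6 + int.from_bytes(body[4:6], "big")]
            claimed += [d[1:21].hex().upper() for t, d in subpackets(hashed) if t == 33 and d[0] == 4]
    return {"fingerprint": fpr, "uids": uids, "claimed_issuers": claimed}

def key_matches(armored, expected_fpr):  # the reviewer's check: computed fingerprint == out-of-band value
    info, want = describe_key(armored), expected_fpr.replace(" ", "").upper()
    return info["fingerprint"] == want and set(info["claimed_issuers"]) == {want}
```

`key_matches(HANS_GPG_KEY_ASC, "B6C8 F982 82B9 44E3 B0D5 C253 0FC3 042E 345A D05D")` returns True for the committed file; that value is the fingerprint carried in the key's own self-signature and is used here only to show the call, since a real review must take the expected fingerprint from somewhere other than the file under review. The point of computing it from the key packet rather than reading it out of the signature is that if releases.llvm.org served a replaced key, `%{gpgverify}` fed that key and its matching .sig would still pass, while the computed fingerprint would no longer match the value obtained out of band.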

Maybe we should refer to the https source?

rebased onto 0968bb5

2 months ago

Maybe we should refer to the https source?

The documentation says to do this too. I've fixed it now.

Pull-Request has been merged by tstellar

2 months ago