Date: Wed, 8 Dec 2021 16:29:23 +0100
From: "Haelwenn (lanodan) Monnier"
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH] verify-sig.eclass: add app-crypt/signify support
List-Id: Gentoo Linux mail

[2021-12-08 19:28:24+0500] Anna Vyalkova:
> On 2021-12-08 13:54, Haelwenn (lanodan) Monnier wrote:
> > >+case ${VERIFY_SIG_IMPL} in
> > >+ gnupg)
> > >+ BDEPEND="
> > >+ verify-sig? (
> > >+ app-crypt/gnupg
> > >+ >=app-portage/gemato-16
> > >+ )"
> > >+ ;;
> > >+ signify)
> > >+ BDEPEND="verify-sig? ( app-crypt/signify )"
> >
> > Might be worth it to depend on app-crypt/minisign instead or depend on any.
> > minisign is already stabilized and I slightly prefer its implementation over
> > the ported signify as there is no vendoring.
> > That said minisign could be considered bloated compared to signify.
>
> $ minisign -Vp /usr/share/openpgp-keys/gmid-1.7.pub -m SHA256 -x SHA256.sig -o
> Trusted signature comment should start with "trusted comment: "
>
> It doesn't work :/
> Also it has no "verify signed checksums list" mode.

Not sure what your files are but those two are definitely bugs in minisign. :/

> > >+ case ${VERIFY_SIG_IMPL} in
> > >+ gnupg)
> > >+ gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
> > >+ gpg --verify "${sig}" "${file}" ||
> > >+ die "PGP signature verification failed"
> > >+ ;;
> > >+ signify)
> > >+ signify -V -p "${key}" -m "${file}" -x "${sig}" ||
> > >+ die "PGP signature verification failed"
> >
> > Should be something like "Signify signature verification failed".
>
> It's still PGP, so the message is accurate. Having different messages
> would be inconsistent. That's what I think.

Nah, signify has nothing to do with OpenPGP, they are entirely different.

OpenPGP is defined in RFC4880 and is implemented by PGP, GnuPG and NetPGP.
It notably has non-rotatable identity keys, subkeys, keyservers and a web-of-trust.

Signify is just barebones signatures from one simple key, with rotation being
intended and no designed network protocol.

See https://flak.tedunangst.com/post/signify for details.
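Review bot: in the signify) branch of the verification case, `die "PGP signature verification failed"` is copied from the gnupg) branch, so a signify failure would be reported under the wrong tool name; signify is not an OpenPGP implementation. Use a message that names the tool, e.g. `die "signify signature verification failed"`, or one that stays uniform across both branches by interpolating the implementation, such as `die "${VERIFY_SIG_IMPL} signature verification failed"`.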
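As an added illustration (not code from this thread or from verify-sig.eclass): a stdlib-only Python parser for the signature-file layout that signify and minisign share, showing why a two-line signify .sig fails a minisign-style parse with the same wording as the error quoted above, plus a checksum-list check of the kind signify's -C mode performs and minisign lacks. The sample signature and file contents are constructed, and Ed25519 verification itself is not performed.

```python
import base64
import hashlib
import re

SIG_LEN = 2 + 8 + 64  # "Ed" algorithm tag, 8-byte key id, 64-byte Ed25519 signature

def parse_sig_file(text, minisign=False):
    """Parse the text layout shared by signify and minisign signature files.

    Both start with 'untrusted comment: ...' followed by one base64 blob.
    minisign additionally requires a 'trusted comment: ...' line and a second
    base64 blob (its global signature), which a signify .sig never carries.
    """
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment: "):
        raise ValueError("missing untrusted comment line")
    raw = base64.b64decode(lines[1])
    if len(raw) != SIG_LEN or raw[:2] not in (b"Ed", b"ED"):
        raise ValueError("unexpected signature blob layout")
    sig = {"alg": raw[:2], "keynum": raw[2:10], "sig": raw[10:]}
    if minisign:
        # The extra layout requirement that a two-line signify .sig cannot satisfy.
        if len(lines) < 4 or not lines[2].startswith("trusted comment: "):
            raise ValueError('Trusted signature comment should start with "trusted comment: "')
        sig["trusted_comment"] = lines[2][len("trusted comment: "):]
        sig["global_sig"] = base64.b64decode(lines[3])
    return sig

def check_sha256_list(list_text, files):
    """Checksum-list step in the style of 'signify -C': once the SHA256 file's
    own signature is verified, compare every listed digest with the file
    contents. Returns {name: bool}. Ed25519 itself is out of scope here."""
    result = {}
    for line in list_text.splitlines():
        m = re.fullmatch(r"SHA256 \((.+)\) = ([0-9a-f]{64})", line)
        if not m:
            raise ValueError("unparseable checksum line: " + line)
        name, digest = m.groups()
        data = files.get(name)
        result[name] = data is not None and hashlib.sha256(data).hexdigest() == digest
    return result

# Constructed sample data: a structurally valid signify-style .sig whose 64-byte
# signature is zero filler (it would not pass a real Ed25519 check).
SIGNIFY_SIG = ("untrusted comment: verify with gmid-1.7.pub\n"
               + base64.b64encode(b"Ed" + bytes(range(8)) + bytes(64)).decode() + "\n")
FILES = {"gmid-1.7.tar.gz": b"constructed tarball bytes"}
SHA256_LIST = "".join(f"SHA256 ({n}) = {hashlib.sha256(d).hexdigest()}\n" for n, d in FILES.items())
```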