Subversion issue SVN-4587

Verifying multiple OpenPGP signatures on a release

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: trunk
    • Fix Version/s: ---
    • Component/s: docs_www
    • Labels: None

      Description

      When we release Subversion source code we provide a concatenation of OpenPGP
      signatures from multiple developers in a single "$FILE.asc" file corresponding
      to each package, where $FILE is for example "subversion-1.9.0.tar.gz".
      
      It says in our instructions at
      http://subversion.apache.org/download/#verifying
      that "gpg --verify $FILE.asc" can be used to verify the signatures, but that
      works only when all the signatures are of the same kind. Often, some are of
      different kinds, and then GPG only verifies the first one, saying "WARNING:
      multiple signatures detected.  Only the first will be checked."
      
      Some options for improving the situation include:
      
        * Combine all our signatures into a single OpenPGP SIGNATURE block, as
          described at the end of
          <https://lists.gnupg.org/pipermail/gnupg-users/2013-July/047118.html>. Then a
          simple "gpg --verify $FILE.asc" will verify all the sigs in that block. (This
          solution won't fix the issue for people downloading previous releases unless we
          retrospectively update the .asc files for those.)

        * Write a script and/or find a commonly available program that will verify the
          concatenated sequence of signatures that we currently provide them, and document
          this, and document that GPG on its own does not do so.

        * Implement support in GPG for verifying the concatenated sequence of
          different kinds of signatures, and propose this patch for inclusion in GPG, and
          document which GPG version supports this. See the gnupg-devel email thread "Re:
          checking multiple signatures of different types (or different digests)" on
          2013-01-13 <http://www.gossamer-threads.com/lists/gnupg/devel/60180#60180> where
          David Shaw hints that it has not been done yet because of lack of demand.
      
      See also a discussion on our IRC channel:
      <http://colabti.org/irclogger/irclogger_log/svn-dev?date=2015-08-12#l39>.
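One way to carry out the second option above (a script that verifies each signature in the concatenated .asc file on its own), added here as an illustration and not code from the Subversion project or the reporter: it splits the file on the ASCII-armor BEGIN/END markers, writes each block to a temporary file, and runs "gpg --verify" once per block, so GPG never sees more than one signature at a time and its "only the first will be checked" limitation does not apply. The SAMPLE_ASC text is constructed filler that only has the shape of two armored blocks (it is not a real signature), and the file names in the usage line are assumptions.

```python
"""Verify every OpenPGP signature in a concatenated .asc file separately.

gpg checks only the first signature when a detached-signature file holds
several signatures of different kinds, so this splits the armored file
into its individual SIGNATURE blocks and verifies each block on its own.
"""
import os
import re
import subprocess
import sys
import tempfile

# One complete armored block, from BEGIN to END; DOTALL lets '.' span lines,
# and the lazy '.*?' stops at the first END so adjacent blocks stay separate.
ARMOR_RE = re.compile(
    r"-----BEGIN PGP SIGNATURE-----\r?\n.*?-----END PGP SIGNATURE-----",
    re.DOTALL,
)


def split_armored_signatures(text):
    """Return each armored SIGNATURE block found in text, in file order.

    Text outside the markers (headers, blank lines, CRLF line endings) is
    tolerated; a single block carrying several signature packets is returned
    as one block, which gpg already verifies in full.
    """
    return [m.group(0) + "\n" for m in ARMOR_RE.finditer(text)]


def all_verified(results):
    """True only if at least one block was checked and every gpg run exited 0.

    An empty .asc must not count as verified, so zero blocks returns False.
    """
    return bool(results) and all(rc == 0 for _, rc, _ in results)


def verify_each(asc_path, data_path, gpg="gpg"):
    """Run 'gpg --verify <one block> <data file>' per block.

    Returns a list of (block_number, gpg_exit_code, gpg_stderr) tuples so the
    caller can see which signer's block failed rather than a single verdict.
    """
    with open(asc_path, "r", encoding="ascii") as fh:
        blocks = split_armored_signatures(fh.read())

    results = []
    for number, block in enumerate(blocks, start=1):
        # gpg wants the detached signature as a file, so stage one block at a time.
        with tempfile.NamedTemporaryFile("w", suffix=".asc", delete=False) as tmp:
            tmp.write(block)
            tmp_name = tmp.name
        try:
            proc = subprocess.run(
                [gpg, "--verify", tmp_name, data_path],
                capture_output=True, text=True,
            )
        finally:
            os.unlink(tmp_name)
        results.append((number, proc.returncode, proc.stderr.strip()))
    return results


# Constructed sample: two armored blocks, one with CRLF endings. The base64
# payload is filler and is NOT a valid signature; it only exercises splitting.
SAMPLE_ASC = (
    "-----BEGIN PGP SIGNATURE-----\n"
    "Version: GnuPG v2\n"
    "\n"
    "iQEcBAABAgAGBQJVzXXXAAoJEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "=AAAA\n"
    "-----END PGP SIGNATURE-----\n"
    "-----BEGIN PGP SIGNATURE-----\r\n"
    "\r\n"
    "iF4EABEIAAYFAlXNZZZZAAoJEBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\r\n"
    "=BBBB\r\n"
    "-----END PGP SIGNATURE-----\r\n"
)


if __name__ == "__main__":
    # Assumed usage: verify_sigs.py subversion-1.9.0.tar.gz.asc subversion-1.9.0.tar.gz
    asc, data = sys.argv[1], sys.argv[2]
    outcome = verify_each(asc, data)
    for number, rc, err in outcome:
        print(f"signature block {number}: {'OK' if rc == 0 else 'FAILED'}")
        if rc != 0:
            print(err)
    sys.exit(0 if all_verified(outcome) else 1)
```

The exit status is non-zero if any block fails or if the .asc contained no blocks at all, since a truncated or empty signature file should never look like a successful verification. Comparing the number of blocks found against the number of release signers listed on the download page is a cheap extra check that a block was not dropped.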
      

            People

            • Assignee: Unassigned
            • Reporter: julianfoad Julian Foad
            • Votes: 0
            • Watchers: 1