Uploaded image for project: 'Subversion'
  1. Subversion
  2. SVN-4587

Verifying multiple OpenPGP signatures on a release

Attach filesAttach ScreenshotAdd voteVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments


    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: trunk
    • Fix Version/s: ---
    • Component/s: docs_www
    • Labels:


      When we release Subversion source code we provide a concatenation of OpenPGP
      signatures from multiple developers in a single "$FILE.asc" file corresponding
      to each package, where $FILE is for example "subversion-1.9.0.tar.gz".
      It says in our instructions at
      that "gpg --verify $FILE.asc" can be used to verify the signatures, but that
      works only when all the signatures are of the same kind. Often, some are of
      different kinds, and then GPG only verifies the first one, saying "WARNING:
      multiple signatures detected.  Only the first will be checked."
      Some options for improving the situation include:
        * Combine all our signatures into a single OpenPGP SIGNATURE block, as
      described at the end of
      <https://lists.gnupg.org/pipermail/gnupg-users/2013-July/047118.html>. Then a
      simple "gpg --verify $FILE.asc" will verify all the sigs in that block. (This
      solution won't fix the issue for people downloading previous releases unless we
      retrospectively update the .asc files for those.)
        * Write a script and/or find a commonly available program that will verify the
      concatenated sequence of signatures that we currently provide them, and document
      this, and document that GPG on its own does not do so.
        * Implement support in GPG for verifying the concatenated sequence of
      different kinds of signatures, and propose this patch for inclusion in GPG, and
      document which GPG version supports this. See the gnupg-devel email thread "Re:
      checking multiple signatures of different types (or different digests)" on
      2013-01-13 <http://www.gossamer-threads.com/lists/gnupg/devel/60180#60180> where
      David Shaw hints that it has not been done yet because of lack of demand.
      See also a discussion on our IRC channel:




            • Assignee:
              julianfoad Julian Foad


              • Created:

                Issue deployment