[poppler] verify of released packages?
Germán Poo-Caamaño
gpoo at gnome.org
Mon Aug 20 19:23:34 UTC 2018
On Sat, 2018-08-18 at 18:48 +0200, Albert Astals Cid wrote:
> On Saturday, 18 August 2018 at 15:41:38 CEST, Thomas Jarosch wrote:
> > Hello Albert,
> >
> > is there any way to verify the integrity of poppler source
> > releases?
> >
> > I didn't spot a GPG signature for the tarball
> > or a simple SHA256 / MD5 checksum.
> >
> > If a gpg signature is too much effort, it would already help if
> > there's an official sha256sum in the release announcement on the
> > mailinglist.
> > (https://lists.freedesktop.org/archives/poppler/2018-July/013275.html)
> >
> > That would help to verify the download server has not been tampered
> > with.
>
> You mean you're afraid somebody hacked on freedesktop git and
> replaced
> https://cgit.freedesktop.org/poppler/poppler/tag/?h=poppler-0.67.0
> to a different commit than the one that I originally tagged?
I think he meant the tarballs, which in Poppler are released without
any checksum.
It helps to minimize any MITM.
Thomas:
You can verify the tarballs by:
1. downloading the tarball and calculating the checksum of your
preference.
2. getting a copy from git, checking out the release tag, building it,
running make distcheck to create your own tarball, calculating the
checksum, and comparing it with the value you obtained in 1.
That is what I do when I need to add a reference to poppler's tarball
in a flatpak.
--
Germán Poo-Caamaño
http://calcifer.org/
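The two-step comparison described in the message above, as an added shell example that is not part of the thread or of the poppler project. It assumes only standard tools (sha256sum or shasum, tar, diff, mktemp); the tarball names are placeholders. It also carries the one caveat a practitioner hits in practice: a tarball rebuilt with make distcheck at a later time can differ from the published one in archive metadata (file mtimes, ownership, compression headers) while containing byte-identical sources, so a digest mismatch is checked a second time by unpacking both archives and diffing the trees before it is treated as tampering.

```shell
#!/bin/sh
# Added example (not poppler's own code). Assumes sha256sum or shasum,
# tar, diff and mktemp are available; tarball names are placeholders.

# SHA-256 digest of a file (sha256sum on GNU systems, shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Steps 1 and 2 of the procedure: the downloaded tarball ($1) and the one
# rebuilt from the release tag ($2) must hash to the same value.
# Prints both digests; exit status 0 on match, 1 on mismatch.
checksums_match() {
    a=$(sha256_of "$1")
    b=$(sha256_of "$2")
    printf 'downloaded: %s\nreproduced: %s\n' "$a" "$b"
    [ "$a" = "$b" ]
}

# Fallback for a digest mismatch: unpack both archives and compare the
# trees file by file. Archive metadata (mtimes, uid/gid, compression
# headers) is ignored by diff, so this isolates content changes.
# Exit status 0 if every file is identical, 1 otherwise.
contents_match() {
    work=$(mktemp -d)
    mkdir "$work/a" "$work/b"
    tar -xf "$1" -C "$work/a"
    tar -xf "$2" -C "$work/b"
    if diff -r "$work/a" "$work/b" >/dev/null; then
        rm -rf "$work"
        return 0
    else
        rm -rf "$work"
        return 1
    fi
}

# Build a constructed stand-in tarball (no real poppler sources) so the
# functions above can be exercised offline.
# $1 = output .tar, $2 = content of the single file inside,
# $3 = optional mtime in touch -t format (YYYYMMDDhhmm).
make_sample_tar() {
    src=$(mktemp -d)
    mkdir "$src/poppler-X.Y.Z"
    printf '%s\n' "$2" > "$src/poppler-X.Y.Z/configure.ac"
    if [ -n "$3" ]; then
        touch -t "$3" "$src/poppler-X.Y.Z/configure.ac" "$src/poppler-X.Y.Z"
    fi
    tar -cf "$1" -C "$src" poppler-X.Y.Z
    rm -rf "$src"
}

# Usage: sh verify-tarball.sh downloaded.tar.xz reproduced.tar.xz
if [ $# -eq 2 ]; then
    if checksums_match "$1" "$2"; then
        echo "OK: identical tarball"
    elif contents_match "$1" "$2"; then
        echo "OK: archive metadata differs but unpacked contents are identical"
    else
        echo "MISMATCH: do not use the download until the difference is explained" >&2
        exit 1
    fi
fi
```

A matching digest is the strongest result, since it shows the download server handed out exactly what the tag produces. A metadata-only difference is expected when the rebuild happens on another day or machine; only a content difference in the unpacked trees points at a modified tarball.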