[poppler] verify of released packages?
Albert Astals Cid
aacid at kde.org
Mon Aug 20 21:45:14 UTC 2018
On Monday, 20 August 2018, at 21:23:34 CEST, Germán Poo-Caamaño wrote:
> On Sat, 2018-08-18 at 18:48 +0200, Albert Astals Cid wrote:
> > On Saturday, 18 August 2018, at 15:41:38 CEST, Thomas Jarosch
> > wrote:
> > > Hello Albert,
> > >
> > > is there any way to verify the integrity of poppler source
> > > releases?
> > >
> > > I didn't spot a GPG signature for the tarball
> > > or a simple SHA256 / MD5 checksum.
> > >
> > > If a GPG signature is too much effort, it would already help if
> > > there's an official sha256sum in the release announcement on the
> > > mailing list.
> > > (https://lists.freedesktop.org/archives/poppler/2018-July/013275.html)
> > >
> > > That would help to verify the download server has not been tampered
> > > with.
> >
> > You mean you're afraid somebody hacked freedesktop git and replaced
> > https://cgit.freedesktop.org/poppler/poppler/tag/?h=poppler-0.67.0
> > with a different commit than the one that I originally tagged?
>
> I think he meant the tarballs, which in Poppler are released without
> any checksum.
Ah, right, I was thinking he meant the git hash and not the hash of the tarball itself :D
I guess I can sign the packages; I'm doing it when releasing KDE Applications, so it's not more work.
I'll try to remember for next release.
Cheers,
Albert
>
> It helps to minimize any MITM.
>
>
> Thomas:
>
> You can verify the tarballs by:
> 1. downloading the tarball and calculating the checksum of your
> preference.
> 2. getting a copy from git, checking out the release tag, building it,
> running make distcheck to create your own tarball, calculating the
> checksum, and comparing it with the value you obtained in 1.
>
> That is what I do when I need to add a reference to poppler's tarball
> in a flatpak.
>
>
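The two-step check Germán describes, written out as a script. This is an added example, not code from the thread or from the poppler project; the file names, the digest values and the tiny "source tree" it archives are constructed for the demonstration. It also covers the caveat a practitioner hits in step 2: an archive regenerated from the tag is rarely byte-identical to the released one (tar records mtimes, owners and entry order, gzip records a timestamp), so the script compares the extracted trees rather than the archive digests.

```shell
#!/bin/sh
# Added example, not code from the thread or from poppler: the two-step
# tarball check as a script. File names, digests and the sample source
# tree below are constructed for the demonstration.
set -eu

# Portable SHA-256 of one file: GNU coreutils sha256sum, or shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Step 1: compare the downloaded tarball with a digest published somewhere
# other than the download server (e.g. the release announcement on the list).
# A digest fetched from the same server as the tarball proves nothing if that
# server is what was tampered with. Returns 0 on match, 1 otherwise.
verify_sha256() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK: $1 matches the published sha256"
        return 0
    fi
    echo "MISMATCH: $1 has sha256 $actual, expected $2" >&2
    return 1
}

# Step 2: compare the downloaded tarball with one regenerated from the tagged
# commit. Archive digests usually differ even for identical contents, so
# extract both into fresh temporary directories and diff the trees instead.
# Extract as an unprivileged user; the archive under test is untrusted input.
# Returns 0 if the trees are identical, 1 if anything differs.
trees_match() {
    work=$(mktemp -d)
    mkdir "$work/a" "$work/b"
    tar -xzf "$1" -C "$work/a"
    tar -xzf "$2" -C "$work/b"
    if diff -r "$work/a" "$work/b" >/dev/null; then rc=0; else rc=1; fi
    rm -rf "$work"
    return "$rc"
}

# Demonstration on constructed data: one tiny source tree, archived twice with
# different mtimes (same content, different digests) and once after tampering.
demo() {
    d=$(mktemp -d)
    mkdir "$d/src"
    printf 'int main(void) { return 0; }\n' > "$d/src/main.c"
    tar -czf "$d/release.tar.gz" -C "$d" src        # stands in for the download
    touch -t 200001010000 "$d/src/main.c"
    tar -czf "$d/rebuilt.tar.gz" -C "$d" src        # stands in for the git rebuild
    printf 'system("id");\n' >> "$d/src/main.c"
    tar -czf "$d/tampered.tar.gz" -C "$d" src       # a modified tree

    # Constructed "published" digest: in practice, copy it from the announcement.
    published=$(sha256_of "$d/release.tar.gz")
    verify_sha256 "$d/release.tar.gz" "$published"

    if [ "$(sha256_of "$d/rebuilt.tar.gz")" != "$published" ]; then
        echo "rebuilt archive has a different digest (expected: tar metadata differs)"
    fi
    trees_match "$d/release.tar.gz" "$d/rebuilt.tar.gz" && echo "release and rebuilt trees are identical"
    trees_match "$d/release.tar.gz" "$d/tampered.tar.gz" || echo "tampered tree detected"
    rm -rf "$d"
}

demo
```

The example uses gzip archives so that `tar -xzf` works everywhere; for the .tar.xz files poppler ships, use `tar -xJf`. Once releases are signed, as Albert offers above, `gpg --verify poppler-X.Y.Z.tar.xz.sig poppler-X.Y.Z.tar.xz` against a key obtained out of band replaces step 1; a digest or signature served next to the tarball on the same host still only detects a corrupted download, not a compromised server.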