I added this idea here:
You mentioned an archival service, what is that? One idea is to recommend that people get things archived in Software Heritage:
I don't find how to add tarballs though, otherwise maybe sigsum-submit could have an option to confirm that the artifact has been archived by Software Heritage.
Simon Josefsson via Sigsum-general sigsum-general@lists.sigsum.org writes:
It is okay if I make a mistake and sign some corrupt tarball: I can explain this situation if I still have the corrupt tarball. But if I run a set of commands to sign some artifact that I accidentally remove, then things are really bad for that key.
To reduce the risk for mistakes, when using your actual release signing key, it makes sense to ensure that the artifact is reliably archived, *before* signing and submitting it to the log. Maybe we can add some features to sigsum-submit to help, e.g., accept both a url and a local file as argument, and ensure that they are identical before signing, or maybe even upload directly with the archival service if we can define the conventions for that.
Yes, I think that this combined functionality would be nice. Since the "no hidden release" property appears to depend so strongly on a workflow that forever only adds signatures for publicly available content, the tools can help to assert that before completing the upload.
I'm thinking something like this:
ssh-add -L > jas.pub
sigsum-submit -k jas.pub libidn2-2.3.8.tar.gz
sigsum-submit --timeout 30s --diagnostics=debug -p sigsum-policy-20250309.txt --token-signing-key ~/self/sigsum-token-secret-josefsson.org/mykey --token-domain josefsson.org --content-url https://ftp.gnu.org/gnu/libidn/libidn2-2.3.8.tar.gz libidn2-2.3.8.tar.gz.req
The tool should attempt to download the URL and verify that its SHA256 checksum matches the 'message' field in the *.req file.
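As an added example (not sigsum-submit's own code and not from anyone in this thread), the check described above in Python: read the 'message' field from the request file, hash the content the public URL serves, and only report success when the two agree. The one-key=value-per-line layout of the .req file and the sigsum-submit default of message = SHA256(file) are assumptions here.

```python
"""Added example, not sigsum-submit's own code: confirm that what a public
URL serves is exactly what a sigsum request (*.req) file commits to."""
import hashlib
import hmac
from urllib.request import urlopen


def parse_request(req_text: str) -> dict:
    """Parse the key=value lines of a request file (layout assumed here).

    Only 'message' is needed for the check; other lines (signature, public
    key) are kept but not interpreted.
    """
    fields = {}
    for line in req_text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed request line: {line!r}")
        fields[key] = value
    if "message" not in fields:
        raise ValueError("request file has no 'message' field")
    return fields


def content_matches_request(req_text: str, content: bytes) -> bool:
    """True iff SHA256(content) equals the request's 'message' field."""
    expected = parse_request(req_text)["message"].lower()
    if len(expected) != 64:
        raise ValueError("'message' is not a 32-byte hex digest")
    actual = hashlib.sha256(content).hexdigest()
    # compare_digest avoids length/prefix short-circuits; harmless here,
    # and the right habit for any digest comparison.
    return hmac.compare_digest(expected, actual)


def url_matches_request(url: str, req_text: str, timeout: float = 30.0) -> bool:
    """Online step from the thread: fetch the artifact, then run the check.

    A mismatch means the signer's local file is not what the world can
    download, so signing/submitting should stop here.
    """
    with urlopen(url, timeout=timeout) as resp:
        return content_matches_request(req_text, resp.read())


# Constructed sample (not a real release): content b"abc", whose SHA256 is
# the well-known ba7816bf...f20015ad, and a request file committing to it.
SAMPLE_CONTENT = b"abc"
SAMPLE_REQ = (
    "message=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad\n"
)
```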
Sigsum-general mailing list -- sigsum-general@lists.sigsum.org