All,
I just announced GNU InetUtils with Sigsum signatures:
https://lists.gnu.org/archive/html/bug-inetutils/2025-02/msg00002.html
Below are the Sigsum-related commands I ran to Sigsum-sign the release including verification.
Does anyone have suggestions on how to improve the announcement text and/or commands used to sign things?
I'd like to establish a "best practice" on how to Sigsum-protect software source code releases, for other maintainers to follow.
It uses an 8/15 GoogleTrustFabric witness quorum in the trust policy file, not mentioned in the release notes since this information doesn't seem widely published yet.
I don't like storing the rate-limiting domain token private key on disk. I noticed it is recommended to use a separate key for this, but what are the risks if people would start to use their software signing key instead? Aren't the signatures domain separated? Key management is a hassle, so reducing the number of private keys people have to manage the lifecycle for leads to an overall security improvement. I would also prefer to use my hardware-bound OpenPGP signing subkey (instead of my hardware-bound OpenPGP authentication subkey), but I haven't been able to figure out the SSH agent tooling for this.
/Simon
ssh-add -L > jas.pub
sigsum-submit -k jas.pub inetutils-2.6.tar.gz
sigsum-submit -k jas.pub inetutils-2.6.tar.xz
sigsum-submit -k jas.pub inetutils-v2.6-src.tar.gz
cp ../www-inetutils/sigsum-policy.txt .
sigsum-submit --timeout 30s --diagnostics=debug -p sigsum-policy.txt --token-signing-key ~/self/sigsum-token-secret-josefsson.org/mykey --token-domain josefsson.org inetutils-2.6.tar.gz.req
sigsum-submit --timeout 30s --diagnostics=debug -p sigsum-policy.txt --token-signing-key ~/self/sigsum-token-secret-josefsson.org/mykey --token-domain josefsson.org inetutils-2.6.tar.xz.req
sigsum-submit --timeout 30s --diagnostics=debug -p sigsum-policy.txt --token-signing-key ~/self/sigsum-token-secret-josefsson.org/mykey --token-domain josefsson.org inetutils-v2.6-src.tar.gz.req
sigsum-verify -k jas.pub -p sigsum-policy.txt inetutils-2.6.tar.gz.proof < inetutils-2.6.tar.gz
sigsum-verify -k jas.pub -p sigsum-policy.txt inetutils-2.6.tar.xz.proof < inetutils-2.6.tar.xz
sigsum-verify -k jas.pub -p sigsum-policy.txt inetutils-v2.6-src.tar.gz.proof < inetutils-v2.6-src.tar.gz
sha256sum inetutils-2.6.tar.gz | cut -d' ' -f1 | base16 -d | sha256sum
sha256sum inetutils-2.6.tar.xz | cut -d' ' -f1 | base16 -d | sha256sum
sha256sum inetutils-v2.6-src.tar.gz | cut -d' ' -f1 | base16 -d | sha256sum
sigsum-monitor --interval 5s -p sigsum-policy.txt jas.pub
build-aux/gnupload --to ftp.gnu.org:inetutils inetutils-2.6.tar.gz.proof inetutils-2.6.tar.xz.proof inetutils-v2.6-src.tar.gz.proof
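An added example (my code, not Simon's commands or the Sigsum project's tooling) that does in Python what the sha256sum | cut | base16 -d | sha256sum pipeline above does: it derives the message that sigsum-submit -k signs and the leaf checksum that sigsum-monitor reports, and shows why the base16 -d step (hashing the raw 32-byte digest, not its hex text) matters when matching monitor output against a release tarball. The message = SHA-256(file), checksum = SHA-256(message) relation is taken from that pipeline; the function names and the sample bytes are mine.

```python
import hashlib


def sigsum_message(data: bytes) -> str:
    """Hex SHA-256 of the artifact: the message that sigsum-submit -k signs."""
    return hashlib.sha256(data).hexdigest()


def sigsum_leaf_checksum(data: bytes) -> str:
    """Hex SHA-256 over the raw 32-byte message digest: the leaf checksum a
    monitor reports. Same as: sha256sum f | cut -d' ' -f1 | base16 -d | sha256sum
    """
    raw_message = hashlib.sha256(data).digest()  # 32 raw bytes, not 64 hex chars
    return hashlib.sha256(raw_message).hexdigest()


def hex_text_double_hash(data: bytes) -> str:
    """The pitfall the base16 -d step avoids: hashing the 64-character hex
    string instead of the raw digest. Never matches a log entry."""
    hex_text = hashlib.sha256(data).hexdigest().encode("ascii")
    return hashlib.sha256(hex_text).hexdigest()


def monitor_checksum_matches(data: bytes, reported_hex: str) -> bool:
    """True if a checksum printed by sigsum-monitor belongs to this artifact."""
    return sigsum_leaf_checksum(data) == reported_hex.strip().lower()


if __name__ == "__main__":
    # Constructed stand-in for a release tarball; not real inetutils content.
    sample = b"constructed tarball bytes\n"
    print("message  :", sigsum_message(sample))
    print("checksum :", sigsum_leaf_checksum(sample))
    print("hex-text :", hex_text_double_hash(sample), "(wrong, for comparison)")
    print("match    :", monitor_checksum_matches(sample, sigsum_leaf_checksum(sample)))
```

To check a real release, read the tarball bytes and compare the returned checksum with the value sigsum-monitor prints for the same leaf.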
Simon Josefsson via Sigsum-general sigsum-general@lists.sigsum.org writes:
Hi
Here is a software announcement with pointers to Sigsum proofs
https://lists.gnu.org/archive/html/help-libtasn1/2025-02/msg00000.html
The artifact can be reproduced by GitLab pipeline or offline by following the same recipe as in .gitlab-ci.yml ('R-guix' job) on the git tag.
Ideas for improvements?
Are you able to build a "libtasn1 release monitor" out of this information?
/Simon