[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [gcmd-usr] signature file available

From: Uwe Scholz
Subject: Re: [gcmd-usr] signature file available
Date: Fri, 20 Oct 2017 15:52:38 +0200

Hi Joe,

sorry for my late response, I have been absent for some time.

Am Fri, 13 Oct 2017 23:12:45 -0500 schrieb Joe:
> On 10/09/2017 12:27 AM, Uwe Scholz wrote:
> > Hi Joe,
> >
> > Thank you for your question. When I upload a new package for 
> > deployment to the Gnome server, a sha256 checksum is generated.
> > This one is always stored in the download folder of
> > Gnome-Commander. See here:
> >
> > https://download.gnome.org/sources/gnome-commander/1.8/
> >
> > Best wishes
> > Uwe
> Thanks.  No, didn't mean a checksum - though checksum is useful to
> rule out download errors, it doesn't verify that the file downloaded
> wasn't tampered with, then placed on the D/L site or a mirror site.
> You may have heard there's a lot of serious maliciousness on the web
> now days?
> If you remember, even Linux Mint's ISO files were hacked (on their
> site) & included malware.  I believe also Ubuntu's site was hacked at
> one point (a while back).
> I meant signature files, as in *.asc files to use gpg to verify the 
> "file signed with developer's signing key" (where the developer signs 
> the gnome-commander-1.8.0.tar.xz), then posts the *.asc signature
> file on the site:  gnome-commander-1.8.0.tar.xz.asc.  You would also 
> (generally) have to upload your public key to  several of the well
> known public key servers, like hkp://keyserver.ubuntu.com:11371 &
> others, for users to download and use in the file verification
> process.
> Many developers now provide signed files & their signing key. Here 
> https://ftp.mozilla.org/pub/firefox/releases/56.0/update/linux-x86_64/en-US/, 
> you see the signed update files, and the *.asc signature files (of
> same name).  Or here 
> https://www.torproject.org/download/download-easy.html.en - under the 
> D/L buttons, if you right click the (small) "sig" link & "save as", 
> you'll see it's an .asc file - same name as the installer file,
> like: tor-browser-linux64-7.0.4_en-US.tar.xz.asc

Thank you for the detailed explanation of all that. Yes, I have heard
about the Equifax hack and even the company I am working with has to
adapt code or update libraries after that hack (we are also using the
Struts java framework).

Coming back to your original question. I made some research in the last
days. It turned out that the Makefile.am of the Gnome Commander
project was configured to generate a .tar.bz2 file for distribution.
This file is uploaded to the Gnome server when I provide a new version.
But several years ago the Gnome team decided to only ship .tar.xz files
from their server. That's why they internally convert the
uploaded .tar.bz2 file into a .tar.xz file.

I tried to convert the locally generated .bz2 archive into a .xz one,
but the size of my own file and the one from the Gnome server differs.
I suspect that the root cause for this is that I am using different
xz-options than they do on the Gnome server (there are different
compression levels one can use).

I did not search further but I asked on the Gnome mailing list and they
said that when I upload a .tar.xz archive right from the beginning they
would use exactly this file for distribution, without any change. Then I
will be able to sign this file also and provide a signature on the Gnome
Commander homepage.

I will do this after the next release and provide a signature.

Best wishes and thank you for asking this question!


reply via email to

[Prev in Thread] Current Thread [Next in Thread]