[RCD] Cryptographic signatures for release tags or tarballs

Guilhem Moulin guilhem at guilhem.org
Sun Oct 18 01:23:03 CEST 2015

Hi there,

Your download page lists the SHA256 checksums of the tarballs to let
users verify the integrity of the downloaded file(s).  To address a
different threat model and offer integrity verification of cryptographic
quality [0], please also consider signing your git tags (with ‘git tag
--sign’), and/or provide detached cryptographic signatures for the
future release tarballs.

As far as Debian is concerned a detached OpenPGP signature would be
preferable since our packaging tools can automatically download tarballs
and cryptographically verify their integrity in one go.  Assuming you
have an OpenPGP key [1], an ASCII armored (.asc) detached signature can
be generated with

    gpg --armor --detach-sign /path/to/roundcubemail-x.y.z.tar.gz

Completely unrelated, please note that the “1.1.3 — Dependent” tarball
includes moxieplayer.swf, while the last mention of moxieplayer in your
changelog says “TinyMCE security issue: removed moxieplayer (embedding
flv and mp4 is not supported anymore)”.  Was it re-added by mistake?
(Anyway that file violates the DFSG and will be removed from the
upcoming 1.1.3 Debian packages.)


[0] Fair enough, your checksums are delivered over HTTPS.  But an
    attacker breaking into your web server could fool us all.  On the
    other hand cryptographic signatures raise the bar by far (assuming
    they are generated on the devs' platform).  Furthermore OpenPGP is
    independent (and orthogonal) to the X.509 PKI in general, and to the
    CA cartel in particular, hence addresses a different threat model.

[1] Otherwise there are numerous tutorials available online.  The Debian
    project has its own on http://keyring.debian.org/creating-key.html .
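The signing and verification workflow the mail asks for, as an added example that is not part of the original post or of the Roundcube project: it generates a throwaway key in a temporary GNUPGHOME, signs a constructed stand-in tarball with the exact `gpg --armor --detach-sign` command above, verifies it, and then shows that a tarball altered after signing is rejected. The signer identity, tarball name and tarball contents are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original mail): sign a release tarball with
# an ASCII-armored detached OpenPGP signature, verify it, then show that a
# tampered tarball fails verification. Uses a throwaway key in a temporary
# GNUPGHOME, so it never touches the user's real keyring.
set -eu

# Constructed placeholders: throwaway signing identity and tarball name.
SIGNER="Release Signer (constructed example key) <release@example.invalid>"
TARBALL="roundcubemail-x.y.z.tar.gz"

# Non-interactive gpg; the empty passphrase is for the demo key only.
gpg_batch() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

new_keyring() {
    GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
    gpg_batch --quick-generate-key "$SIGNER" default default never
}

make_tarball() {   # a small constructed stand-in for the real release
    mkdir -p src && printf 'echo release\n' > src/program.sh
    tar -czf "$TARBALL" src
}

# The command from the mail: produces $1.asc next to the tarball.
sign_release() { gpg_batch --armor --detach-sign "$1"; }

# What a downloader (or Debian's packaging tools) runs: exit 0 only if
# $1.asc is a good signature over $1 by a key in the local keyring.
verify_release() { gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null; }

run_demo() {
    work="$(mktemp -d)"; cd "$work"
    new_keyring; make_tarball; sign_release "$TARBALL"
    verify_release "$TARBALL" || { echo "genuine tarball failed to verify"; return 1; }
    # An attacker controlling the download server can alter the tarball
    # and re-publish a matching SHA256, but cannot forge the signature.
    printf 'x' >> "$TARBALL"
    if verify_release "$TARBALL"; then echo "tampered tarball verified!"; return 1; fi
    echo "signature accepted genuine tarball and rejected tampered one"
    cd /; gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work" "$GNUPGHOME"
}

case "${1:-}" in run) run_demo ;; esac
```

Run it with `sh sign-demo.sh run`; in real use the verifier must first obtain the developers' public key through a trusted path, since a good signature from an unknown key proves nothing.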