in case you're wondering: yes i sent the release mail from laanwj@protonmail.com instead of laanwj@gmail.com this time, PGP key is the same

@pete good point i'll look into installing OTS on the release signing machine
(it's not entirely trivial for…reasons…)

@orionwl Does it really need to be on the release signing machine? OTS proofs are self-verifying after all, so all you need is the ability to upload to the website.

@pete oh right! i was thinking of the git gpg wrapper, but that's not what one'd use here i suppose
what would be your suggested order?

- make SHA256SUMS
- sign it to make SHA256SUMS.asc
- timestamp it to make SHA256SUMS.asc.ots

then ship the .asc and .asc.ots

or something else?

@orionwl Yeah, simply timestamp SHA256SUMS.asc and upload the .ots proof.

I'd advise *against* timestamping the SHA256SUMS files directly, as that gives the wrong impression as to what the main purpose of the timestamp is: validation of the PGP signatures into the future, not validation of the releases themselves.

@orionwl The PGP signature packet format does *not* include the full digest of what is being signed - just 16 bits of the digest - so there could be a potential issue with verifying the file contents if quantum computing ever becomes a thing. IIRC ECC sigs act like hash functions even with quantum computing, so IIUC they would be verifiable. I don't know about RSA.

tools.ietf.org/html/rfc4880#se

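The point in the reply above about the signature packet carrying only 16 bits of the digest, as an added example that is not part of the thread: it parses a v4 signature packet body (RFC 4880 section 5.2.3), recomputes the signed digest the way a verifier does (section 5.2.4), and compares it with the two digest bytes the packet stores. The packet is constructed here with a placeholder MPI rather than a real signature, all function names are my own, and only a bare v4 binary-document signature body (no packet header or ASCII armor) is assumed.

```python
import hashlib
import struct

HASHES = {2: "sha1", 8: "sha256", 10: "sha512"}  # RFC 4880 section 9.4 algorithm ids

def signed_digest(document: bytes, hashed_part: bytes, hash_id: int) -> bytes:
    """Full digest a verifier recomputes (RFC 4880 section 5.2.4, sig type 0x00)."""
    trailer = b"\x04\xff" + struct.pack(">I", len(hashed_part))
    return hashlib.new(HASHES[hash_id], document + hashed_part + trailer).digest()

def build_sig_body(document: bytes, hash_id: int = 8) -> bytes:
    """Constructed v4 signature body; the MPI is a placeholder, not a real signature."""
    hashed_sub = bytes([5, 2]) + struct.pack(">I", 1600000000)  # creation time
    unhashed_sub = bytes([9, 16]) + bytes(8)                    # issuer, zeroed key id
    head = bytes([4, 0x00, 1, hash_id]) + struct.pack(">H", len(hashed_sub)) + hashed_sub
    left16 = signed_digest(document, head, hash_id)[:2]
    mpi = struct.pack(">H", 8) + b"\xff"                        # 8-bit dummy MPI
    return head + struct.pack(">H", len(unhashed_sub)) + unhashed_sub + left16 + mpi

def parse_sig_body(body: bytes) -> dict:
    """Split a v4 signature packet body into the fields of section 5.2.3."""
    version, sig_type, pk_algo, hash_id = body[:4]
    if version != 4:
        raise ValueError("only v4 signature packets are handled")
    (hlen,) = struct.unpack(">H", body[4:6])
    hashed_end = 6 + hlen
    (ulen,) = struct.unpack(">H", body[hashed_end:hashed_end + 2])
    at = hashed_end + 2 + ulen
    if at + 2 > len(body):
        raise ValueError("truncated signature packet")
    return {"sig_type": sig_type, "pk_algo": pk_algo, "hash_id": hash_id,
            "hashed_part": body[:hashed_end], "left16": body[at:at + 2],
            "mpis": body[at + 2:]}

def quick_check(document: bytes, body: bytes) -> bool:
    """Compare the recomputed digest with the only digest bytes the packet stores."""
    f = parse_sig_body(body)
    return signed_digest(document, f["hashed_part"], f["hash_id"])[:2] == f["left16"]

if __name__ == "__main__":
    doc = b"constructed SHA256SUMS contents\n"  # constructed sample input
    body = build_sig_body(doc)
    fields = parse_sig_body(body)
    full = signed_digest(doc, fields["hashed_part"], fields["hash_id"])
    print("digest bytes stored in packet:", len(fields["left16"]), "of", len(full))
    print("left16 matches recomputed digest:", quick_check(doc, body))
```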

@orionwl One option of course would be to have a git repo of all the binaries and timestamp the git repo itself. Then publish on the website only the .ots proof for the .asc, extracted with the git-extract command.

@pete that would work, though i don't think a git repository is particularly suitable for storing binaries

in any case: i've uploaded a timestamped .asc here: bitcoincore.org/bin/bitcoin-co

will try to do so from now on for releases

@orionwl I've got literally hundreds of gigabytes of stuff in git repos, using git-annex. Even without git-annex, storing binaries in git repos when the intent is long-term 100% complete archiving is fine. Only downside is normal checkouts take up twice the space.

Looks like the full set of binaries is a couple hundred MB. git can handle that just fine out of the box.

@FreePietje @orionwl @joeyh git-annex is awesome software! I've been using it for years.
