Suggestion: bmap files and bmaptool
dedekind1 at gmail.com
Tue Sep 17 13:38:27 UTC 2013
On Wed, 2013-08-14 at 12:24 +0200, Björn Persson wrote:
> Artem Bityutskiy wrote:
> >On Wed, 2013-08-14 at 11:44 +0200, Till Maas wrote:
> >> On Wed, Aug 14, 2013 at 12:21:23PM +0300, Artem Bityutskiy wrote:
> >> > On Wed, 2013-08-14 at 10:37 +0200, Till Maas wrote:
> >> > > On Wed, Aug 14, 2013 at 09:31:22AM +0300, Artem Bityutskiy wrote:
> >> > >
> >> > > > Other things like reading from remote sites, progress
> >> > > > indicator, protecting your mounted disks, uncompressing
> >> > > > on-the-fly, checking sha1 of the data ond of the bmap file
> >> > > > itself - are goodies, although important ones.
> >> > >
> >> > > Why sha1? If the check is there for security reasons, please use
> >> > > at least sha256.
> >> >
> >> > Should not be difficult to implement if there is demand.
> >> SHA-256 is used to create the signatures of other distributed files:
> >> https://fedoraproject.org/static/checksums/Fedora-19-i386-CHECKSUM
> >> Therefore if bmap is used it should also use at least SHA 256. It is
> >> recommended against using SHA-1 for more than 7 years now:
> >> http://csrc.nist.gov/groups/ST/hash/policy_2006.html
> >Sure, good point, thank you, I'll implement sha-256 support.
> Speaking of security, how is the integrity of the bmap file itself
> verified? A checksum is of no use if you don't know who generated the
> checksum. Fedora's checksum files are OpenPGP signed, as you can see in
> the one that Till linked to. I don't see a cryptographic signature in
> your example file. Are there detached signatures for the bmap files?
> And does Bmaptool verify the signatures?
I've implemented gpg signature verification.
Now the bmap file can be gpg-signed and in this case bmaptool will
verify the signature. Both Fedora-like "clearsign" gpg signatures and
detached signatures are supported.
More information about the devel