Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

Stephen John Smoogen smooge at gmail.com
Tue Nov 24 16:45:56 UTC 2009


On Tue, Nov 24, 2009 at 9:25 AM, Jesse Keating <jkeating at redhat.com> wrote:
> On Tue, 2009-11-24 at 10:33 -0500, Todd Zullinger wrote:
>> Some of you might be aware that the instructions for verifying our
>> *-CHECKSUM files on Windows have been broken since we moved to SHA256.
>> Previously, we linked users to a sha1sum.exe built by the GnuPG
>> project.  With SHA256, we don't have that ability.
>>
>> Fortunately, the good folks working on MingW have made it possible for
>> us to build a sha256sum.exe from the coreutils sources.  We can do
>> this in koji even.  (A huge thanks to Richard Jones for his help and
>> patches.)
>>
>> Much of this is discussed at https://bugzilla.redhat.com/527060.
>>
>> I've created a simple mingw32-sha256sum package, built it in koji and
>> tested it on the lone Windows XP system I have readily available.  Of
>> course, I just built this as a scratch build, so it will expire at
>> some point.
>>
>> What I'm here for is to gather ideas for how to properly go about
>> building the mingw32-sha256sum and keeping it around so that when I
>> extract the sha256sum.exe and upload it to fedoraproject.org we will
>> have the koji built rpm to compare the binary against.  Otherwise, the
>> whole process falls back to "Trust that Todd didn't trojan the
>> executable."  And while I'd be flattered if folks had that much trust
>> in me, I think it would be unwise to encourage or expect. :)
>>
>> (I really don't want to maintain the mingw32-sha256sum package for
>> Fedora, as it's just a quick and dirty hack to build a small subset
>> of coreutils for Windows.)
>>
>> Thoughts?
>
> Well, if you have to use a tool from the project, to verify other bits
> from the project, the verification just became a lot less trusted.  If
> you don't trust the bits you got from the project, why would you trust
> the tool the project gives you to verify the bits?  "Here use this tool
> to verify our bits.  Trust us, we swear!"

Well, giving people the instructions on how to compile this and getting
a 'neutral' party to make these for the various Linux distributions
would help. Depending on your level of trust, we could ask the Linux
Foundation, the FSF, or heck even micros.. ok scratch that one. But
basically we can make our own for the time being and give out plain
instructions for people to make them so that they can be replicated.



-- 
Stephen J Smoogen.

Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning
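
As an added illustration (not part of this thread and not Fedora's own tooling), the check a sha256sum.exe performs can be repeated with an independent SHA-256 implementation, here Python's hashlib, which gives a second opinion on a project-supplied binary. It assumes the coreutils `sha256sum` line format; the file names and data are constructed, and the signature on the checksum file itself is not verified here.

```python
import hashlib
import hmac
import os
import re
import tempfile

# coreutils line: 64 hex digits, a space, ' ' (text) or '*' (binary), then the file name
ENTRY = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def parse_checksum_file(text):
    """Return {filename: lowercase hex digest}; lines that are not entries are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(checksum_text, directory):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'}; only base names inside
    `directory` are opened, so a listed name cannot point elsewhere on disk."""
    results = {}
    for name, expected in parse_checksum_file(checksum_text).items():
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_of(path), expected):
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results

def demo():
    # Constructed sample: two small files and a checksum listing written for them.
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("good.iso", b"constructed sample"), ("bad.iso", b"tampered")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        listing = (f"{hashlib.sha256(b'constructed sample').hexdigest()} *good.iso\n"
                   f"{hashlib.sha256(b'original').hexdigest()} *bad.iso\n"
                   f"{hashlib.sha256(b'x').hexdigest()} *absent.iso\n")
        return verify(listing, d)
```
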



