[RCD] Cryptographic signatures for release tags or tarballs
Guilhem Moulin <guilhem <at> guilhem.org>
2015-10-17 23:23:03 GMT
Your download page lists the SHA256 checksums of the tarballs to let
users verify the integrity of the downloaded file(s). To address a
different threat model and offer integrity verification of cryptographic
quality [1], please also consider signing your git tags (with ‘git tag
--sign’), and/or provide detached cryptographic signatures for the
future release tarballs.
As far as Debian is concerned a detached OpenPGP signature would be
preferable since our packaging tools can automatically download tarballs
and cryptographically verify their integrity in one go. Assuming you
have an OpenPGP key [2], an ASCII armored (.asc) detached signature can
be generated with
gpg --armor --detach-sign /path/to/roundcubemail-x.y.z.tar.gz
Completely unrelated, please note that the “1.1.3 — Dependent” tarball
includes moxieplayer.swf, while the last mention of moxieplayer in your
changelog says “TinyMCE security issue: removed moxieplayer (embedding
flv and mp4 is not supported anymore)”. Was it re-added by mistake?
(Anyway that file violates the DFSG and will be removed from the
upcoming 1.1.3 Debian packages.)
[1] Fair enough, your checksums are delivered over HTTPS. But an
attacker breaking into your web server could fool us all. On the
other hand cryptographic signatures raise the bar by far (assuming
they are generated on the devs' platform). Furthermore OpenPGP is
independent of (and orthogonal to) the X.509 PKI in general, and the
CA cartel in particular, hence addresses a different threat model.
[2] Otherwise there are numerous tutorials available online. The Debian
project has its own on http://keyring.debian.org/creating-key.html .
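The round-trip behind the request above, as an added example that is not code from the post's author or from the Roundcube project: a developer signs a tarball with the exact command given, a downstream consumer verifies it, and a tampered download shows why a server-side checksum alone does not help. It assumes gpg 2.1+ and coreutils sha256sum; the key identity and tarball contents are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not the project's code): detached OpenPGP signature for a
# release tarball vs. a checksum published on the same server.
set -eu

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT
TARBALL="$WORK/roundcubemail-x.y.z.tar.gz"   # placeholder name, as in the post

# Throwaway key standing in for the developer's key (hypothetical identity).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Release Demo <release@example.invalid>' ed25519 sign 1d

# Constructed release content.
mkdir "$WORK/src"
echo 'constructed release content' >"$WORK/src/README"

# Developer side: build the tarball, publish its checksum, and sign it
# with the command from the post (run where the signing key lives).
publish_release() {
    tar -czf "$TARBALL" -C "$WORK" src
    sha256sum "$TARBALL" >"$WORK/SHA256SUMS"
    gpg --batch --quiet --yes --armor --detach-sign "$TARBALL"
}

# Downstream side (what a packaging tool does): each returns 0 on success.
checksum_matches() { sha256sum -c --status "$WORK/SHA256SUMS"; }
signature_valid()  { gpg --batch --quiet --verify "$TARBALL.asc" "$TARBALL" 2>/dev/null; }

# Someone with write access to the web server swaps the tarball and rewrites
# the checksum list; without the private key, the .asc cannot be redone.
tamper_with_server() {
    echo 'injected change' >>"$WORK/src/README"
    tar -czf "$TARBALL" -C "$WORK" src
    sha256sum "$TARBALL" >"$WORK/SHA256SUMS"
}

report() { if "$1"; then echo "$1: OK"; else echo "$1: FAIL"; fi; }

publish_release
report checksum_matches; report signature_valid      # both OK
tamper_with_server
report checksum_matches; report signature_valid      # checksum OK, signature FAIL
```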
Roundcube Development discussion mailing list
dev <at> lists.roundcube.net