Gentoo Forums
verify-sig and distfile verification
Forum: Networking & Security
Sipos (Tux's lil' helper)
Joined: 10 Sep 2004, Posts: 122, Location: London

Posted: Wed Feb 19, 2025 9:39 am    Post subject: verify-sig and distfile verification

Hi, I am installing a system for the first time using the Gentoo binhost. As such, it matters a little more if I enable unnecessary USE flags, and this has led me to a question about what verify-sig does and how upstream distributed files are verified normally.

I guess that, without verify-sig enabled, upstream source archives or other files have their hash stored in an ebuild by the maintainer, presumably after they have downloaded them securely, for example over HTTPS from the upstream project or by verifying a signature on them if available. That hash is then checked by emerge when building the package on the system installing it. Is this roughly correct?

With verify-sig I guess that, in addition to the above, a public key is downloaded and the upstream file signature is verified on the system it is built/installed on. Is that also correct?

How are the public keys distributed? I guess the same way as the source archives and other upstream files?

Am I right in saying that it isn't really necessary for users to enable verify-sig, assuming they trust package maintainers not to accidentally include a malicious copy of a file or act maliciously themselves? If so, am I right in saying that really the only benefit for a user enabling verify-sig is to make it easier to trace how files are verified?

In the past I'd have blindly enabled it unless it caused me any issues, but if I want to use binhost packages, obviously that isn't an option (and I am not going to be actually verifying the affected signatures on my machine anyway, since I am using packages where this was or was not done when the package was built, and I am just verifying the signature of that through a different mechanism).

Thanks in advance for any answers.
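The Manifest-hash path the post describes (the check that runs whether or not verify-sig is enabled), as an added illustration that is not code from the original post or from Portage: a Gentoo Manifest records each DIST file's size plus BLAKE2B and SHA512 digests, and emerge recomputes them on the fetched file before unpacking. The distfile bytes, the filename and the Manifest line below are constructed for the example. It models only the Manifest check; the OpenPGP signature check that verify-sig adds on top needs a keyring and gpg, which an offline example cannot carry.

```python
import hashlib
import hmac

# Constructed sample data (not a real Gentoo distfile): the bytes of a
# hypothetical upstream tarball and the name it would be fetched under.
SAMPLE_NAME = "example-1.0.tar.gz"
SAMPLE_DATA = b"constructed tarball bytes standing in for an upstream release\n"


def digests(data: bytes) -> dict:
    """Return the digests a Gentoo Manifest records, keyed by their Manifest names."""
    return {
        "BLAKE2B": hashlib.blake2b(data).hexdigest(),  # 512-bit BLAKE2b, as in Manifests
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def manifest_line(name: str, data: bytes) -> str:
    """Build a 'DIST <name> <size> BLAKE2B <hex> SHA512 <hex>' Manifest entry for a file."""
    d = digests(data)
    return f"DIST {name} {len(data)} BLAKE2B {d['BLAKE2B']} SHA512 {d['SHA512']}"


def parse_manifest(text: str) -> dict:
    """Parse the DIST entries of a Manifest into {filename: (size, {hash_name: hex})}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "DIST":
            continue  # EBUILD/MISC/AUX entries are not distfiles; skip them here
        name, size = parts[1], int(parts[2])
        # The remaining fields alternate HASHNAME HEXDIGEST.
        hashes = dict(zip(parts[3::2], parts[4::2]))
        entries[name] = (size, hashes)
    return entries


def verify_distfile(name: str, data: bytes, manifest_text: str) -> tuple:
    """
    Replicate the Manifest check emerge performs on a fetched distfile.
    Returns (ok, problems); problems lists every mismatch found, so a
    tampered file reports both the size and each digest that disagrees.
    """
    entries = parse_manifest(manifest_text)
    if name not in entries:
        return False, [f"{name}: no DIST entry in Manifest"]
    expected_size, expected_hashes = entries[name]
    problems = []
    if len(data) != expected_size:
        problems.append(f"size mismatch: expected {expected_size}, got {len(data)}")
    actual = digests(data)
    for algo, expected_hex in expected_hashes.items():
        if algo not in actual:
            problems.append(f"unsupported hash {algo} in Manifest")
            continue
        # Constant-time comparison; the digests are ASCII hex strings.
        if not hmac.compare_digest(actual[algo], expected_hex.lower()):
            problems.append(f"{algo} mismatch")
    return (not problems), problems


# The Manifest line a maintainer would have committed after fetching the
# file securely; constructed here from the sample bytes.
SAMPLE_MANIFEST = manifest_line(SAMPLE_NAME, SAMPLE_DATA) + "\n"


if __name__ == "__main__":
    print(SAMPLE_MANIFEST.strip())
    print("untouched:", verify_distfile(SAMPLE_NAME, SAMPLE_DATA, SAMPLE_MANIFEST))
    tampered = SAMPLE_DATA[:-1] + b"X"  # same length, different content
    print("tampered: ", verify_distfile(SAMPLE_NAME, tampered, SAMPLE_MANIFEST))
```

A same-length tamper passes the size check and is caught only by the digests, which is why the size field alone is never enough; a mismatch on any recorded digest fails the file.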