[1987] in Kerberos_V5_Development
Re: alternatives for signing krb5 1.0
daemon@ATHENA.MIT.EDU (Theodore Y. Ts'o)
Wed Nov 20 17:27:36 1996
Date: Wed, 20 Nov 1996 17:27:11 -0500
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: Sam Hartman <hartmans@MIT.EDU>
Cc: "Barry Jaspan" <bjaspan@MIT.EDU>, krbdev@MIT.EDU
In-Reply-To: Sam Hartman's message of 20 Nov 1996 15:34:22 -0500,
<tslafscpktt.fsf@tertius.mit.edu>
From: Sam Hartman <hartmans@MIT.EDU>
Date: 20 Nov 1996 15:34:22 -0500
Personally, I think detached signatures from Ted for the
source tar ball are reasonable. However, the question was raised at
the meeting: who signs binary tarballs? The person who makes them, or
Ted?
What I have in mind is that when a person makes a distribution, they
should make a detached, ascii signature (using pgp -sba), signed by the
person who actually makes created the binary tarball.
The detached ascii signature will be included in a info file that looks
something like this:
------------- cut here
Kerberos V5 Binary Distribution
Distribution name: krb5-bin-sol24.tar.gz
Operating System: Solaris 2.4
Compiler: gcc v2.7.2
Configure options: --enable-shared
Generated by: Theodore Ts'o <tytso@mit.edu>
-----BEGIN PGP MESSAGE-----
Version: 2.6.2
iQCVAwUAMpOD2EQVcM1Ga0KJAQGxHgQAlGCc20zPqFHfvL8AeCWuZHPaE0TVCb4I
rzNxTQxAf4Uen9wTyRgJCDIKtrVYqIWFYXURKoprmJvrpTFKrbSWmXj2X3cHd7+w
L+jJyHNwKrJ6EV7nWH2fjYQg6XRDdpV5aQHbW6JDgQn0Om9Dd+xnT4Np64Avr750
chNtSwd7oEY=
=q8Ss
-----END PGP MESSAGE-----
------------- cut here
I will then cleartext sign the info file (pgp -sta) and what we will
release will be be a file "krb5-bin-sol24.info.asc". People who are
paranoid can run pgp on the file to verify my signature, and then run
pgp on the resulting krb5-bin-sol24.info file to verify the PGP
signature on the binary tarball.
Comments?
- Ted
