Zsh Mailing List Archive

Re: Checksums in release announcements and website

On Wed 3 Jun 2026, at 07:07, Jörg Sommer wrote:
> it would help to harden the chain of trust if the release
> announcement mails and the website https://zsh.sourceforge.io/releases.html
> contained checksums of the tar.xz.

oliver mentioned in w/54389 that the checksums are meant for integrity
verification, not security. but i'd be ok with this personally

On Wed 3 Jun 2026, at 07:07, Jörg Sommer wrote:
> And because the PGP key exists, would it be possible to sign the
> announcement mail?

i don't have any experience pgp-signing e-mails myself, so not sure how
much friction it would add, but maybe

On Wed 3 Jun 2026, at 07:07, Jörg Sommer wrote:
> BTW: Having the key next to the tar is helpful, but if an attacker can
> change the tar, they can also change the zsh-keyring. Having this file also at
> https://zsh.sourceforge.io/ would be good.

as part of the release process the artefacts are uploaded to these two
locations:

  https://sourceforge.net/projects/zsh/files/
  https://zsh.org/pub/

these are completely independent services, so if you're worried you
could cross-reference them. i guess a compromise of both is possible via
a dev's ssh key/agent though

sf also independently calculates its own checksums (click the little
'info' icon). but it doesn't seem to do sha-256

dana
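One way to act on the cross-referencing and keyring points above, as an added example that is not part of this thread or of the zsh release process: fetch the tarball from both upload locations, require identical SHA-256 digests, and verify the PGP signature with a keyring pulled from the other host. The SourceForge per-version path layout, the `.asc` file name, and the use of curl and gpg are assumptions; the version is a placeholder you supply.

```shell
#!/bin/sh
# Added example, not from the thread. Fetch a release tarball from the two
# independent upload locations, require identical SHA-256 digests, then
# verify the detached PGP signature with a keyring taken from the other host
# (so one compromised host cannot swap both tarball and zsh-keyring).
# Assumptions: SourceForge per-version path layout, curl, gpg; version is a
# placeholder you supply.
set -u

ZSH_ORG="https://zsh.org/pub"                       # from the thread
SF="https://sourceforge.net/projects/zsh/files/zsh" # layout below is an assumption

sha256_of() {
  # Portable digest: coreutils sha256sum, else BSD/macOS shasum.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# crosscheck A B: succeed only if both mirror copies hash identically.
# Two independent services agreeing makes a single-mirror tamper visible.
crosscheck() {
  a=$(sha256_of "$1") || return 1
  b=$(sha256_of "$2") || return 1
  if [ "$a" = "$b" ]; then
    echo "sha256 match: $a"
    return 0
  fi
  echo "sha256 MISMATCH: $1=$a $2=$b" >&2
  return 1
}

# verify_release VERSION: download, cross-check, gpg-verify in a throwaway
# keyring so only keys from the fetched zsh-keyring are trusted.
verify_release() {
  v="$1"; tar="zsh-$v.tar.xz"
  curl -fsSLo "sf-$tar"  "$SF/$v/$tar/download"
  curl -fsSLo "org-$tar" "$ZSH_ORG/$tar"
  curl -fsSLo "$tar.asc" "$ZSH_ORG/$tar.asc"
  curl -fsSLo zsh-keyring "$SF/$v/zsh-keyring/download"
  crosscheck "sf-$tar" "org-$tar" || return 1
  home=$(mktemp -d) || return 1
  gpg --homedir "$home" --quiet --import zsh-keyring || return 1
  gpg --homedir "$home" --verify "$tar.asc" "org-$tar"
}
```

Run `verify_release 5.9` (or whichever version you are installing); a non-zero exit from either the cross-check or gpg means the artefact should not be trusted.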