[tex-live] [pretest] Announcement/Warning - cryptographic signatures

Norbert Preining preining at logic.at
Tue Apr 12 09:20:22 CEST 2016


Dear all using TL pretest,

today I have committed a big bunch of changes to verify the integrity
of downloaded packages by cryptographic signatures.

If the rebuild succeeds tonight (which is unlikely, though ;-)
from tomorrow on there should be hardly any change besides some
additional output like:
	$ tlmgr update --list
	cryptographic signature of http://localhost/tlpretest-norb/tlpkg/texlive.tlpdb.sha512 verified
	tlmgr: package repository http://localhost/tlpretest-norb
	....

In case something breaks badly you can easily disable these checks
using the new command line option
	--no-verify-downloads

By default *if* a gpg binary is found verification is attempted.

What basically happens is that the tlpdb that is downloaded is checked
against a sha512 checksum, and the sha512 checksum is checked against
a detached gpg signature.

The releases are signed with a GPG key
	0x06BAB6BC TeX Live Distribution <tex-live at tug.org>
with fingerprint
	C78B 82D8 C795 12F7 9CC0  D7C8 0D5E 5D91 06BA B6BC
(actually with a signing subkey for those interested in details)

This key is signed with both Karl Berry's and my gpg key:
	0x30D155AD Karl Berry <karl at freefriends.org>
	0x860CDC13 Norbert Preining <norbert at preining.info>
All three keys are readily available on keyservers for those
who want an even higher level ;-) (BTW, this email is also signed
with my key)

Comment for Windows Users:
I don't expect that the current code works out of the box on
Windows, and what is more, I don't think there are many Windows installations
with gpg binaries in the path.
We are discussing ways to distribute statically linked gpg binaries for
Windows TeX Live users without breaking the extremely stupid export
restrictions and requirements imposed by the US and many other countries.


Please let us know (here on the list) of any problems you encounter. In
case something breaks, it would be great if you can send the output
of the breaking tlmgr call with the -v command line option added. Thanks.

All the best

Norbert

------------------------------------------------------------------------
PREINING, Norbert                               http://www.preining.info
JAIST, Japan                                 TeX Live & Debian Developer
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0  ACF0 6CAC A448 860C DC13
------------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Digital signature
URL: <http://tug.org/pipermail/tex-live/attachments/20160412/4ac1d781/attachment.bin>
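The two-step check the announcement describes (a detached GPG signature over the sha512 checksum file, then that checksum over the tlpdb itself), written out as an added POSIX shell example. This is not tlmgr's own code and is not from the TeX Live project; it assumes the detached signature sits beside the checksum file as texlive.tlpdb.sha512.asc and that the .sha512 file is in the usual "hash  filename" layout that sha512sum -c reads. The repository, its tlpdb and the signing key are all constructed throw-aways, standing in for the real TeX Live Distribution key; the example also shows the two tampering cases the chain is meant to catch, and returns 2 (skipped) when no gpg binary is found, mirroring the "only if a gpg binary is found" behaviour described above.

```shell
#!/bin/sh
# Added example, not tlmgr's code: verify texlive.tlpdb via
#   (1) detached GPG signature over texlive.tlpdb.sha512
#   (2) sha512 checksum in that file over texlive.tlpdb
# File names, repository layout and the signing key are assumptions/constructed.

# GNU coreutils sha512sum if present, otherwise the perl/BSD shasum.
sha512_sum()   { if command -v sha512sum >/dev/null 2>&1; then sha512sum "$1"; else shasum -a 512 "$1"; fi; }
sha512_check() { if command -v sha512sum >/dev/null 2>&1; then sha512sum -c --status "$1"; else shasum -a 512 -c --status "$1"; fi; }

# verify_tlpdb DIR -> 0 verified, 1 verification failed, 2 skipped (no gpg).
# DIR holds texlive.tlpdb, texlive.tlpdb.sha512 and texlive.tlpdb.sha512.asc (assumed name).
verify_tlpdb() {
    dir=$1
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not found, skipping verification"; return 2
    fi
    # Step 1: signature over the checksum file; gpg --verify exits non-zero on a bad signature.
    if ! gpg --batch --quiet --verify "$dir/texlive.tlpdb.sha512.asc" "$dir/texlive.tlpdb.sha512" 2>/dev/null; then
        echo "cryptographic signature of texlive.tlpdb.sha512 NOT verified"; return 1
    fi
    echo "cryptographic signature of texlive.tlpdb.sha512 verified"
    # Step 2: the (now trusted) checksum file over the tlpdb itself.
    if ! (cd "$dir" && sha512_check texlive.tlpdb.sha512); then
        echo "sha512 checksum of texlive.tlpdb does NOT match"; return 1
    fi
    echo "sha512 checksum of texlive.tlpdb verified"
    return 0
}

# demo: build a throw-away signed repository with a throw-away key in an
# ephemeral GNUPGHOME and run the check three times:
#   clean                     -> expect 0
#   tlpdb modified            -> expect 1 (checksum mismatch)
#   .sha512 rewritten to match-> expect 1 (signature no longer matches)
# Returns 0 if all three outcomes are as expected, 2 if gpg is unavailable.
demo() {
    if ! command -v gpg >/dev/null 2>&1; then return 2; fi
    work=$(mktemp -d) || return 1
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1
    repo="$work/repo"; mkdir "$repo" || return 1

    # Constructed stand-in for texlive.tlpdb (the real one is a large text database).
    printf 'name 00texlive.config\ncategory TLCore\ndepend release/2016\n' > "$repo/texlive.tlpdb"
    (cd "$repo" && sha512_sum texlive.tlpdb > texlive.tlpdb.sha512) || return 1

    # Throw-away ed25519 signing key (stands in for the TeX Live Distribution key).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Example Signer <signer@example.invalid>' ed25519 sign never 2>/dev/null || return 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --yes --armor \
        --output "$repo/texlive.tlpdb.sha512.asc" --detach-sign "$repo/texlive.tlpdb.sha512" 2>/dev/null || return 1

    rc_clean=0; verify_tlpdb "$repo" || rc_clean=$?
    # Tamper with the tlpdb: the signed checksum no longer matches.
    printf 'name evil-package\ncategory Package\n' >> "$repo/texlive.tlpdb"
    rc_tlpdb=0; verify_tlpdb "$repo" || rc_tlpdb=$?
    # Attacker "fixes" the checksum file but cannot re-sign it with the key.
    (cd "$repo" && sha512_sum texlive.tlpdb > texlive.tlpdb.sha512) || return 1
    rc_sha=0; verify_tlpdb "$repo" || rc_sha=$?

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    if [ "$rc_clean" -eq 0 ] && [ "$rc_tlpdb" -eq 1 ] && [ "$rc_sha" -eq 1 ]; then return 0; fi
    echo "unexpected results: clean=$rc_clean tlpdb=$rc_tlpdb sha512=$rc_sha"; return 1
}
```

Run it with `. ./verify-tlpdb.sh; demo` (or call `verify_tlpdb /path/to/mirror/tlpkg` on a real download). The order matters: the signature is checked first, so the checksum file is only trusted after it has been tied to the key; checking the checksum alone, as the last case shows, would accept a mirror that rewrote both the tlpdb and its .sha512. Note that gpg --verify returns success for any key in the keyring regardless of its trust level, so in practice the keyring used for this step should contain only the distribution key.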