Software instructions

Table of contents

Introduction

Here you will find methods to assert the authenticity of the presented software packages.

Extract

The following extract is from a post by Mike Gerwitz:

Git Host

Git hosting providers are probably the most easily overlooked trustees—providers like Gitorious, GitHub, Bitbucket, SourceForge, Google Code, etc. Each provides hosting for your repository and “secures” it by allowing only you, or other authorized users, to push to it, often with the use of SSH keys tied to an account. By using a host as the primary holder of your repository—the repository from which most clone and push to—you are entrusting them with the entirety of your project; you are stating, “Yes, I trust that my source code is safe with you and will not be tampered with”. This is a dangerous assumption. Do you trust that your host properly secures your account information? Furthermore, bugs exist in all but the most trivial pieces of software, so what is to say that there is not a vulnerability just waiting to be exploited in your host’s system, completely compromising your repository?

It was not too long ago (March 4th, 2012) that a public key security vulnerability at GitHub was exploited by a Russian man named Egor Homakov, allowing him to successfully commit to the master branch of the Ruby on Rails framework repository hosted on GitHub. Oops.

Copyright © 2019 Mike Gerwitz. Licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.

Signing keys

You may contact me directly to obtain the public key fingerprint in a different way.

KeyFingerprint
pgp_pubkey_since_2019.txtpgp_pubkey_fingerprint_since_2019.txt

Terminology

Commands are to be run in the project directory.

VariableDescriptionCommand
project_dirthe full path directory of the projectexport project_dir="$(pwd)"
projectthe project nameexport project="$(basename "$(pwd)")"
project_python_modulethe python module name of the project. For example: md-toc is md_tocproject_python_module="$(basename "$(pwd)" | tr '-' '_')"
project_version_release_timestampthe timestamp of a software version (tag) in UTC formatproject_version_release_timestamp="$(python3 -c 'from dateutil import parser as dateutil_parser; from dateutil.tz import UTC; import sys; p = dateutil_parser.parse(sys.argv[1]); u=p.astimezone(UTC); print(u.strftime("%Y-%m-%d %T"))' "$(git tag -l --format='%(taggerdate)' $(git describe --tags $(git rev-list --tags --max-count=1)))")"
tagthe git tag name which is usually semveredexport tag="$(git describe --tags $(git rev-list --tags --max-count=1))"
tag_rawsame as tag but pad each component of the tag with 6 zeros. For example: 12.121.5 becomes 000012.000121.000005-
signing_keythe public key file used to sign the archive file-
has_changelogthe project has a changelog entry for a specific release. Value must be either true or false-
is_on_pypithe project is on PyPI. Value must be either true or false-
changelog_slugified_headerthe slugified header corresponding to a tag in a changelog file-
urla generic url-
pypi_download_pagethe URL of the download page of the package on PyPI-

Methods

Upload (what I have to do)

What follows are the steps I use to upload the software page.

  1. create an archive

    cd /tmp
    git -C ${project_dir} archive --format=tar.gz --output=/tmp/${project}-${tag}.tar.gz --prefix=${project}-${tag}/ ${tag}
    
  2. sign the archive

    gpg --armor --output ${project}-${tag}.tar.gz.sig --detach-sig ${project}-${tag}.tar.gz
    
  3. get the checksums

    sha512sum ${project}-${tag}.tar.gz > ${project}-${tag}.tar.gz.SHA512SUM.txt
    sha256sum ${project}-${tag}.tar.gz > ${project}-${tag}.tar.gz.SHA256SUM.txt
    
  4. if the project is on PyPI

    make dist
    cd dist
    sha256sum ${project_python_module}-${tag}-py3-none-any.whl > ${project_python_module}-${tag}-py3-none-any.whl.SHA256SUM.txt
    md5sum ${project_python_module}-${tag}-py3-none-any.whl > ${project_python_module}-${tag}-py3-none-any.whl.MD5SUM.txt
    
  5. create a new entry in the _pages/software.md file

    - [`${tag}`](/software/${project}-${tag}/release.html)
    
  6. create a new release file called _software/${project}-${tag}/release.md and add the following. If it is not a Python project you must omit the software_name_python_module variable. Add the ### Added, ### Removed, etc… (changelog) contents if applicable.

    ---
    layout: software_release
    enable_markdown: true
    title: release
    excerpt: none
    software_name: ${project}
    software_name_python_module: ${project_python_module}
    software_version: ${tag}
    software_version_raw: ${tag_raw}
    release_timestamp: ${project_version_release_date}
    is_on_pypi: ${is_on_pypi}
    has_changelog: ${has_changelog}
    signing_public_key: ${signing_key}
    ---
    
    ### Added
    
    - a
    - b
    - c
    
    ### Removed
    
    ...
    

Download (what you have to do)

Run the following to download and verify the software.

  1. if the public key is unknown you must import it from a trusted source

    cd /tmp
    wget "${public_key_url}"
    gpg --import "${public_key_file}"
    
  2. download the repository

    cd /tmp
    wget ${url}/${project}-${tag}.tar.gz.sig
    
  3. check the signature

    wget ${url}/${project}-${tag}.tar.gz
    gpg --verify ${project}-${tag}.tar.gz.sig
    
  4. run the checksums

    sha512sum --check ${project}-${tag}.tar.gz.SHA512SUM.txt
    sha256sum --check ${project}-${tag}.tar.gz.SHA256SUM.txt
    
  5. extract

    tar -xvzf ${project}-${tag}.tar.gz
    
  6. if it is a Python project on PyPI

    wget ${pypi_download_page}/${project_python_module}-${tag}-py3-none-any.whl
    sha256sum --check ${project_python_module}-${tag}-py3-none-any.whl.SHA256SUM.txt
    md5sum --check ${project_python_module}-${tag}-py3-none-any.whl.MD5SUM.txt
    

Post a new comment