[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows



Some of you might be aware that the instructions for verifying our
*-CHECKSUM files on Windows have been broken since we moved to SHA256.
Previously, we linked users to a sha1sum.exe built by the GnuPG
project.  With SHA256, we don't have that ability.

Fortunately, the good folks working on MingW have made it possible for
us to build a sha256sum.exe from the coreutils sources.  We can do
this in koji even.  (A huge thanks to Richard Jones for his help and
patches.)

Much of this is discussed at https://bugzilla.redhat.com/527060.

I've created a simple mingw32-sha256sum package, built it in koji and
tested it on the lone Windows XP system I have readily available.  Of
course, I just built this as a scratch build, so it will expire at
some point.

What I'm here for is to gather ideas for how to properly go about
building the mingw32-sha256sum and keeping it around so that when I
extract the sha256sum.exe and upload it to fedoraproject.org we will
have the koji built rpm to compare the binary against.  Otherwise, the
whole process falls back to "Trust that Todd didn't trojan the
executable."  And while I'd be flattered if folks had that much trust
in me, I think it would be unwise to encourage or expect. :)

(I really don't want to maintain the mingw32-sha256sum package for
Fedora, as it's just a quick and dirty hack to built a small subset of
of coreutils for Windows.)

Thoughts?

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Courage is not the absence of fear, but rather the judgment that
something else is more important than fear.
    -- Ambrose Redmoon

Attachment: pgpmxs3rwRcNF.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]