Update verifying_builds.md #99

Open
wants to merge 1 commit into
base: master
from

Conversation

3 participants
bartero commented Aug 25, 2018

I have just learned that the Lineage team has changed the way they sign the public builds.

I got to know why the **keytool** keeps telling me `Not a signed jar file` from this [post](https://forum.fairphone.com/t/official-lineageos-15-1-builds-not-signed/42173).

Please update your wiki page! :-)

Commit: Update verifying_builds.md
brad2014 commented Aug 26, 2018

Also: the update_verifier uses an embedded public key, but I don't see any way to get a fingerprint of that key that is posted to a public site (as was done with the old method at https://wiki.lineageos.org/verifying-builds.html).

What is the advantage of the new approach? Using the signed jar file inspired a lot of confidence because it is such a well-known method, and easy to test using a tool (keytool) from outside the site of the code we're validating.
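One way to obtain the fingerprint brad2014 is asking for, as an added example that is not part of this PR or of the update_verifier project: read the embedded key file (assumed to be PEM or bare base64 DER; the name `lineageos_pubkey` is taken from the discussion), hash its DER encoding in the colon-separated SHA-256 layout keytool prints, and compare it with a value obtained out of band. The key content below is constructed for the example, not a real key.

```python
import base64
import hashlib
import re

# Constructed sample of what an embedded key file could look like.
# NOT the real LineageOS key: the payload is just base64("abc").
SAMPLE_KEY_FILE = """-----BEGIN PUBLIC KEY-----
YWJj
-----END PUBLIC KEY-----
"""

_PEM_RE = re.compile(r"-----BEGIN [A-Z ]+-----(.*?)-----END [A-Z ]+-----", re.S)


def key_file_to_der(text: str) -> bytes:
    """Return the DER bytes from a PEM block, or from bare base64 when the
    file has no PEM armour (assumed possible format of the embedded key)."""
    match = _PEM_RE.search(text)
    body = match.group(1) if match else text
    body = "".join(body.split())  # drop line breaks and whitespace
    if not body:
        raise ValueError("no key material found in file")
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 digest, the layout keytool uses."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def key_fingerprint(text: str) -> str:
    """Fingerprint of the key as stored in the file."""
    return sha256_fingerprint(key_file_to_der(text))


def _normalize(fp: str) -> str:
    # Accept "AB:CD", "ab cd" or "abcd" style fingerprints alike.
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def pin_matches(text: str, pinned: str) -> bool:
    """True when the embedded key matches a fingerprint published out of band
    (a wiki page, a signed announcement, a value a trusted person read to you)."""
    return _normalize(key_fingerprint(text)) == _normalize(pinned)


if __name__ == "__main__":
    print(key_fingerprint(SAMPLE_KEY_FILE))
```

Run it against the real key file (e.g. `open("lineageos_pubkey").read()`) and the printed value is what a maintainer would have to publish on a second channel for the chain of trust to hold.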

htgoebel commented Aug 30, 2018

I suggest dropping the old instructions completely. There is no use in carrying old stuff. The new way seems to work for old archives, too. (At least for the archive I've tested.)

Anyway, the new instructions have several issues:
a) the pip install command as shown tries to install system-wide, thus it needs to be run as root (or --user needs to be passed)
b) this will pollute the system's or, respectively, the user's environment, which might not be desired
c) on Windows pip might not be on the path (see this talk)

The preferable and recommended way is to use a virtual environment:

```shell
git clone https://github.com/LineageOS/update_verifier
cd update_verifier
python3 -m venv .
bin/pip install -r requirements.txt
bin/python update_verifier.py lineageos_pubkey /path/to/zip
```
htgoebel commented Aug 30, 2018

@brad2014 I described the way to re-establish the chain of trust after the way to verify public builds has changed here: https://www.goebel-consult.de/blog/really-verifying-lineageos-build-authenticity

bartero commented Aug 31, 2018

@htgoebel Thank you for your effort!
I will look at it later today
