Cherrytree: GPG signatures for source validation

Created on 16 Dec 2020  路  20Comments  路  Source: giuspen/cherrytree

Hey Giuseppe,
I am NicoHood, maintainer of some ArchLinux packages. My roommate @Gituser789 is using your software for years now and super happy about that. He asked me to add cherrytree to the official ArchLinux repositories. I am happy to do that, if the sources are PGP signed. Here is a short description why:

As we all know, today more than ever before, it is crucial to be able to trust our computing environments. One of the main difficulties that package maintainers of GNU/Linux distributions face, is the difficulty to verify the authenticity and the integrity of the source code. With GPG signatures it is possible for packagers to verify source code releases quickly and easily.

In order to securely package your software I am kindly requesting GPG signatures for the source tarballs. If you are not yet familiar with secure source code signing I recommend using GPGit which automates the process of secure source code signing and also has a quick start guide on GPG for learning how to use it manually.

If you have any questions, please let me know :-)

Most helpful comment

spdlog will no longer be bundled in the sources from next version 0.99.28

All 20 comments

Hi Nico that's fine I'll try and gpg sign from the next release 0.99.26

Nice!

Would you mind having a look at the current AUR PKGBUILD? I'd adapt this one, but I got a few questions:

  • Can you please have a look at the used build flags, if those are correct?
  • What about the uchardet dependency? This is not listed in the readme, I guess that could be fixed? Or is it obsolete now?
  • I am curios: Why is this package half c++ and half python?
  • If you have any important change in the build process in the future it would be nice if you could email me or reply to this topic :-)
  • Uchardet is correct, I have to update the readme
  • python-lxml is no longer a build dependency (but python3 is necessary to build only)
  • -DBUILD_TESTING:BOOL=OFF you need to build/run the unit tests on a headless server without xvfb
  • the project used to be Pygtk2 now Gtkmm3

Thanks a lot!

I tried to enable the unit tests (very useful), however I get the error:

CMake Error at tests/CMakeLists.txt:4 (add_subdirectory):
  The source directory

    /build/cherrytree/src/cherrytree-0.99.25/tests/googletest

  does not contain a CMakeLists.txt file.

I guess I need to download some additional files, do you have any hint? The built is run in a chroot, so it should be considered "headless"

If you download the .tar.xz from giuspen.com there are the googletest source files but if you download a tag from GitHub you won't find it because it's a git submodule

0.99.26 will be GPG signed, so closing this now

Thanks for adding signatures!

The information on the download page is a bit confusing and the signature should be rather a detached signature:

gpg2 --digest-algo SHA512 --armor --detach-sign cherrytree.tar.xz

# And verify with:
gpg2 --verify cherrytree.tar.xz.asc

That is the common usage, also supported by the packaging tools

The key does not expire, is that correct?

I'm no expert with the gpg signing, I've been trying to reuse the key I have setup for launchpad / giuspen ppa but I'm not sure I made it right, let me try again with your suggestions

Sure no problem. I am happy to help. GPG is super annoying, but its the only tool we have to secure sources like that...

Also, you could enable git commit signing:
https://github.com/NicoHood/gpgit#32-enable-commit-signing

Maybe gpgit is worth a look, as it explains a secure and basic gpg setup in short, but also gives you the tool to automate the whole thing. (Spoiler: I've also written that to help maintainers like you)

Thanks Nico, I updated the script and the download page, with the link to the .asc file.
I will have a look to your tool but I quite like to have control of the commands, I didn't know about the detached signature and I'm glad I now know :)

By the way, where can I find the GPG public key to verify the signature?

Found it, thanks!

I've noticed that there are some external libraries in https://github.com/giuspen/cherrytree/tree/master/src

Two of them I've found in the arch repos:
https://archlinux.org/packages/community/x86_64/spdlog/
https://archlinux.org/packages/extra/x86_64/p7zip/

Is it possible to also link them as a shared library? You are more familiar with the build process :-)

Edit: The GPG signatures now work fine! Also many thanks to morgenstern from the AUR for helping me out with the unit tests!

@NicoHood I've tried building with the shared library of spdlog 1.5.0, but the build failed. Most likely due to incompatible version.

p7zip is strongly customised, about spdlog it was not me to add it so I don't know yet if it's easy to use an external version nor the reason to bundle it, I'll have a look

Is there a specific reason why using -O3? I am asking because of:

Using -O3 does not guarantee that the software will perform better, and sometimes it can even slow down the program. It can also break software in some situations. There is a good reason why the Arch Linux developers choose -O2 as the target optimization level and we should stick with it. Unless you know exactly what you're doing, or if upstream explicitly tells or implies that -O3 is needed, we should avoid using it in our packages.

https://wiki.archlinux.org/index.php/CMake_package_guidelines#Notes_about_-O3

-O2 is OK for me.

spdlog will no longer be bundled in the sources from next version 0.99.28

-O3 also breaks builds on Debian unstable, but -O2 is fine.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

kharaktur picture kharaktur  路  9Comments

ghost picture ghost  路  3Comments

afonsomatos picture afonsomatos  路  3Comments

philogit picture philogit  路  8Comments

casainho picture casainho  路  7Comments