[Bf-committers] Signed checksum files

Danny McGrath dan at blender.org
Sat Feb 1 21:39:16 CET 2020

Hash: SHA512


The other day in blender.chat while dealing with the DDoS problem,
there was a request from one of the users for a secure method to
verify files off of the mirrors, in the event that our own server goes
down. The topic has also been discussed a few times over the years, as

Since I had a bit of time to look at some things, and to asses the
situation a bit more, I opted not to "properly" tackle the signing in
a long term way yet, but instead have decided to do a one time (and
possibly with updates) signing of a checksum (SHA512) file using my
personal GPG key, and store a copy of it in my personal FTP folder on
the download server, so that it isn't quite official, nor in the
public area, until we decide on some key related details.

A few of the decisions and questions that led to me avoiding tackling
this were:

  * inconsistent naming: some files are .md5, others are .md5sum

  * lack of directory structure: the source/ folder is one big
directory, which prevents a typical convention where you would create
a CHECKSUM.<type> file, with its associated .sign file for each
version of Blender, but release/ is grouped by versions

  * weak md5's still used/(some) lack of sha: Should we continue to
create MD5 checksum files? Should we also create SHA256/512 files?
Should we standardize names across both release/ and source/ folders?

  * old filenames _must_ be preserved: this is a tricky part because
under no circumstance should the filenames ever be changed. Otherwise
you break distributions like FreeBSD ports that pull from a specific
filename. Of course, the solution is to create (and maintain!) HTTP
redirects, or symbolic links, if you are moving the entire structure

  * GPG keys:
    - Should it be a personal key? (hint: no since changing is
problematic for the reasons below)
    - Should we name it similar to distributions?
      eg: "Blender Security Key" <security at blender.org>
    - Should it be distributed on Yubikeys to studios and devs?
    - How should the key be generated?
    - Who should have a backup?
    - Who should be able to access it via a smart card, like a Yubikey?
    - Should the key be official? If so, should it be used for things
like Docker signing etc?
    - What is the procedure to revoke and replace the key? Should a
compromised key trigger a resigning of old files that could break
distributions that may fetch it as part of their file manifest?

  * Non official files should be avoided: Once you put a file in the
public area, it could be risky to just remove/rename/change it, in
case a distribution has started using it somehow in their packaging

Well, you start to get the idea. So rather than having deal with all
of this right now, I opted to solicit feedback, and in the mean time,
provide a copy of the checksum as of today, signed by my personal key,
which I will also use to sign this email.

You can find the files in my personal FTP folder (man, we still have
"ftp" legacy around, eh?):


I left a copy of my GPG fingerprint in my Twitter profile
(@troubledaemon) as well. You can also grab the key via:

  wget https://download.blender.org/ftp/dan/publickey.txt

In order to verify it, import the key:

  gpg --import <filename>

Then download the CHECKSUMS files and run:

  gpg --verify CHECKSUMS.SHA512.asc

Honestly, this GPG stuff is way too nerdy, but there are some very
good benefits to having a signed checksum file. I could maybe even
update and sign it periodically if it is popular enough, but we should
probably consider something a little more official than me using my
personal GPG key. So consider this more of a courtesy after someone
was kinda enough to bring up the topic in blender.chat again!

I leave chain of trust, etc, as an exercise to the user. Anyway, sorry
for the poorly worded email, and have a good weekend! :)


Danny McGrath


More information about the Bf-committers mailing list