unofficial mirror of emacs-devel@gnu.org 
 help / color / mirror / code / Atom feed
* Whose keys go on elpa/gnupg/pubring.gpg?
@ 2015-01-08  3:36 Kelly Dean
  2015-01-08  5:01 ` Stefan Monnier
  0 siblings, 1 reply; 4+ messages in thread
From: Kelly Dean @ 2015-01-08  3:36 UTC (permalink / raw)
  To: emacs-devel

Just the package repositories' keys (elpa, melpa, marmalade)?

In that case, where do individual package maintainers' keys go?

Or is the package manager only intended to support verification of the repositories' signatures, but not package maintainers' signatures?

If package maintainers' keys are supposed to go on that keyring, then package-refresh-contents gives no assurance that the repository's key signed the archive-contents file; it only assures that some random package maintainer (any whose key is on the keyring) decided to sign the file, perhaps after inserting some of his own goodies. Needless to say, this makes pranks a little too easy.

If the keyring is supposed to contain only keys of people the user trusts to run code, then technically this isn't a vulnerability, but it still isn't the right thing to do. Emacs should record which key is for which repository, and only accept signatures made by the right key.



^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: Whose keys go on elpa/gnupg/pubring.gpg?
  2015-01-08  3:36 Whose keys go on elpa/gnupg/pubring.gpg? Kelly Dean
@ 2015-01-08  5:01 ` Stefan Monnier
  2015-01-08  6:40   ` Kelly Dean
  0 siblings, 1 reply; 4+ messages in thread
From: Stefan Monnier @ 2015-01-08  5:01 UTC (permalink / raw)
  To: Kelly Dean; +Cc: emacs-devel

> In that case, where do individual package maintainers' keys go?

Nowhere: the signatures only certify that this is the file that was
created on elpa.gnu.org.  Adding package maintainer's signatures would
be a very different enterprise, which we haven't attacked (yet?).


        Stefan



^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: Whose keys go on elpa/gnupg/pubring.gpg?
  2015-01-08  5:01 ` Stefan Monnier
@ 2015-01-08  6:40   ` Kelly Dean
  2015-01-08 14:20     ` Stefan Monnier
  0 siblings, 1 reply; 4+ messages in thread
From: Kelly Dean @ 2015-01-08  6:40 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: emacs-devel

Stefan Monnier wrote:
>> In that case, where do individual package maintainers' keys go?
>
> Nowhere: the signatures only certify that this is the file that was
> created on elpa.gnu.org.

That's only the case if elpa.gnu.org is the only repository whose key is on the keyring, since package-refresh-contents trusts any repository's key on the keyring to sign any other repository's archive-contents file. Again, technically not a vulnerability, but still not good.



^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: Whose keys go on elpa/gnupg/pubring.gpg?
  2015-01-08  6:40   ` Kelly Dean
@ 2015-01-08 14:20     ` Stefan Monnier
  0 siblings, 0 replies; 4+ messages in thread
From: Stefan Monnier @ 2015-01-08 14:20 UTC (permalink / raw)
  To: Kelly Dean; +Cc: emacs-devel

>>> In that case, where do individual package maintainers' keys go?
>> Nowhere: the signatures only certify that this is the file that was
>> created on elpa.gnu.org.
> That's only the case if elpa.gnu.org is the only repository whose key is on
> the keyring, since package-refresh-contents trusts any repository's key on
> the keyring to sign any other repository's archive-contents file. Again,
> technically not a vulnerability, but still not good.

That's right, except for one nitpick: the signatures themselves do
certify that this file was created on elpa.gnu.org.
It's only the package.el signature-checking which doesn't bother to
check that the signature is made with the repository's corresponding key.


        Stefan



^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-01-08 14:20 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-01-08  3:36 Whose keys go on elpa/gnupg/pubring.gpg? Kelly Dean
2015-01-08  5:01 ` Stefan Monnier
2015-01-08  6:40   ` Kelly Dean
2015-01-08 14:20     ` Stefan Monnier

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).