* Whose keys go on elpa/gnupg/pubring.gpg?
@ 2015-01-08  3:36 Kelly Dean
From: Kelly Dean @ 2015-01-08  3:36 UTC
  To: emacs-devel

Just the package repositories' keys (elpa, melpa, marmalade)?

In that case, where do individual package maintainers' keys go?

Or is the package manager only intended to support verification of the repositories' signatures, but not package maintainers' signatures?

If package maintainers' keys are supposed to go on that keyring, then package-refresh-contents gives no assurance that the repository's key signed the archive-contents file; it only assures that some random package maintainer (any whose key is on the keyring) decided to sign the file, perhaps after inserting some of his own goodies. Needless to say, this makes pranks a little too easy.

If the keyring is supposed to contain only keys of people the user trusts to run code, then technically this isn't a vulnerability, but it still isn't the right thing to do. Emacs should record which key is for which repository, and only accept signatures made by the right key.




* Re: Whose keys go on elpa/gnupg/pubring.gpg?
@ 2015-01-08  5:01 ` Stefan Monnier
From: Stefan Monnier @ 2015-01-08  5:01 UTC
  To: Kelly Dean; +Cc: emacs-devel

> In that case, where do individual package maintainers' keys go?

Nowhere: the signatures only certify that this is the file that was
created on elpa.gnu.org.  Adding package maintainers' signatures would
be a very different enterprise, which we haven't attacked (yet?).


        Stefan




* Re: Whose keys go on elpa/gnupg/pubring.gpg?
@ 2015-01-08  6:40   ` Kelly Dean
From: Kelly Dean @ 2015-01-08  6:40 UTC
  To: Stefan Monnier; +Cc: emacs-devel

Stefan Monnier wrote:
>> In that case, where do individual package maintainers' keys go?
>
> Nowhere: the signatures only certify that this is the file that was
> created on elpa.gnu.org.

That's only the case if elpa.gnu.org is the only repository whose key is on the keyring, since package-refresh-contents trusts any repository's key on the keyring to sign any other repository's archive-contents file. Again, technically not a vulnerability, but still not good.




* Re: Whose keys go on elpa/gnupg/pubring.gpg?
@ 2015-01-08 14:20     ` Stefan Monnier
From: Stefan Monnier @ 2015-01-08 14:20 UTC
  To: Kelly Dean; +Cc: emacs-devel

>>> In that case, where do individual package maintainers' keys go?
>> Nowhere: the signatures only certify that this is the file that was
>> created on elpa.gnu.org.
> That's only the case if elpa.gnu.org is the only repository whose key is on
> the keyring, since package-refresh-contents trusts any repository's key on
> the keyring to sign any other repository's archive-contents file. Again,
> technically not a vulnerability, but still not good.

That's right, except for one nitpick: the signatures themselves do
certify that this file was created on elpa.gnu.org.
It's only the package.el signature-checking which doesn't bother to
check that the signature is made with the repository's corresponding key.


        Stefan



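The distinction drawn in this thread (gpg itself certifies which key signed the file; package.el accepted any key on pubring.gpg rather than the key belonging to the archive being refreshed) can be shown with the following added example, which is not Emacs's or package.el's own code. It parses `gpg --status-fd` output and places the keyring-wide acceptance policy beside a per-archive key pin; the archive names, fingerprints and status lines are constructed for the example.

```python
import re
from typing import Iterable, Optional

# Constructed sample data: hypothetical per-archive key pins and the set of
# fingerprints present on pubring.gpg. Neither is Emacs's real key material.
PINNED_FPR = {
    "gnu": "1111222233334444555566667777888899990000",
    "other-repo": "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333",
}
KEYRING_FPRS = set(PINNED_FPR.values())

# gpg --status-fd lines: VALIDSIG carries the full fingerprint of the signing
# key; GOODSIG confirms the signature is good (not bad, expired or revoked).
_VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{32,40})\b")
_GOODSIG = re.compile(r"^\[GNUPG:\] GOODSIG ")


def signer_fingerprint(status_lines: Iterable[str]) -> Optional[str]:
    """Return the fingerprint of the key that made a good signature, or None."""
    fpr, good = None, False
    for line in status_lines:
        m = _VALIDSIG.match(line)
        if m:
            fpr = m.group(1)
        elif _GOODSIG.match(line):
            good = True
    return fpr if good else None


def weak_accept(status_lines: Iterable[str]) -> bool:
    """Policy the thread criticises: a good signature from any key on the
    keyring is accepted, whichever archive the file came from."""
    fpr = signer_fingerprint(list(status_lines))
    return fpr is not None and fpr in KEYRING_FPRS


def pinned_accept(archive: str, status_lines: Iterable[str]) -> bool:
    """Policy the thread proposes: the signature must be made by the key
    recorded for that specific archive."""
    fpr = signer_fingerprint(list(status_lines))
    return fpr is not None and fpr == PINNED_FPR.get(archive)


# Constructed status output: the "gnu" archive-contents file carrying a good
# signature from the key that belongs to "other-repo".
CROSS_SIGNED = [
    "[GNUPG:] GOODSIG EEEEFFFF00001111 Other Repo <repo@example.invalid>",
    "[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0000111122223333 2015-01-08 "
    "1420675200 0 4 0 1 8 00 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333",
]
```

For `CROSS_SIGNED`, `weak_accept` returns True while `pinned_accept("gnu", ...)` returns False, which is exactly the gap Kelly describes.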