From: ludo@gnu.org (Ludovic Courtès)
To: Mark H Weaver <mhw@netris.org>
Cc: guix-devel@gnu.org, Alex Kost <alezost@gmail.com>
Subject: Re: Checking signatures on source tarballs
Date: Wed, 07 Oct 2015 22:59:14 +0200 [thread overview]
Message-ID: <87bnca2y59.fsf@gnu.org> (raw)
In-Reply-To: <87io6iojmf.fsf@netris.org> (Mark H. Weaver's message of "Wed, 07 Oct 2015 10:09:44 -0400")
Mark H Weaver <mhw@netris.org> skribis:
> ludo@gnu.org (Ludovic Courtès) writes:
>
>> Mark H Weaver <mhw@netris.org> skribis:
>>
>>> IMO, we should rather be going in the other direction, to formalize and
>>> automate the checking of signatures. IMO, our 'origin' objects should
>>> include a set of fingerprints of acceptable GPG signing keys for that
>>> package, as well as information on how to find the signature (in cases
>>> where it cannot be guessed).
>>
>> I thought about it (it used to be in TODO), but this design has several
>> problems. One of them is that a keyring is needed if we are to verify
>> signatures; where do we get it?
>
> We can download the keys from a public keyserver. However, checking
> these signatures would be optional. The sha256 hashes would continue to
> be the authentication method used by default. My goal is to improve
> security by making it easy for others to independently verify the
> signatures, and to keep an institutional knowledge of which keys are
> authorized to sign for which packages.
I agree with the goals. I’m just wondering how this can be achieved in
practice in a way that scales.
I would suggest starting with GNU, because it’s easier. If we manage to
get something that works and scales to all of GNU, then let’s extend it.
>> Most of the time the authentication model is trust-on-first-download:
>> The packager fetches upstream’s public key when they first download a
>> tarball (so this particular phase is subject to MiTM), and subsequent
>> downloads are checked against the key that’s already in the packager’s
>> keyring.
>
> Right, and every time the package is updated, that's another opportunity
> for a MiTM attack.
Not if the package is updated by the same person that retrieved the key
initially (similar to TOFU with SSH.)
>>> This would have several beneficial effects:
>>>
>>> * If the packager downloaded a key belonging to a man-in-the-middle
>>> (quite possible given that we rarely have a validated chain of trust
>>> to the developer), then that bad key will be stored in our git repo
>>> for all to see, allowing someone to notice that it's the wrong key.
>>
>> So you’re suggesting to put the keyring under version control in a way,
>> right?
>
> No, I suggest storing only the key fingerprints.
How do we know which key is authorized for which package?
Even for GNU, we’d have to ask the FSF, and obviously the set of
authorized keys for each package keeps changing. So we’d need the FSF
to provide us with a database/server to answer questions such as “which
public keys could sign for GNU Foo at this date?” in a secure way.
>>> Also, our linter should download and check the signature, so that it's
>>> easy for others to independently check the verification done by the
>>> original packager.
>>
>> ‘guix import gnu’ and ‘guix refresh’ already do that, but only for GNU
>> packages.
>
> The current mechanism is very weak. _Any_ key on your keyring could
> sign the package, and it will be happy with that, thus reducing the
> security of the check to that of the weakest key on your keyring. Also,
> each person who performs the check downloads the key from the keyserver
> independently, typically without any verification that we haven't been
> MiTM'd.
Sure, I agree. But that’s what we have.
When I download a package, the best I can do is to download its .sig and
check it, optionally adding the corresponding public key to my keyring
if it’s missing. And that’s it.
There’s a handful of packages for which I know personally the person who
uploads tarballs and their associated key. For the rest, I just have to
trust the .sig to originate from an “authorized person”.
What you suggest would be perfect but, if I understand it correctly,
it’s far from reality. There’s not a single project I know of that
publishes the list of public keys authorized to sign its tarballs. Even
if they did, we’d need a way to authenticate that list.
Does that make sense? Sounds very tricky to me!
Thanks,
Ludo’.
next prev parent reply other threads:[~2015-10-07 20:59 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-02 13:04 emacs: devel: Add lint/download commands Alex Kost
2015-10-02 13:04 ` [PATCH 1/4] emacs: Add 'guix-devel-with-definition' Alex Kost
2015-10-03 20:31 ` Ludovic Courtès
2015-10-02 13:04 ` [PATCH 2/4] emacs: Add 'guix-devel-download-package-source' Alex Kost
2015-10-03 20:35 ` Ludovic Courtès
2015-10-04 13:39 ` Alex Kost
2015-10-04 16:57 ` Ludovic Courtès
2015-10-04 18:28 ` Alex Kost
2015-10-05 15:55 ` Ludovic Courtès
2015-10-06 15:11 ` Alex Kost
2015-10-07 2:07 ` Checking signatures on source tarballs Mark H Weaver
2015-10-07 3:18 ` Christopher Allan Webber
2015-10-07 8:29 ` Andreas Enge
2015-10-07 12:06 ` Ludovic Courtès
2015-10-07 14:09 ` Mark H Weaver
2015-10-07 18:05 ` Leo Famulari
2015-10-07 20:59 ` Ludovic Courtès [this message]
2015-10-08 11:44 ` Ludovic Courtès
2015-10-12 8:37 ` Brandon Invergo
2015-10-12 9:18 ` [bug-gsrc] " Brandon Invergo
2015-10-12 16:38 ` Ludovic Courtès
2015-10-12 21:26 ` Brandon Invergo
2015-10-12 21:34 ` Ludovic Courtès
2015-10-12 22:06 ` Brandon Invergo
2015-10-13 9:47 ` Ludovic Courtès
2015-10-12 16:39 ` Ludovic Courtès
2016-02-22 4:20 ` Christopher Allan Webber
2015-10-10 7:22 ` Alex Vong
2015-10-10 17:03 ` Mark H Weaver
2015-10-11 17:44 ` Ludovic Courtès
2015-10-14 5:33 ` Rastus Vernon
2015-10-15 13:33 ` Mark H Weaver
2015-10-07 17:45 ` Alex Kost
2015-10-07 12:23 ` [PATCH 2/4] emacs: Add 'guix-devel-download-package-source' Ludovic Courtès
2015-10-07 17:25 ` Alex Kost
2015-10-07 19:15 ` Ian Denhardt
2015-10-09 12:14 ` Alex Kost
2015-10-07 22:10 ` Ludovic Courtès
2015-10-08 11:27 ` Alex Kost
2015-10-08 11:46 ` Ludovic Courtès
2015-10-09 12:08 ` Alex Kost
2015-10-09 12:17 ` Ludovic Courtès
2015-10-09 14:00 ` [PATCH] emacs: Add 'guix-devel-build-package-source' Alex Kost
2015-10-11 18:33 ` Ludovic Courtès
2015-10-08 14:43 ` [PATCH 2/4] emacs: Add 'guix-devel-download-package-source' Christopher Allan Webber
2015-10-08 15:03 ` Ludovic Courtès
2015-10-02 13:04 ` [PATCH 3/4] lint: Export 'run-checkers' Alex Kost
2015-10-03 20:36 ` Ludovic Courtès
2015-10-02 13:04 ` [PATCH 4/4] emacs: Add 'guix-devel-lint-package' Alex Kost
2015-10-03 20:44 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bnca2y59.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=alezost@gmail.com \
--cc=guix-devel@gnu.org \
--cc=mhw@netris.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).