From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: Re: Packaging packages with GPG signed source archives Date: Wed, 31 Aug 2016 13:22:04 -0400 Message-ID: <20160831172204.GB28096@jasmine> References: <87oa49crz1.fsf@gmail.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="DocE+STaALJfprDB" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:35986) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bf9DT-0004kX-9h for help-guix@gnu.org; Wed, 31 Aug 2016 13:22:24 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bf9DQ-0003kt-2Y for help-guix@gnu.org; Wed, 31 Aug 2016 13:22:23 -0400 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:41174) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bf9DM-0003kH-Rr for help-guix@gnu.org; Wed, 31 Aug 2016 13:22:19 -0400 Content-Disposition: inline In-Reply-To: List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org Sender: "Help-Guix" To: Arun Isaac Cc: Alex Kost , help-guix --DocE+STaALJfprDB Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Aug 31, 2016 at 01:17:57PM +0530, Arun Isaac wrote: Alex Kost wrote: > > I think the procedure is: a packager verifies the source and that's it. > > Since a package has a hash of the source, we can be sure that the source > > wasn't changed since it was packaged, so if we find that a package has > > a compromised source, we can blame the packager. >=20 > Ah, that sounds good enough. Still, for the sake of completion, it would > be nice for Guix to have support for verifying GPG signed source > archives. I used to run Parabola GNU/Linux, and its 'makepkg' verified > GPG signatures before building. There was a discussion about verifying signatures of GNU packages using a GNU keyring, but it didn't end up happening. This would have enabled a more trustworthy automatic update system for the GNU packages. It should be in the guix-devel mailing list archive. In my opinion, a limitation of verifying signatures automatically is that the web of trust requires us (humans) to make sure the key corresponds to the person or group that we intend to trust. GnuPG will automatically download a missing key when verifying a signature, but it's up to us to decide if the key is worth trusting. As Alex said, Guix packagers verify signatures and then put tarball hashes into package definitions. So, I bet that Guix users don't often verify the signatures themselves; instead they choose to trust the packagers, which is one reason we started signing all our Git commits. Does Parabola have some sort of keyring that all the upstream keys go into? Or did I misinterpret your suggestion? I'm not familiar with the Parabola package management system. By the way, we still have some work to do on a related topic: https://bugs.gnu.org/22883 --DocE+STaALJfprDB Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJXxxI4AAoJECZG+jC6yn8I6y8QANTodWtwHHSISZzw64kW6xh2 rjQeNjmjFWEVd/Eh5aWGVISpDuq5za4U8PBfQISgDJdb1n7Ae4pgvujqvx5y3m7h srLqVgtORhzUGTIeA5UpM2zw0Gnp6i58uIqvMDpP60etOFHcBc705B1ax5OAaUcB B+mMh9w0/13xzu6wB+4n+Dmgvb+0pekX61tKYrX0vWmPfHL9yM3HkjhLOWPRJIaS 8hWTpIk7MeTlSKPKwKGYrmHXl87hzqAPARWNdNyWM2hJheWiB1q1H3/3kNduSCLE /rcM1X1EclzRo1a2JtnZ7osYvSsQ6MOOlVidMi4/1NZ4UMBLl2l+8Wsa/A0tNIpC xoKkhHyQ5vnA3z7cFYwOQeH45f0TmeFVAOmi0g8THNWMB8HKy1Bvd4YWQpi6T+hI 3jDtnLIFUHaa4V3lRtXx3+DT4ho6eY6w1Y3Z8rAP7yoNLNgmTrQAgfJBrLjbrEGu FLmjVU+y/CDNc8x50V3jRIAGOkON0io2PDrKt8qTkedyppyeBtNmcMPv1OpSHYUU HSJVgMTVVqe+soGkkYI1p/Ai4fkEpbdM6NLJ8Ma+cG/Bw0m8R7v6cinSsotisa+A mKJFedD2NAzkf9qTEbuJuloWsOgt+mJHPggmw6lmZOF/CMZOkr9Ap9lG1r+8fRly IklFZ0gB7oI5oNHgPfuA =P+YT -----END PGP SIGNATURE----- --DocE+STaALJfprDB--