From: Christopher Allan Webber
Subject: Re: Checking signatures on source tarballs
Date: Tue, 06 Oct 2015 22:18:15 -0500
Message-ID: <87r3l7s6wy.fsf@dustycloud.org>
In-reply-to: <8737xntorr.fsf_-_@netris.org>
To: Mark H Weaver
Cc: guix-devel@gnu.org, Alex Kost

Mark H Weaver writes:

> Alex Kost writes:
>
>> Ludovic Courtès (2015-10-05 18:55 +0300) wrote:
>>
>>> Alex Kost skribis:
>>>
>>>> Ludovic Courtès (2015-10-04 19:57 +0300) wrote:
>>>>
>>>>> However, if this is “too convenient”, I’m afraid this would give an
>>>>> incentive to not check OpenPGP signatures when they are available.
>>>>
>>>> Sorry, I have no idea what it means :-(
>>>
>>> When upstream digitally signs its source code tarballs, packagers should
>>> check those signatures to authenticate the code they have.
>>>
>>> If the tool makes it too easy to fill out the ‘sha256’ field without
>>> going through the trouble of downloading the ‘.sig’ file and checking
>>> it, then people will have an incentive not to check those signatures.
>>
>> Oh, now I see what you mean. Well, I don't know, I think if a user has
>> a habit to check a signature, he will check it anyway; and if not, then
>> not.
>
> I share Ludovic's concern. It is a serious problem if packagers fail to
> check signatures. We should not provide mechanisms that encourage such
> behavior. It jeopardizes the security of every user of those packages.
>
> IMO, we should rather be going in the other direction, to formalize and
> automate the checking of signatures. IMO, our 'origin' objects should
> include a set of fingerprints of acceptable GPG signing keys for that
> package, as well as information on how to find the signature (in cases
> where it cannot be guessed).
>
> This would have several beneficial effects:
>
> * If the packager downloaded a key belonging to a man-in-the-middle
>   (quite possible given that we rarely have a validated chain of trust
>   to the developer), then that bad key will be stored in our git repo
>   for all to see, allowing someone to notice that it's the wrong key.
>
> * When the package is later updated, it will not be possible for a new
>   man-in-the-middle attack to be made on us. If a new signing key is
>   used, we cannot fail to notice it. It will raise a red flag and we
>   can investigate.
>
> * It would strongly encourage packagers to do these checks, and make it
>   obvious to reviewers or users when the packager failed to do so. It
>   would also make it easy to find unsigned packages, so that we can
>   encourage upstream to start signing the packages, at least for the
>   most important ones.
>
> Also, our linter should download and check the signature, so that it's
> easy for others to independently check the verification done by the
> original packager.
>
> What do you think?
>
> Mark

This sounds great to me!
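Mark's proposal above, as an added shell example that is not from this thread or from Guix: a check that accepts a tarball only when gpg reports a good detached signature and the signing key's fingerprint is in a per-package allow-list. The fingerprints, the gpg status lines and the helper names check_validsig and verify_tarball are constructed for the example.

```shell
#!/bin/sh
# Added example, not Guix code. Mirrors the proposal: accept a tarball only if
# gpg reports a good signature AND the signing key's fingerprint is one of the
# fingerprints recorded for that package (constructed placeholder values).
ALLOWED_FPRS="0123456789ABCDEF0123456789ABCDEF01234567 FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# check_validsig STATUS_TEXT ALLOWED_FPRS
# STATUS_TEXT is the machine-readable output of 'gpg --status-fd 1'.
# gpg emits a VALIDSIG line only for a good signature; its last field is the
# fingerprint of the primary key, which is what we match against the list.
# A good signature by a key that merely happens to be in the keyring is not
# enough: the key must be one the package's allow-list names.
check_validsig() {
    fpr=$(printf '%s\n' "$1" |
          awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$fpr" ] || return 1            # no valid signature at all
    case " $2 " in
        *" $fpr "*) return 0 ;;          # signed by an allowed key
    esac
    return 1                             # good signature, but unexpected key
}

# verify_tarball TARBALL SIGFILE ALLOWED_FPRS: run gpg and apply the check.
# (Not called below, so the example runs without gpg or network access.)
verify_tarball() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    check_validsig "$status" "$3"
}

# Constructed gpg status output for a good signature by the first allowed key.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-10-06 1444180695 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

if check_validsig "$SAMPLE_STATUS" "$ALLOWED_FPRS"; then
    echo "sample: good signature by an allowed key"
else
    echo "sample: REJECTED"
fi
```

Because the allow-list is recorded with the package, a later upload signed by a different key fails this check instead of passing silently, which is the second effect Mark lists.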