bug-cvs

Re: [task #4633] GPG-Signed Commits


From: Jim Hyslop
Subject: Re: [task #4633] GPG-Signed Commits
Date: Wed, 05 Oct 2005 09:28:51 -0400
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)

Bernd Jendrissek wrote:
> If I may jump into the middle here... if, AFAICT, the purpose is to bind
> a signature to a specific commit and no other, and also to the complete
> file contents (figuring out $strings$ later), would it not be sufficient
> to generate, say,
>
>  ----- BEGIN PGP SIGNED MESSAGE -----
>  Comment: blah blah comments are untrusted
>
>  Repository revision: 1.5     /home/cvs/cvsroot/ifsf-sst/foo.c,v
>  #include <stdio.h>
>
>  int main()
>  {
>    printf("hello, world!\n");
>    return 0;
>  }
>  ----- BEGIN PGP SIGNATURE -----
>  gobblegobblegobble=
>  ----- END PGP SIGNATURE -----
>  (or its binary equivalent)

This does complicate things somewhat on the client side. Instead of simply signing the file and creating a detached signature, the client has to sign [header info]+[file].

> No, wait, if an attacker has root access to the CVS server, revision
> numbers become untrusted.  Really all you're trying to achieve is to
> identify the real culprit, so that Eve can't frame Alice.

I don't think it's possible to identify any culprits with 100% certainty, except perhaps with a system that is designed from the ground up with security in mind (CVS is at the opposite end of the security spectrum - it was designed on the assumption that you can trust users not to attack the system).

At this point, I don't think we're entirely clear on what we are trying to achieve. It may be helpful to list the specific attacks we are trying to protect against. Some of the attacks have been discussed in threads on this list, but it would be nice to have it all collated in one place.

I think we're simply focusing on being able to detect, and if possible prevent, tampering with the repository after the commit. That's a lot easier than determining who actually performed the attack.

> How about signing the previous signature?
>
>  ----- BEGIN PGP SIGNED MESSAGE -----
>  Comment: blah blah comments are untrusted
>
>  Repository revision: 1.5     /home/cvs/cvsroot/ifsf-sst/foo.c,v
>  Chained signature:
>    ICAgaGVsbG93b3JsZHRoaXNpc3NvbWViYXNlNjRlbmNvZGVkMTdpc3RoZWZpcnN0dHJ1bHly
>    YW5kb21udW1iZXJkYXRhZnJvbWFsaWNlc2RldmVsb3BtZW50cGMK
>  #include <stdio.h>
>
>  int main()
>  {
>    printf("hello, world!\n");
>    return 0;
>  }
>  ----- BEGIN PGP SIGNATURE -----
>  gobblegobblegobble=
>  ----- END PGP SIGNATURE -----
>  (again, or its binary equivalent)

And what if the previous signature is invalid, or discovered to be from a compromised key? The chain is broken, and Alice has no leg to stand on. Signing the delta makes each commit atomic, with no dependencies on the validity of previous versions. In effect, Alice says "These are the specific changes I made, and this is the result."

> That way Alice's good-faith commit of a backdoor introduced by Eve will
> show up Eve's later fudging of the repository to make it look as if Eve
> (who has Bob's compromised key) committed good code and Alice added the
> evil code.  Okay, you can't necessarily prove that *Eve* did it, but
> you'll be able to prove Alice's innocence when you need to.
>
> Are the GPG folk listening in on this convo?  Are there discussions on
> sci.crypt or comp.software.config-mgmt that I can follow?

Not that I'm aware of. Is it worth cross-posting this discussion to one of these forums?

--
Jim
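
The two schemes weighed in this message, modelled side by side as an added example (not code from the thread or from CVS): the revision header is part of the signed bytes, and a revoked key is then checked against a chained history and against independently signed commits. HMAC-SHA256 with constructed keys stands in for an OpenPGP signature; the function names, the `revoked` set, and the rule that a chained revision is trusted only while every earlier link verifies are assumptions, and `body` stands for whatever bytes the committer signs (the file, or the delta plus its result).

```python
import hashlib
import hmac

# Constructed demo keys. HMAC-SHA256 is a stand-in for an OpenPGP signature.
KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}

def signed_bytes(rev, path, body, prev_sig=None):
    """Header + body: the revision line is part of what gets signed."""
    head = f"Repository revision: {rev}\t{path}\n"
    if prev_sig is not None:               # chained scheme only
        head += f"Chained signature: {prev_sig}\n"
    return head.encode() + body

def sign(signer, data):
    return hmac.new(KEYS[signer], data, hashlib.sha256).hexdigest()

def commit(history, signer, rev, path, body, chained):
    """Append a signed revision; in chained mode it also covers the previous signature."""
    prev_sig = None
    if chained:
        prev_sig = history[-1]["sig"] if history else ""
    sig = sign(signer, signed_bytes(rev, path, body, prev_sig))
    history.append({"signer": signer, "rev": rev, "path": path,
                    "body": body, "prev_sig": prev_sig, "sig": sig})

def entry_ok(entry, revoked):
    """One signature checked on its own: right key, right bytes, key not revoked."""
    data = signed_bytes(entry["rev"], entry["path"], entry["body"], entry["prev_sig"])
    good = hmac.compare_digest(entry["sig"], sign(entry["signer"], data))
    return good and entry["signer"] not in revoked

def trusted_revisions(history, chained, revoked=()):
    """Revisions a verifier would still accept after some keys are revoked."""
    trusted, chain_intact, prev_sig = [], True, ""
    for entry in history:
        ok = entry_ok(entry, revoked)
        if chained:
            # Assumed policy: a link counts only if every earlier link does.
            chain_intact = chain_intact and ok and entry["prev_sig"] == prev_sig
            ok = chain_intact
            prev_sig = entry["sig"]
        if ok:
            trusted.append(entry["rev"])
    return trusted
```
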



