guix-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Checking signatures on source tarballs


From: Mark H Weaver
Subject: Checking signatures on source tarballs
Date: Tue, 06 Oct 2015 22:07:20 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Alex Kost <address@hidden> writes:

> Ludovic Courtès (2015-10-05 18:55 +0300) wrote:
>
>> Alex Kost <address@hidden> skribis:
>>
>>> Ludovic Courtès (2015-10-04 19:57 +0300) wrote:
>>>
>>>> However, if this is “too convenient”, I’m afraid this would give an
>>>> incentive to not check OpenPGP signatures when they are available.
>>>
>>> Sorry, I have no idea what it means :-(
>>
>> When upstream digitally signs its source code tarballs, packagers should
>> check those signatures to authenticate the code they have.
>>
>> If the tool makes it too easy to fill out the ‘sha256’ field without
>> going through the trouble of downloading the ‘.sig’ file and checking
>> it, then people will have an incentive not to check those signatures.
>
> Oh, now I see what you mean.  Well, I don't know, I think if a user has
> a habbit to check a signature, he will check it anyway; and if not, then
> not.

I share Ludovic's concern.  It is a serious problem if packagers fail to
check signatures.  We should not provide mechanisms that encourage such
behavior.  It jeopardizes the security of every user of those packages.

IMO, we should rather be going in the other direction, to formalize and
automate the checking of signatures.  IMO, our 'origin' objects should
include a set of fingerprints of acceptable GPG signing keys for that
package, as well as information on how to find the signature (in cases
where it cannot be guessed).

This would have several beneficial effects:

* If the packager downloaded a key belonging to a man-in-the-middle
  (quite possible given that we rarely have a validated chain of trust
  to the developer), then that bad key will be stored in our git repo
  for all to see, allowing someone to notice that it's the wrong key.

* When the package is later updated, it will not be possible for a new
  man-in-the-middle attack to be made on us.  If a new signing key is
  used, we cannot fail to notice it.  It will raise a red flag and we
  can investigate.

* It would strongly encourage packagers to do these checks, and make it
  obvious to reviewers or users when the packager failed to do so.  It
  would also make it easy to find unsigned packages, so that we can
  encourage upstream to start signing the packages, at least for the
  most important ones.

Also, our linter should download and check the signature, so that it's
easy for others to independently check the verification done by the
original packager.

What do you think?

      Mark



reply via email to

[Prev in Thread] Current Thread [Next in Thread]