Re: [task #4633] GPG-Signed Commits

[Derek Price]

Sylvain Beucler wrote:

>On Mon, Sep 19, 2005 at 04:01:55PM -0400, Derek Price wrote:
>  
>
>>[...] but the most
>>important step is the client verification, I think.  The server
>>authorization already probably depends on SSH keys or somesuch.
>>    
>>
>
>I don't think GPG can be used to authenticate users. 
>

Well, not per-se, as in signed commit-data being acceptable ID
verification, but some sort of additional "sign this very long, random
token and return it" step could be usable in place of pserver's password
auth.  Not that I plan on writing that.  :)

>Malicious people
>could resubmit old commits (with known security issues),
>

Ouch.  I hadn't thought of that.  That's a weakness of signed commits
after a server compromise too, except that injection of old revisions
would hopefully be relatively easy to spot due to old bugs reappearing,
new features disappearing, and maybe file dependencies breaking compilation.

I'm not sure how to deal with it, except to recommend that all
developers revoke their old keys and create new ones after a security
release of any given software.  It does mean that resigning old
revisions will generally be a bad idea.

> or garbage
>(signed mails), for example.
>  
>

This at least would be instantly noticable and the commit revoked.  It
is also unlikely to be capable of enabling security exploit of other
systems.

Regards,

Derek

-- 
Derek R. Price
CVS Solutions Architect
Ximbiot <http://ximbiot.com>
v: +1 717.579.6168
f: +1 717.234.3125
<mailto:derek@ximbiot.com>