[Bug 645565] Please add digital signatures to tarballs

  sysadmin | Blue Sky | unspecified

--- Comment #1 from Josselin Mouette <joss malsain org> 2011-03-22 20:43:44 UTC ---
(In reply to comment #0)
> We don't have signatures, so I'd like (need) loads of detail:
> 1. What guarantee is expected?
>    e.g. 100% trust it was uploaded by the maintainer vs 'comes from
>    random person who has the ability to upload things @ GNOME'

Authenticating maintainers is the problem of the GNOME sysadmins, it doesn’t
affect users. Using GPG for authentication will give you more traceability, and
a bit more security since people are usually more cautious with their GPG keys
than they are with their SSH ones.

The real issue at hand is protecting users against Man-In-The-Middle attacks,
so this has to be done on the archive side.

> 2. How to handle digital signatures securely?
>    e.g. is there is a breakin, having someone steal the private key
>    would be really bad, as signatures imply trust.
> 3. How to expire, announce new versions, get the initial trust, etc?
> ... basically how is the infrastructure bit handled at Debian/ some
> other distro

On this matter I can explain a bit about the Debian setup.

Signatures for uploads are not the ones that are used for download. However
both of them rely on a large web of trust between developers, each of them
having his own GPG key.
For uploads, there is a keyring (at keyring.debian.org) containing the list of
authorized keys.
For downloads, the files containing the sha256sums for each package (well,
actually these are hashes of files containing hashes of files… inception-style)
are signed with an archive key (one for each Debian version). This one in turn
having an expiration date, and being signed regularly with a master key.

I’m not sure where the archive key is stored. It probably has to be in a
secured directory on the FTP-master server since it is used every day to
re-sign the archive. This server is configured in a paranoid way and only a
dozen of people have shell access to it.
AFAIK, the master key is split between several people using Shamir’s secret

The master key has to be signed by as many people as possible in the web of
trust. This way, anyone having met one of the developers and checked his
fingerprint can check the signature’s authenticity. For other people, I think
the key is available in a public place on a HTTPS site, which is, well, better
than nothing, but only as secure as SSL can be.

I hope this is enlightening. I don’t think you need a system as remotely
complicated as the one of a distribution. Signing the sha256sums files in a
directory each time it is modified should be enough. You can use an archive key
for that, signed by a master key, so that you can revoke the archive key if it
is lost or stolen. Then put the public keys on a HTTPS website, and start
building a web of trust :)

Configure bugmail: https://bugzilla.gnome.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the QA contact of the bug.
You are watching the assignee of the bug.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]