Gentoo Archives: gentoo-dev

From: "Robin H. Johnson" <robbat2@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Manifest signing
Date: Thu, 03 Nov 2011 23:10:25
Message-Id: robbat2-20111103T224253-631507583Z@orbis-terrarum.net
In Reply to: Re: [gentoo-dev] Manifest signing by enno+gentoo@groeper-berlin.de
1 On Thu, Nov 03, 2011 at 10:55:52PM +0100, enno+gentoo@××××××××××××××.de wrote:
2 > >> If it is (also) for the users, why is there no code for it in portage
3 > >> anymore [3]?
4 > > Hmm, I hadn't see that removal, but it makes sense unless the entire
5 > > tree is developer-signed, which isn't likely to happen soon.
6 > I don't agree here. Of course the implementation shouldn't stop the user
7 > from installing an unsigned package at the moment. But it could give a
8 > warning instead and ask the user what to do.
9 > In this way developers are encouraged to sign their packages (to make
10 > the warning go away) and users get the ability to check the signatures,
11 > that already exist.
12 > Key problem here is the Gentoo keyring (how to ensure it didn't get
13 > manipulated).
14 Distributing the keyring itself signed is how Debian does it IIRC.
15
16 > > There's a chicken & egg problem with most signing. You need to
17 > > communicate the valid keys out of band from the actual repo.
18 > > Maybe the layman data is a good place for that, but until such a
19 > > location is figured out, you have zero security gain (if the 'correct'
20 > > keys are only listed in a file in the repo, any attacker just replaces
21 > > that when he puts his other content in).
22 > Of course. But security is always worth thinking about it.
23 > First step: What are the possibilities the check the signatures? FAIL.
24 > In my case some (most?) of the users of my overlay should know my GPG
25 > key already. The web of trust works here. The drawback for possible
26 > other users would be a false sense of security.
27 That's why I say the gpg key should be in the layman data.
28 Overlays team, do you think this is reasonable?
29
30 > > There was a prototype keyserver at one point as well, and I can generate
31 > > new keyrings if needed based on the LDAP data.
32 > This could be okay for a first creation. Later I would prefer something
33 > like Debian does:
34 > http://keyring.debian.org/replacing_keys.html
35 > That way you would decouple the LDAP and the keyring and trust only the
36 > data, that is already in the keyring (somebody whose key is already in
37 > the keyring signing the request for a new key).
38 > See also: http://keyring.debian.org/
39 > Perhaps the prototype keyserver already did something like that.
40 The Debian model was discussed, and the main problem was finding enough
41 people to sign the keys near all of the devs, esp. if you require
42 meeting in person.
43
44 You need two factors to be able to change your GPG key on file anyway.
45
46 --
47 Robin Hugh Johnson
48 Gentoo Linux: Developer, Trustee & Infrastructure Lead
49 E-Mail : robbat2@g.o
50 GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85