Gentoo Archives: gentoo-dev

From: enno+gentoo@××××××××××××××.de
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Manifest signing
Date: Wed, 02 Nov 2011 12:04:28
Message-Id: 4EB13189.4000500@groeper-berlin.de
In Reply to: [gentoo-dev] Manifest signing by "Anthony G. Basile"
Hello,

On 29.09.2011 17:02, Anthony G. Basile wrote:
> Hi everyone,
>
> The issue of Manifest signing came up in #gentoo-hardened channel ...
> again. It's clearly a security issue and yet many manifests in the tree
> are still not signed. Is there any chance that we can agree to reject
> unsigned manifests? Possibly a question for the Council to adjudicate?

I followed the threads about manifest signing with interest and even had
a look at the manifest signing guide [4]. Sounds nice at first view.
But please correct me if I'm wrong: I didn't find a place where these
signatures are verified.
Is manifest signing for the infrastructure team, enabling them to verify
the author of a commit (see GLEP57 [1])? Wouldn't this be obsoleted by
commit signing if the move to git is done ([2])?
If it is (also) for the users, why is there no code for it in portage
anymore [3]?
Okay, "why" is clear. Obviously nobody was maintaining it...
I thought about signing the manifests of my overlay. But this is
senseless if there is no automatic check. I can't think of any user
verifying manifest signatures by hand.
To me it looks like there are repeated complaints about missing
signatures, but I don't see any verification methods for existing
manifest signatures.
At the moment there are 10608 of 15085 manifests signed in my portage
tree. But I can't check them, because I don't have the public keys, and
if I fetch them from a public keyserver, I still don't know whether they
really belong to the corresponding Gentoo developers.
Is there some kind of Gentoo Keyring I don't know of?

How does the infrastructure team check whether a GPG key belongs to a developer?
The Manifest signing guide [4] simply says "Upload the key to a
keyserver". Everybody can upload a key to the public keyservers. An
attacker able to modify a signed Manifest could simply create a new
key in the developer's name and use it to sign the modified manifest.
Therefore it must be clear which key really belongs to a dev.

Furthermore, the Tree-Signing-GLEPs [5] seem to be incomplete.
This looks like the right place to continue work on Tree Signing.

Regards,
Enno

[1] http://www.gentoo.org/proj/en/glep/glep-0057.html
[2] http://archives.gentoo.org/gentoo-dev/msg_91813ec042831af2fd688e7ecfae4943.xml
[3] http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=4c16649d121dca977b3c569f03c5d1b194b635d4
[4] http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2&chap=6
[5] http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo/users/robbat2/tree-signing-gleps/
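The check the message above says is missing, written as an added example that is not part of this thread or of Portage: it accepts a clearsigned Manifest only when gpg reports a VALIDSIG from a key in an allowlist of fingerprints obtained out of band (so a freshly uploaded keyserver key in a developer's name is rejected), then verifies an entry's size and digests. The gpg invocation via a dedicated keyring, the placeholder fingerprint, the sample Manifest and all function names are assumptions.

```python
import hashlib
import subprocess

# Allowlist of fingerprints verified out of band (e.g. a keyring Gentoo itself
# distributes), NOT keys pulled blindly from a keyserver. Placeholder value.
TRUSTED_FPRS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

def signature_ok(status_lines, trusted=TRUSTED_FPRS):
    """Accept only a VALIDSIG from an allowlisted key. GOODSIG alone is not
    enough: any keyserver key carrying the developer's name yields GOODSIG."""
    for line in status_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # parts[2] is the signing (sub)key, parts[-1] the primary key
            return bool({parts[2].upper(), parts[-1].upper()} & trusted)
    return False

def gpg_status(manifest_path, keyring_path):
    """Verify against a dedicated keyring only, never the default one."""
    proc = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring_path,
         "--status-fd", "1", "--verify", manifest_path],
        capture_output=True, text=True)
    return proc.stdout.splitlines()

def parse_manifest(text):
    """Return {(type, name): (size, {ALG: hexdigest})} from clearsigned text."""
    entries = {}
    for line in text.splitlines():
        if line.startswith("- "):       # clearsign dash-escaping
            line = line[2:]
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("DIST", "EBUILD", "MISC", "AUX"):
            continue
        entries[(parts[0], parts[1])] = (int(parts[2]), dict(zip(parts[3::2], parts[4::2])))
    return entries

def entry_matches(entry, data):
    """Check the size and every digest whose algorithm this hashlib knows."""
    size, digests = entry
    known = {a: h for a, h in digests.items() if a.lower() in hashlib.algorithms_available}
    if len(data) != size or not known:
        return False
    return all(hashlib.new(a.lower(), data).hexdigest() == h.lower() for a, h in known.items())

# Constructed sample: a clearsigned Manifest whose DIST entry covers b"hello world\n".
SAMPLE_MANIFEST = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

DIST foo-1.0.tar.gz 12 SHA256 a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
-----BEGIN PGP SIGNATURE-----
(signature block omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""
```

On a real tree the flow is `signature_ok(gpg_status(path, keyring))` first, and only then `entry_matches` for each file; a digest match without the signature check proves nothing, since the attacker who edits a file can edit the Manifest too.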

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-dev] Manifest signing "Robin H. Johnson" <robbat2@g.o>