Hello,

On 29.09.2011 17:02, Anthony G. Basile wrote:
> Hi everyone,
>
> The issue of Manifest signing came up in #gentoo-hardened channel ...
> again. It's clearly a security issue and yet many manifests in the tree
> are still not signed. Is there any chance that we can agree to reject
> unsigned manifests? Possibly a question for the Council to adjudicate?

I followed the threads about manifest signing with interest and even had
a look at the manifest signing guide [4]. Sounds nice at first view.
But please correct me if I'm wrong: I didn't find a place where these
signatures are verified.
Is manifest signing for the infrastructure team, enabling them to verify
the author of a commit (see GLEP57 [1])? Wouldn't this be obsoleted by
commit signing if the move to git is done ([2])?
If it is (also) for the users, why is there no code for it in portage
anymore [3]?
Okay, "why" is clear. Obviously nobody was maintaining it...
I thought about signing the manifests of my overlay. But this is
senseless if there is no automatic check. I can't think of any user
verifying manifest signatures by hand.
To me it looks like there are repeated complaints about missing
signatures, but I don't see any verification methods for existing
manifest signatures.
At the moment there are 10608 of 15085 manifests signed in my portage
tree. But I can't check them, because I don't have the public keys, and
if I fetch them from a public keyserver, I still don't know if they
really belong to the corresponding Gentoo developers.
Is there some kind of Gentoo Keyring I don't know of?

How does the infrastructure team check whether a GPG key belongs to a developer?
The Manifest signing guide [4] simply says "Upload the key to a
keyserver". Everybody can upload a key to the public keyservers. An
attacker able to modify a signed Manifest could simply create a new
key in the developer's name and use it to sign the modified manifest.
Therefore it must be clear which key really belongs to a dev.

Furthermore, the Tree-Signing GLEPs [5] seem to be incomplete.
This looks like the right place to continue work on Tree Signing.

Regards,
Enno

[1] http://www.gentoo.org/proj/en/glep/glep-0057.html
[2] http://archives.gentoo.org/gentoo-dev/msg_91813ec042831af2fd688e7ecfae4943.xml
[3] http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=4c16649d121dca977b3c569f03c5d1b194b635d4
[4] http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2&chap=6
[5] http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo/users/robbat2/tree-signing-gleps/
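The trust-anchor problem raised in the message above (a valid signature says nothing about whether the key belongs to a developer), shown as an added example that is not part of the original post and not portage code. It assumes GnuPG's machine-readable --status-fd output and a hypothetical out-of-band list of developer key fingerprints; all fingerprints and status transcripts are constructed values.

```python
"""Trust-anchor check for a clearsigned Manifest (added example, not portage).

Two independent steps: gpg --verify proves *some* key signed the file; the
check below proves that key was actually issued to a developer. A key pulled
from a keyserver by the developer's name cannot establish that, since anyone
can upload such a key. Works on GnuPG's machine-readable --status-fd output.
"""
import subprocess
from typing import Iterable, Optional

# Hypothetical keyring distributed out of band (constructed fingerprint).
TRUSTED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Constructed --status-fd transcripts: a genuine developer signature, an
# impersonator's key carrying the developer's name, and a corrupt signature.
GENUINE_STATUS = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Dev <dev@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-09-29 "
    "1317304920 0 4 0 1 2 01 0123456789ABCDEF0123456789ABCDEF01234567\n")
IMPERSONATED_STATUS = (
    "[GNUPG:] GOODSIG FEDCBA9876543210 Example Dev <dev@example.org>\n"
    "[GNUPG:] VALIDSIG DEADBEEFDEADBEEFDEADBEEFFEDCBA9876543210 2011-09-29 "
    "1317304920 0 4 0 1 2 01 DEADBEEFDEADBEEFDEADBEEFFEDCBA9876543210\n")
BAD_STATUS = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Dev <dev@example.org>\n"

def signing_fingerprint(status_lines: Iterable[str]) -> Optional[str]:
    """Primary-key fingerprint from the VALIDSIG line, or None if no valid sig.

    VALIDSIG appears only after cryptographic verification succeeded; its
    last field is the primary key fingerprint (field 2 is the signing subkey).
    The user-id text in GOODSIG is deliberately ignored: a name is exactly
    what an impersonator controls.
    """
    for line in status_lines:
        f = line.split()
        if len(f) >= 3 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            return (f[11] if len(f) >= 12 else f[2]).upper()
    return None

def manifest_is_trusted(status_lines: Iterable[str],
                        trusted=TRUSTED_FINGERPRINTS) -> bool:
    """True only if the signature verified AND the key is a pinned one."""
    fpr = signing_fingerprint(status_lines)
    return fpr is not None and fpr in trusted

def verify_manifest(path: str, keyring: str) -> bool:
    """Run gpg against a pinned keyring file, then apply the trust check."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", path],
        capture_output=True, text=True, check=False)
    return manifest_is_trusted(proc.stdout.splitlines())
```

With the constructed transcripts, the genuine signature is accepted, the impersonator's signature is rejected despite carrying the developer's name, and the corrupt signature yields no fingerprint at all.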