1 |
* Paul de Vrieze (pauldv@g.o) wrote: |
2 |
> - - one master key whose public key is put on every cd. It should be signed |
3 |
> by as many people as possible and also put on a ssl protected website |
4 |
> with a real certificate (payed for). |
5 |
> - - a signing key. This key is signed by the master key and is rotated on a |
6 |
> regular basis (say once a month). The public key is put in the portage |
7 |
> tree. |
8 |
> - - The signing key is used for signing a list of the fingerprints/public |
9 |
> keys of all developers with ebuild commit privileges. |
10 |
> - - After an rsync all signatures for packages with changes are checked. |
11 |
> This will first check the signing key based on the known master key |
12 |
> (which should change as little as possible and be kept very secure). |
13 |
> It also verifies that the signing key is not too old. This is important |
14 |
> so that compromise of the signing key will be less of a security issue |
15 |
> even when it is not possible to get the revokation of the key to all |
16 |
> users. |
17 |
> Then it will verify that the list of developer keys is valid based on |
18 |
> the signing key. |
19 |
> Next it will check that the signature file for this package is correct |
20 |
> and validates that the key used for signing this signature is in the |
21 |
> list of acceptable keys. |
22 |
> If the package is found to be invalid we could start with removing the |
23 |
> package from the repository. |
24 |
> - - As the checking is done post-rsync there is no problem with infrequent |
25 |
> rsync-ing. |
26 |
|
27 |
so a dev key would be revoked by a sync on a file containing a list of dev keys ? |
28 |
what if i compromise a rsync server adn a developers box. This isnt that far fetched a scenario. I get acess to a dev key and i stop a server from updateing the signed key sigs file. |
29 |
|
30 |
this also doesnt begin to solve the rogue developer problem (tho thats not the goal on this i guess) |
31 |
|
32 |
imho every package needs 2 pairs of eyes b4 gettin released. (2 dev sigs + sign key) but theres procedural and time constraints that will probly prevent that from ever happening. |
33 |
|
34 |
|
35 |
> |
36 |
> note: |
37 |
> *) alternatively there could be a key between the signing key and the |
38 |
> master key, this root key could have a one month rotation. Then this |
39 |
> root key could be used to have a daily generated signing key. |
40 |
> |
41 |
> The disadvantage is that the root key and signing key would be |
42 |
> passphraseless to allow for automatic signing of either the signing |
43 |
> key and the dev key list. (assuming that manually entering keyphrases |
44 |
> daily is too much) |
45 |
> |
46 |
> *) It might be possible to keep the passphrase for the daily signing |
47 |
> key in memory (or even the whole secret part, which would mean |
48 |
> that changes in developer keys would only be visible with a one |
49 |
> day delay (max) or manual regeneration of a signing key) |
50 |
> |
51 |
> Paul |
52 |
> |
53 |
> - -- |
54 |
> Paul de Vrieze |
55 |
> Gentoo Developer |
56 |
> Mail: pauldv@g.o |
57 |
> Homepage: http://www.devrieze.net |
58 |
> -----BEGIN PGP SIGNATURE----- |
59 |
> Version: GnuPG v1.2.4 (GNU/Linux) |
60 |
> |
61 |
> iD8DBQFAYDetbKx5DBjWFdsRArC0AJ989ls+w+RszK7FazB0I8hq9//swQCg2BUA |
62 |
> sXkzItayvUSKux+/rfHFx1w= |
63 |
> =N+pp |
64 |
> -----END PGP SIGNATURE----- |
65 |
> |
66 |
> -- |
67 |
> gentoo-dev@g.o mailing list |
68 |
> |
69 |
> |
70 |
|
71 |
-- |
72 |
gentoo-dev@g.o mailing list |