On Tuesday 23 March 2004 13:21, Kurt Lieber wrote:
> On Tue, Mar 23, 2004 at 03:11:47AM -0800 or thereabouts, Robin H. Johnson wrote:
> > I wrote up a functional prototype patch Mon, 8 Dec 2003 and mailed it to gentoo-core when a discussion on the subject was in progress. This is the ONLY code I've seen produced by anybody on the subject of GPG signing to date.
>
> rac also had a proof-of-concept working. However, as I understand it, the issues preventing this from becoming a reality are not technical in nature, but more process and policy oriented. Quite frankly, I think the only issue standing between us and getting this implemented is having the Portage folks deem this as an important project and prioritize it accordingly.

OK, the biggest problem is an idea for how the actual checking should function. (Signing is straightforward.)

I'll take a first shot at describing a key chain idea. Please shoot at it and try to find the holes. But remember it needs to stay workable. First the premises:

- All developers should be able to sign with their own key.
- We can register the keys of the developers before allowing them.
- We don't necessarily (want to/can) sign the keys of all the developers.
- The system is Gentoo-specific so we can implement custom systems.
- A root key should be kept safe.

What do I propose:

- One master key whose public key is put on every CD. It should be signed by as many people as possible and also put on an SSL-protected website with a real certificate (paid for).
- A signing key. This key is signed by the master key and is rotated on a regular basis (say once a month). The public key is put in the portage tree.
- The signing key is used for signing a list of the fingerprints/public keys of all developers with ebuild commit privileges.
- After an rsync all signatures for packages with changes are checked. This will first check the signing key based on the known master key (which should change as little as possible and be kept very secure). It also verifies that the signing key is not too old. This is important so that compromise of the signing key will be less of a security issue even when it is not possible to get the revocation of the key to all users.
  Then it will verify that the list of developer keys is valid based on the signing key.
  Next it will check that the signature file for this package is correct and validates that the key used for signing this signature is in the list of acceptable keys.
  If the package is found to be invalid we could start with removing the package from the repository.
- As the checking is done post-rsync there is no problem with infrequent rsync-ing.

Note:

*) Alternatively there could be a key between the signing key and the master key; this root key could have a one month rotation. Then this root key could be used to have a daily generated signing key.

The disadvantage is that the root key and signing key would be passphraseless to allow for automatic signing of either the signing key and the dev key list (assuming that manually entering keyphrases daily is too much).

*) It might be possible to keep the passphrase for the daily signing key in memory (or even the whole secret part, which would mean that changes in developer keys would only be visible with a one day delay (max) or manual regeneration of a signing key).

Paul

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@g.o
Homepage: http://www.devrieze.net
--
gentoo-dev@g.o mailing list
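The post-rsync check Paul describes (known master key, then a dated signing key with an age limit, then the signed developer key list, then the per-package signature by a listed key), as an added example in Go that is not part of this thread or of Portage. It stands in for GnuPG with Ed25519 and constructed keys; the 30-day limit, the certBody/listBody encodings, the type names and the error strings are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"time"
)

// Freshness rule from the proposal: reject a signing key older than this even if no revocation arrived.
const maxSigningKeyAge = 30 * 24 * time.Hour

// Signing key plus issue date; Sig is the master key's signature over certBody(Key, Issued).
type signingKeyCert struct{ Key ed25519.PublicKey; Issued time.Time; Sig []byte }

// Developer keys with commit rights; Sig is the signing key's signature over listBody(Keys).
type devList struct{ Keys [][]byte; Sig []byte }

func certBody(key ed25519.PublicKey, issued time.Time) []byte {
	return append(append([]byte{}, key...), issued.UTC().Format(time.RFC3339)...)
}
func listBody(keys [][]byte) []byte { return bytes.Join(keys, nil) }

// verifyPackage checks the chain in the proposal's order; the error names the step that failed.
func verifyPackage(master ed25519.PublicKey, cert signingKeyCert, list devList,
	devKey ed25519.PublicKey, manifest, manifestSig []byte, now time.Time) error {
	listed := false
	for _, k := range list.Keys { listed = listed || bytes.Equal(k, devKey) }
	switch {
	case !ed25519.Verify(master, certBody(cert.Key, cert.Issued), cert.Sig):
		return errors.New("signing key not signed by master key")
	case now.Sub(cert.Issued) > maxSigningKeyAge:
		return errors.New("signing key too old")
	case !ed25519.Verify(cert.Key, listBody(list.Keys), list.Sig):
		return errors.New("developer key list not signed by signing key")
	case !listed:
		return errors.New("package signed by key not in developer list")
	case !ed25519.Verify(devKey, manifest, manifestSig):
		return errors.New("package signature invalid")
	}
	return nil
}

// newChain builds a constructed chain: master key, signing key issued at `issued`, one registered developer.
func newChain(issued time.Time) (ed25519.PublicKey, signingKeyCert, devList, ed25519.PublicKey, ed25519.PrivateKey) {
	masterPub, masterPriv, _ := ed25519.GenerateKey(rand.Reader)
	signPub, signPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := signingKeyCert{signPub, issued, ed25519.Sign(masterPriv, certBody(signPub, issued))}
	list := devList{Keys: [][]byte{devPub}}
	list.Sig = ed25519.Sign(signPriv, listBody(list.Keys))
	return masterPub, cert, list, devPub, devPriv
}
```

The master public key is the only thing the client must already hold; everything else (cert, list, package signature) travels in the tree and is validated against it, and a stale cert is refused even though no revocation was ever delivered.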