Gentoo Archives: gentoo-dev

From: enno+gentoo@××××××××××××××.de
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Manifest signing
Date: Wed, 02 Nov 2011 12:04:28
In Reply to: [gentoo-dev] Manifest signing by "Anthony G. Basile"

On 29.09.2011 17:02, Anthony G. Basile wrote:
> Hi everyone,
>
> The issue of Manifest signing came up in #gentoo-hardened channel ...
> again. It's clearly a security issue and yet many manifests in the tree
> are still not signed. Is there any chance that we can agree to reject
> unsigned manifests? Possibly a question for the Council to adjudicate?

I followed the threads about manifest signing with interest and even had a look at the manifest signing guide [4]. Sounds nice at first view. But, please correct me if I'm wrong, I didn't find a place where these signatures are verified.

Is manifest signing for the infrastructure team, enabling them to verify the author of a commit (see GLEP57 [1])? Wouldn't this be obsoleted by commit signing if the move to git is done ([2])? If it is (also) for the users, why is there no code for it in portage anymore [3]? Okay, "why" is clear. Obviously nobody was maintaining it...

I thought about signing the manifests of my overlay. But this is senseless if there is no automatic check. I can't think of any user verifying manifest signatures by hand. To me it looks like there are repeating complaints about missing signatures, but I don't see any verification methods for existing manifest signatures.

At the moment there are 10608 of 15085 manifests signed in my portage tree. But I can't check them, because I don't have the public keys, and if I fetch them from a public keyserver, I still don't know if they really belong to the corresponding Gentoo developers. Is there some kind of Gentoo Keyring I don't know of? How does the infrastructure team check if a GPG key belongs to a developer? The Manifest signing guide [4] simply says "Upload the key to a keyserver". Everybody can upload a key to the public keyservers. An attacker able to modify a signed Manifest could simply create a new key in the developer's name and use it to sign the modified manifest. Therefore it must be clear which key really belongs to a dev.

Furthermore the Tree-Signing GLEPs [5] seem to be incomplete. This looks like the right place to continue work on Tree Signing.

Regards,
Enno

[1]
[2]
[3] ;a=commit;h=4c16649d121dca977b3c569f03c5d1b194b635d4
[4]
[5]


Attachment: signature.asc (application/pgp-signature)
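The automatic check Enno says is missing, written out as an added example (not code from this thread, from portage, or from the Gentoo infrastructure team): a clearsigned Manifest is accepted only if gpg verifies it against a dedicated keyring that was distributed out of band, the signing key's full fingerprint is on an explicit list of developer keys, and the per-file sizes and hashes the Manifest lists match the files on disk. A key fetched from a public keyserver never enters that keyring, which is exactly what closes the "new key in the developer's name" gap. The keyring path, the fingerprint set, and the sample ebuild and Manifest are assumptions constructed for illustration; only the parsing and hash checks run in `demo()`, the gpg call in `verify_manifest()` needs a real signed Manifest and keyring.

```python
# Added example (not code from this thread or from portage): verify a clearsigned
# Gentoo Manifest against a dedicated, pre-distributed keyring and an explicit set
# of developer key fingerprints, then check the per-file hashes it lists.
# Assumed for illustration: TRUSTED_KEYRING path, TRUSTED_FPRS values, gpg on PATH.
import hashlib
import os
import subprocess
import tempfile

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
TRUSTED_KEYRING = "/var/lib/gentoo/keys/developers.gpg"  # assumed path
TRUSTED_FPRS = {"0" * 40}                                 # placeholder fingerprint
FAIL_STATUS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}

def clearsigned_body(text):
    """Dash-unescaped payload of a clearsigned Manifest; None if it is not clearsigned at all."""
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN_SIGNED:
        return None  # an unsigned Manifest must be rejected, not silently accepted
    i = 1
    while i < len(lines) and lines[i] != "":  # skip "Hash: ..." armor headers
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == BEGIN_SIG:
            break
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
    return "\n".join(body) + "\n"

def parse_gpg_status(status_text):
    """Fingerprint from gpg's VALIDSIG status line, or None on any failure keyword or no VALIDSIG."""
    fpr = None
    for line in status_text.splitlines():
        f = line.split()
        if len(f) < 2 or f[0] != "[GNUPG:]":
            continue
        if f[1] in FAIL_STATUS:
            return None
        if f[1] == "VALIDSIG" and len(f) > 2:
            fpr = f[2]
    return fpr

def check_entries(body, directory):
    """Check 'TYPE name size ALGO hex [ALGO hex ...]' lines against files next to the Manifest."""
    for line in body.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("AUX", "EBUILD", "MISC"):
            continue  # DIST entries live in DISTDIR and are not handled here
        path = os.path.join(directory, "files" if f[0] == "AUX" else "", f[1])
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except OSError:
            return False, "missing " + f[1]
        if len(data) != int(f[2]):
            return False, "size mismatch for " + f[1]
        checked = 0
        for algo, digest in zip(f[3::2], f[4::2]):
            try:
                h = hashlib.new(algo.lower(), data)
            except ValueError:
                continue  # e.g. WHIRLPOOL without OpenSSL support: not counted as verified
            if h.hexdigest() != digest:
                return False, algo + " mismatch for " + f[1]
            checked += 1
        if checked == 0:
            return False, "no verifiable hash for " + f[1]
    return True, "ok"

def verify_manifest(manifest_path, trusted_fprs=TRUSTED_FPRS, keyring=TRUSTED_KEYRING):
    """Trusted signer first, then hashes; uses only the dedicated keyring (no ~/.gnupg, no keyserver)."""
    proc = subprocess.run(["gpg", "--batch", "--no-default-keyring", "--keyring",
                           keyring, "--status-fd", "1", "--verify", manifest_path],
                          capture_output=True, text=True)
    fpr = parse_gpg_status(proc.stdout)
    if fpr is None:
        return False, "signature missing or invalid"
    if fpr not in trusted_fprs:
        return False, "signed by a key that is not a known developer key: " + fpr
    with open(manifest_path) as fh:
        body = clearsigned_body(fh.read())
    return check_entries(body, os.path.dirname(manifest_path))

def demo():
    """Constructed sample: one ebuild and a clearsign-shaped Manifest with a dummy signature block."""
    d = tempfile.mkdtemp()
    data = b"EAPI=4\n"
    with open(os.path.join(d, "foo-1.0.ebuild"), "wb") as fh:
        fh.write(data)
    entry = "EBUILD foo-1.0.ebuild %d SHA256 %s SHA512 %s" % (
        len(data), hashlib.sha256(data).hexdigest(), hashlib.sha512(data).hexdigest())
    text = "%s\nHash: SHA256\n\n%s\n%s\nxx\n-----END PGP SIGNATURE-----\n" % (
        BEGIN_SIGNED, entry, BEGIN_SIG)
    body = clearsigned_body(text)
    good = check_entries(body, d)
    with open(os.path.join(d, "foo-1.0.ebuild"), "wb") as fh:
        fh.write(b"tampered\n")
    return body == entry + "\n", good, check_entries(body, d)

if __name__ == "__main__":
    print(demo())
```

The order matters: the signature is checked before any Manifest line is parsed, so a Manifest that is unsigned, signed by a key outside the keyring, or signed by a revoked or expired key is refused without its contents ever being trusted. Hash algorithms the local Python cannot compute are skipped rather than treated as verified, and an entry with no verifiable hash fails.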


Replies: Re: [gentoo-dev] Manifest signing, by "Robin H. Johnson" <robbat2@g.o>