1 |
On Fri, 2013-11-15 at 16:25 -0500, Rick "Zero_Chaos" Farina wrote: |
2 |
> On 11/15/2013 02:37 PM, Robin H. Johnson wrote: |
3 |
> > On Fri, Nov 15, 2013 at 01:51:32PM -0500, Rick "Zero_Chaos" Farina wrote: |
4 |
> >> On 11/15/2013 01:23 AM, Robin H. Johnson wrote: |
5 |
> >>> You crossed sections, but let's collapse both to: |
6 |
> >>> |
7 |
> >>> Bare minimum requirements: |
8 |
> >>> 3. Key expiry: 6 months min, 3 years max. |
9 |
> >>> Recommendations: |
10 |
> >>> 4.1. Root key: 6 months min, 3 year max; |
11 |
> >>> 4.2. Signing subkey: 3 months min, 1 year max; |
12 |
> >>> 4.3. For both keys, expiry date should always be update at least 1 month before expiry. |
13 |
> >> How are we planning on updating keys on user's systems to verify things? |
14 |
> >> I only ask because 3 months on the signing key means whatever we do |
15 |
> >> needs to happen *securely* every 3 months at most. So like, if we are |
16 |
> >> pushing an ebuild with a keyring then we have to update it every 2 |
17 |
> >> months so keys don't expire and then that would break if the user |
18 |
> >> doesn't update every 3 months... Might be an issue as we try as a whole |
19 |
> >> to keep systems updatable for 1 year. |
20 |
> > So some more details regarding how we plan to deploy keys is probably |
21 |
> > needed here. It was out of scope for the discussion about what keys |
22 |
> > should look like. |
23 |
> > |
24 |
> > There are a few parts to it: |
25 |
> > - gentoo-keys (lead by dolsen) |
26 |
> > This is a mostly infra-level tool that takes the data in LDAP, does |
27 |
> > validation, mixes in the keys from keyserver/homedir, and generates |
28 |
> > keyrings. |
29 |
|
30 |
Not quite right. The gentoo-keys project is a repository with two main |
31 |
components. |
32 |
|
33 |
1) gkeyldap cli and python pkg. This is all the code that needs to run |
34 |
on infra machines to get the data from ldap and generate the dev seed |
35 |
file. It will likely never be installed on a user system (but some noob |
36 |
will likely try). It could be adapted to run on other derivative |
37 |
distro's with some additional code wrapping or patches. Or they could |
38 |
just create their own script to generate the seed files. Please note |
39 |
that seed files can be manually generated and maintained using the gkey |
40 |
app in 2 below. |
41 |
|
42 |
2) gkey cli and python pkg. |
43 |
|
44 |
a) This is the code and library that will be installed on users and |
45 |
infra systems to manage and install the keys to the appropriate keyring |
46 |
or keyrings. It will have code for doing regular maintenance and upkeep |
47 |
of the keyrings. As I see it so far, there will be no need for it to |
48 |
require binary keyrings or ebuilds with version bumps to perform |
49 |
updates. It will be able to download updated seed files just like |
50 |
layman does with the repositories.xml file. keyring updates can be done |
51 |
automatically with a cron job, emerge --sync hook or even make use of |
52 |
it's python API to run the maintenance actions from within the package |
53 |
manager (see b) |
54 |
|
55 |
b) A python library of predefined functions and methods to perform |
56 |
the regular verification and maintenance operations. They will be |
57 |
available from both the cli interface supplied or through use of it's |
58 |
python API. |
59 |
|
60 |
c) a cli interface for performing all the operations it is capable of. |
61 |
|
62 |
d) It leaves open the possibility of getting a gui interface that |
63 |
users can use for maintenance. Hey, I wouldn't code it any other way |
64 |
than to be able to switch out the interface without having to recode the |
65 |
operational routines. |
66 |
|
67 |
|
68 |
Ebuild installed seed files could be done as well for overlay use or |
69 |
other repositories of pkgs whether layman maintained or not. They would |
70 |
be subject to regular tree rules. All that is needed is to install the |
71 |
keyring's seed file to the gkey seedfile directory and call the gkey cli |
72 |
with the correct parameters for it to install the keys it specifies. |
73 |
Something easily done the the pkg_post_intall(). |
74 |
|
75 |
> > - keyring packages: |
76 |
> > Thus far, based on the Debian keyring model, where keyrings of trusted |
77 |
> > keys are installed locally in /usr/share/keyrings/, and the package |
78 |
> > manager (or other tools) looks there for validation. I've got a few |
79 |
> > planned so far: |
80 |
> > $CAT/gentoo-dev-keyring |
81 |
> > $CAT/gentoo-releng-keyring |
82 |
|
83 |
Yes, the code is set up for those 2 primary seed files and keyrings. |
84 |
They are not also needed to be installed via ebuild. The url's will be |
85 |
included in the pkg, They will be downloaded and installed the same as |
86 |
layman's repositories.xml file. It will save having it be version |
87 |
bumped up to several times a day in the case of the dev's seed file. |
88 |
I have yet to add the code in gkeyldap to check if the new seed file has |
89 |
indeed changed or not before changing the existing seed file. The gkey |
90 |
sync operation will send the "if-Modified-since" header like I did for |
91 |
layman-2.0, so only an updated seed file will trigger an update to the |
92 |
keys the seed file is responsible for and installed on the user's |
93 |
system. |
94 |
|
95 |
The dev keyrings are set up to be one keyring per dev. all under one |
96 |
umbrella dev-keyring directory. This was the setup requested by Brian |
97 |
Harring, to be used for the git commit verification hooks. It also |
98 |
provides some cross contamination protection. |
99 |
|
100 |
|
101 |
> > $CAT/gentoo-master-keyring |
102 |
Interesting... Good idea :) |
103 |
|
104 |
I have also started setting up a known_seeds variable to be used |
105 |
similarly to layman's repositories.xml. It could be for keys known to |
106 |
us for non-dev commits to official overlays and such. But have not put |
107 |
much thought into it. At any rate the code will be there to handle it |
108 |
regardless if it comes into being or not. |
109 |
|
110 |
> > To ease the 1-year-updatability requirement, these three packages |
111 |
> > should explicitly be signed by the master key (and not a dev key), |
112 |
> > which has a much longer validity. This would always enable you to |
113 |
> > rsync, install the latest gentoo-dev-keyring, and then install other |
114 |
> > packages thereafter. |
115 |
> I think this is a great idea, BUT, we would need to handle "the latest |
116 |
> gentoo-dev-keyring" like portage updates used to be handled. If there |
117 |
> is an update, warn the user, and if gentoo-dev-keyring is in the update |
118 |
> list it *must* be merged first. Again, these implementation details |
119 |
> don't necessarily have to be in the glep, but we need to make sure as we |
120 |
> go through that we account for such things. My day job is pretty much |
121 |
> running man in the middle on things and laughing at the result, so I'm |
122 |
> super excited to see all this hard work going in. |
123 |
> |
124 |
> > - layman keyrings: |
125 |
> > dolsen is also working on allowing overlays to specify keyrings in the |
126 |
> > repositories.xml; there's a few unanswered questions about how to |
127 |
> > ensure nobody does MITM attacks on those keyrings (either convince the |
128 |
> > overlays admins to change the URL to the keyring, or simply intercept |
129 |
> > requests for the keyring itself). This maps to how Ubuntu's Launchpad |
130 |
> > handles keys for PPAs. |
131 |
> |
132 |
> It is really tough to bootstrap things like this. honestly I would |
133 |
> suggest that this is good enough and overlay maintainers who really care |
134 |
> can post things on their website to help further manual verification. |
135 |
> Not that we should ignore issues here, but I wouldn't spend dozens of |
136 |
> hours trying to figure out how we secure overlays full of non-gentoo |
137 |
> official content. For the official ones we can sign their key with the |
138 |
> master key and that should take care of any trust issues. |
139 |
|
140 |
The fingerprint for the overlay's signed seed file could be added to |
141 |
repositories.xml which is controlled by gentoo devs and signed by the |
142 |
master key. That should take care of our end of it. Of course the user |
143 |
must take responsibility for installing and using the overlay ebuilds in |
144 |
the first place, so we can not offer any guarantees as to the validity |
145 |
of the overlay and the keys it offers unless it is an official overlay. |
146 |
For that use case any non-dev's must supply an equivalent of a dev's gpg |
147 |
signing key, following the same rules as dev's for it. It is those keys |
148 |
which we may have to create a central repo for, since they will not have |
149 |
a dev.g.o account to store them in (if that is the route taken). |
150 |
|
151 |
> > |
152 |
> > TODO: |
153 |
> > We need a way for a given repo, once installed, to specify what keyrings |
154 |
> > to use for validation. I'm thinking of adding it to |
155 |
> > metadata/layout.conf. |
156 |
> > The main gentoo-x86 repo would have for example: |
157 |
> > keyrings = gentoo-master gentoo-releng gentoo-dev |
158 |
> > |
159 |
> > Overlays might have: |
160 |
> > keyrings = gentoo-overlay-mysql |
161 |
> > |
162 |
> Love it. This should probably make it into the glep. |
163 |
> |
164 |
> Thanks, |
165 |
> Zero |
166 |
|
167 |
|
168 |
Sounds good to me. |
169 |
|
170 |
P.S. OH my, this turned out to be along reply :/ |
171 |
But I hope it clears up any questions people may have about it. |
172 |
It is a work in progress... |
173 |
-- |
174 |
Brian Dolbec <dolsen@g.o> |