Date:      Tue, 30 Dec 2003 17:13:05 +0300
From:      Sergei Kolobov <sergei@FreeBSD.org>
To:        Jose Nazario <jose@monkey.org>
Cc:        freebsd-ports@FreeBSD.org
Subject:   Re: RFC: automatically verify GnuPG signatures
Message-ID:  <20031230141305.GB722@chetwood.ru>
In-Reply-To: <Pine.BSO.4.58.0312300830150.1098@naughty.monkey.org>
References:  <20031228210730.GD7186@pm1.ric-22.lft.widomaker.com> <Pine.BSO.4.58.0312281644350.15545@naughty.monkey.org> <20031229000800.GF7186@pm1.ric-22.lft.widomaker.com> <20031225134736.86816.qmail@kolobov.com> <20031228210730.GD7186@pm1.ric-22.lft.widomaker.com> <Pine.BSO.4.58.0312281644350.15545@naughty.monkey.org> <20031225134736.86816.qmail@kolobov.com> <20031228210730.GD7186@pm1.ric-22.lft.widomaker.com> <20031229063439.GA794@chetwood.ru> <Pine.BSO.4.58.0312300830150.1098@naughty.monkey.org>


Jose,

On 2003-12-30 at 08:34 -0500, Jose Nazario wrote:
> i'm still against this. here's a scenario that is all too common:
>
> you download package foo-1.2 for building with the ports tree, it has a
> sig. you dont have the key, so you import it. do you trust it? you're the
> discriminating sort, so you look at the signatures and you see that Jose
> Nazario signed it. hey, you know him, oh, he has a key.  so you say "ok".
>
> without tying that key back to the large, strong set of signed keys, you
> don't know for sure. about 1/3 of the packages i sampled last year don't
> map back to the strong set, so you can't do realistic key lookups.

I don't think I follow your logic here.

Let me give an example:

sgk@elf% make checksum
>> Checksum OK for libgcrypt-1.1.91.tar.gz.
>> Checksum OK for libgcrypt-1.1.91.tar.gz.sig.
===> Verifying GnuPG signature for libgcrypt-1.1.91.tar.gz
gpg: Signature made Fri Dec 19 13:43:36 2003 MSK using DSA key ID 57548DCD
gpg: Good signature from "Werner Koch (gnupg sig) <dd9jn@gnu.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6BD9 050F D8FC 941B 4341  2DCC 68B7 AB89 5754 8DCD
sgk@elf%

All this means to me is that the signature is correct, and whoever
signed the key had the same tarball I just downloaded. Again, this is in
addition to the regular MD5 checksumming (and frankly, I would believe
MD5 checksum more than GPG signatures for ports).

Please also note the warning text produced by GPG.  Obviously, I did not
sign this key (and most probably never will), so it is marked to be
"unknown" on the web of trust.  There is no central authority that
certifies keys in PGP/GPG paradigm, but that is by design.

I have never met Werner Koch (the person who signed the tarball in my
example), and most probably never will. He is not associated with the
FreeBSD project, and as I said, I put more trust in the port's
maintainer and committers who track MD5 sum changes than into this
external entity. Nonetheless, an additional authenticity verification
is helpful (although not mandatory), even if it's theoretically subject
to compromise.

> i do suggest a change in your design, however. dont list two DISTFILE
> entries and try and work out the logic about which is a signature. have
> DISTFILE and DISTFILE_SIG, then you never had to question (and potentially
> make mistakes). it's also very clear to everyone what the file is.

Maybe. I just wanted the patch to be as unobtrusive to the existing
bsd.port.mk infrastructure as possible, while making it convenient to
use in port's Makefile.

> ps: i dont use pgp. if you ever see a key from me consider it invalid and
> probably compromised.

Hey, this shouldn't really matter to you, should it? 8-)
The proposed solution will be a NOOP in absence of ${LOCALBASE}/bin/gpg.

Sergei
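As an added example (not code from this thread or from the bsd.port.mk patch under discussion), the script below reads GnuPG's machine-readable status output, as emitted by `gpg --status-fd 1 --verify foo.sig foo`, and keeps apart the two facts the warning above runs together: whether the signature is good, and whether the signing key is certified in the local web of trust. The keyword sets follow GnuPG's doc/DETAILS; `Verdict`, `classify_status`, `decide` and `SAMPLE_STATUS` are names chosen here, and the sample status lines are constructed to mirror the libgcrypt run quoted in the message.

```python
from dataclasses import dataclass, field

TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}             # key is inside our web of trust
UNTRUSTED = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL"}
BAD = {"BADSIG", "ERRSIG"}                              # the signature itself does not check out
STALE = {"EXPSIG", "EXPKEYSIG", "REVKEYSIG"}            # good signature, but expired/revoked key or sig

@dataclass
class Verdict:
    signature_valid: bool = False   # VALIDSIG seen and nothing contradicted it
    key_trusted: bool = False       # TRUST_FULLY or TRUST_ULTIMATE seen
    fingerprint: str = ""           # signing-key fingerprint taken from VALIDSIG
    problems: list = field(default_factory=list)

def classify_status(lines):
    """Parse '[GNUPG:] ...' lines from `gpg --status-fd 1 --verify`; other lines are chatter."""
    v = Verdict()
    for line in lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "VALIDSIG":
            v.signature_valid = True
            v.fingerprint = fields[2]
        elif keyword in BAD:
            v.signature_valid = False
            v.problems.append(keyword)
        elif keyword in STALE or keyword in UNTRUSTED:
            v.problems.append(keyword)
        elif keyword in TRUSTED:
            v.key_trusted = True
    return v

def decide(v, require_trust=False):
    """Return 'ok', 'warn' or 'fail'.  'warn' is the case shown in the message:
    good signature, but the key is not certified in the local web of trust."""
    if not v.signature_valid or any(p in BAD or p in STALE for p in v.problems):
        return "fail"
    if v.key_trusted:
        return "ok"
    return "fail" if require_trust else "warn"

# Constructed status lines mirroring the libgcrypt-1.1.91 run quoted in the message.
SAMPLE_STATUS = [
    "gpg: Signature made Fri Dec 19 13:43:36 2003 MSK using DSA key ID 57548DCD",
    "[GNUPG:] GOODSIG 68B7AB8957548DCD Werner Koch (gnupg sig) <dd9jn@gnu.org>",
    "[GNUPG:] VALIDSIG 6BD9050FD8FC941B43412DCC68B7AB8957548DCD 2003-12-19 1071830616 0 3 0 17 2 00",
    "[GNUPG:] TRUST_UNDEFINED",
]
```

With `require_trust=False` the result for the quoted run is "warn", which matches treating gpg as an extra check on top of the MD5 sum rather than a hard requirement.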

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031230141305.GB722>