Date: Mon, 29 Dec 2003 09:34:39 +0300 From: Sergei Kolobov <sergei@FreeBSD.org> To: Jason Harris <jharris@widomaker.com>, Jose Nazario <jose@monkey.org> Cc: freebsd-ports@FreeBSD.org Subject: RFC: automatically verify GnuPG signatures Message-ID: <20031229063439.GA794@chetwood.ru> In-Reply-To: <20031229000800.GF7186@pm1.ric-22.lft.widomaker.com> <Pine.BSO.4.58.0312281644350.15545@naughty.monkey.org> <20031228210730.GD7186@pm1.ric-22.lft.widomaker.com> References: <20031225134736.86816.qmail@kolobov.com> <20031228210730.GD7186@pm1.ric-22.lft.widomaker.com> <Pine.BSO.4.58.0312281644350.15545@naughty.monkey.org> <20031229000800.GF7186@pm1.ric-22.lft.widomaker.com> <20031225134736.86816.qmail@kolobov.com> <20031228210730.GD7186@pm1.ric-22.lft.widomaker.com> <Pine.BSO.4.58.0312281644350.15545@naughty.monkey.org> <20031225134736.86816.qmail@kolobov.com> <20031228210730.GD7186@pm1.ric-22.lft.widomaker.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--BOKacYhQ+x31HxR3 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable (cc'd to freebsd-ports for broader discussion) Some background for the list subscribers: I have recently submitted a patch for bsd.port.mk to enable automatic verification of GnuPG signatures (for those ports that provide them) at 'make checksum' phase. See http://www.freebsd.org/cgi/query-pr.cgi?pr=3D60558 for details. Jason Harris commented (privately) that .asc suffix is much more common these days. (My patch defaults to .sig suffix). On 2003-12-28 at 16:07 -0500, Jason Harris wrote: > OK, I just finished a (crude) survey and found that > ~4% of FreeBSD's ports' distfiles are PGP-signed: >=20 > databases 8 > devel 25 > ftp 7 > mail 46 > misc 19 > net 39 > security 59 > sysutils 26 > www 24 > all others 135 > ---------- --- > total 388 >=20 >=20 > 245 have .asc extensions, 136 have .sig extensions, one (web) server > returned .sign when asked for .sig: I have also seen .sig.asc suffix. ;) In any case, if .asc is indeed much more common suffix for detached signatures, it is trivial to modify the patch to change that default. > Whether all these signers have their keys on the keyservers > (ports/security is 100% but I haven't checked the others) and > all these signatures verify is still unknown, but I'll likely > try to determine that next. That shouldn't really matter. The patch just makes a best-effort to check a signature, but failure to do so is *NOT* catastrophic. After all, it does NOT replace the current MD5 checksum mechanism, but is *in addition* to it. Moreover, if a lot of people believe that automatically fetching public keys from a keyserver will create a security risk, then I can add a knob to disable that behavior by default (even though I think it would make the whole mechanism a lot less useful). By the way, my choice of pgp.mit.edu as the default keyserver (overridable) is also open for discussion. Now, there was another opinion on the subject in general: On 2003-12-28 at 16:49 -0500, Jose Nazario wrote: > i'm against it for the following reasons: >=20 > - the ease with which the system can be subverted > - the continual quality issues in gnupg These two points may have some value in them ;) but remember - we still have MD5 checksum as I just mentioned above. GPG signatures are just an additional level of verification. > - the license on gnupg and the aims of the bsd project Not applicable - we are not bringing GPG into the base system. 8-) > - yet another dependency It does *NOT* add GPG as a dependency. It does signature verification=20 if (and only if) GPG is *ALREADY* present on your system. If GPG is not found, it just displays a harmless warning message. > all of those alone are enough reason for me to dislike it, and together > they just completely nullify any value for my for this capability. I like the patch. 8-)=20 YMMV ;) > i'm far more pleased with the current mechanisms we use in bsd with > cryptographic hashes, this caught a number of incidents in the past two > years. while we lack any mechanism of verifying them beyond "this is what > i think was supposed to be downloaded" and "this is what everyone else has > for a hash", it's worked very well. I am fine with MD5 checksums, too. I am not saying GPG signatures should replace them.=20 On 2003-12-28 at 19:08 -0500, Jason Harris wrote: > The prime value of automatically checking PGP signatures is so people > who know enough about a software distribution, its author, and/or its > author's PGP key(s) can more easily spot discrepancies in the form of > newer signatures on existing revisions (stolen key, trojaned distfile), > signatures made by unexpected keys (bogus key, trojaned distfile), > and signatures made by untrusted keys (legitimate key that needs more > signatures). Also, having even unfamiliar people looking at the GPG > output as they fetch the tarballs, signatures, and keys anew is quite > valuable. With more eyes on the ball, even the newbie who signs all > keys on their keyring and then notices a signature by a new, untrusted > key during a port upgrade will have the potential to stop trojans. Exactly my point! Being able to confirm the authenticity of the tarball(s) by another mean in addition to the MD5 checksum should give more confidence to the admin installing the port, IMHO. Sergei --BOKacYhQ+x31HxR3 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQE/78r/FOxuaTulNAERAtEqAJ9FowNAefbEwR5bWTpMydGhN7YprwCfZ0KT irJiH77H8oESci+QJREw/Gk= =nEY3 -----END PGP SIGNATURE----- --BOKacYhQ+x31HxR3--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031229063439.GA794>