From: Sergei Kolobov <sergei@FreeBSD.org>
To: Jose Nazario
Cc: Jason Harris, freebsd-ports@FreeBSD.org
Date: Tue, 30 Dec 2003 17:13:05 +0300
Subject: Re: RFC: automatically verify GnuPG signatures
List: freebsd-ports@freebsd.org (Porting software to FreeBSD)
Message-ID: <20031230141305.GB722@chetwood.ru>
Jose,

On 2003-12-30 at 08:34 -0500, Jose Nazario wrote:
> i'm still against this. here's a scenario that is all too common:
>
> you download package foo-1.2 for building with the ports tree, it has a
> sig. you don't have the key, so you import it. do you trust it? you're the
> discriminating sort, so you look at the signatures and you see that Jose
> Nazario signed it. hey, you know him, oh, he has a key. so you say "ok".
>
> without tying that key back to the large, strong set of signed keys, you
> don't know for sure. about 1/3 of the packages i sampled last year don't
> map back to the strong set, so you can't do realistic key lookups.

I don't think I follow your logic here. Let me give an example:

  sgk@elf% make checksum
  >> Checksum OK for libgcrypt-1.1.91.tar.gz.
  >> Checksum OK for libgcrypt-1.1.91.tar.gz.sig.
  ===>  Verifying GnuPG signature for libgcrypt-1.1.91.tar.gz
  gpg: Signature made Fri Dec 19 13:43:36 2003 MSK using DSA key ID 57548DCD
  gpg: Good signature from "Werner Koch (gnupg sig) "
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 6BD9 050F D8FC 941B 4341 2DCC 68B7 AB89 5754 8DCD
  sgk@elf%

All this means to me is that the signature is correct, and whoever signed
the key had the same tarball I just downloaded. Again, this is in addition
to the regular MD5 checksumming (and frankly, I would believe MD5 checksum
more than GPG signatures for ports).

Please also note the warning text produced by GPG. Obviously, I did not
sign this key (and most probably never will), so it is marked to be
"unknown" on the web of trust. There is no central authority that
certifies keys in PGP/GPG paradigm, but that is by design. I have never
met Werner Koch (the person who signed the tarball in my example), and
most probably never will.
He is not associated with the FreeBSD project, and as I said, I put more
trust in the port's maintainer and committers who track MD5 sum changes
than into this external entity. Nonetheless, an additional authenticity
verification is helpful (although not mandatory), even if it's
theoretically subject to compromise.

> i do suggest a change in your design, however. don't list two DISTFILE
> entries and try and work out the logic about which is a signature. have
> DISTFILE and DISTFILE_SIG, then you never had to question (and potentially
> make mistakes). it's also very clear to everyone what the file is.

Maybe. I just wanted the patch to be as unobtrusive to the existing
bsd.port.mk infrastructure as possible, while making it convenient to use
in port's Makefile.

> ps: i don't use pgp. if you ever see a key from me consider it invalid and
> probably compromised.

Hey, this shouldn't really matter to you, should it? 8-)
The proposed solution will be a NOOP in absence of ${LOCALBASE}/bin/gpg.

Sergei
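The distinction the mail turns on (a "Good signature" from a key that is not certified in the verifier's web of trust, versus a bad signature or a key that is not in the keyring at all) is easier to act on from GnuPG's machine-readable status lines than from the human-readable text quoted above. The following POSIX sh script is an added example, not code from this mail, from Sergei's patch or from bsd.port.mk. It parses `--status-fd` output into one of a few outcomes, and wraps that in a distfile check that is a no-op when no gpg binary is available, as the mail describes for its patch. The function names, the `GPG_BIN` variable and the sample status lines are constructed for this example; the key ID used in the samples is the one from the transcript above.

```shell
#!/bin/sh
# Added example (not from the original mail or from bsd.port.mk): classify
# the outcome of a detached GnuPG signature check by parsing GnuPG's
# machine-readable status lines (--status-fd) instead of its prose output.
# Function names, GPG_BIN and the sample status lines are constructed here.

# Read "[GNUPG:] ..." status lines on stdin and print one classification:
#   good-trusted    valid signature, key fully or ultimately trusted
#   good-untrusted  valid signature, key not certified (the case in the mail)
#   bad             signature does not match the file
#   nokey           signing key is not in the keyring
#   error           anything else (no signature, unsupported algorithm, ...)
classify_gpg_status() {
    sig=none
    trust=undefined
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)   sig=good ;;
            "[GNUPG:] BADSIG "*)    sig=bad ;;
            "[GNUPG:] NO_PUBKEY "*) sig=nokey ;;
            "[GNUPG:] ERRSIG "*)    if [ "$sig" = none ]; then sig=error; fi ;;
            "[GNUPG:] TRUST_FULLY"*|"[GNUPG:] TRUST_ULTIMATE"*) trust=trusted ;;
        esac
    done
    case "$sig" in
        good)  if [ "$trust" = trusted ]; then echo good-trusted; else echo good-untrusted; fi ;;
        bad)   echo bad ;;
        nokey) echo nokey ;;
        *)     echo error ;;
    esac
}

# Verify a detached signature ($2) over a distfile ($1). When no usable gpg
# binary is found (GPG_BIN, then PATH) the check is skipped, mirroring the
# "NOOP in absence of gpg" behaviour the mail describes.
# Exit status: 0 good (a warning is printed when the key is not certified),
# 1 bad signature, 2 signing key unknown, 3 other verification error.
verify_distfile() {
    distfile=$1
    sigfile=$2
    gpg_bin=${GPG_BIN:-$(command -v gpg 2>/dev/null || true)}
    if [ -z "$gpg_bin" ] || [ ! -x "$gpg_bin" ]; then
        echo "gpg not found; skipping signature check for $distfile" >&2
        return 0
    fi
    # --status-fd 1 sends the status lines to stdout; the prose goes to stderr.
    outcome=$("$gpg_bin" --batch --status-fd 1 --verify "$sigfile" "$distfile" 2>/dev/null \
        | classify_gpg_status)
    case "$outcome" in
        good-trusted)   echo "Good signature (trusted key) for $distfile" ;;
        good-untrusted) echo "Good signature for $distfile, but the key is not certified in your web of trust" >&2 ;;
        bad)   echo "BAD signature for $distfile" >&2; return 1 ;;
        nokey) echo "Signing key for $distfile is not in the keyring" >&2; return 2 ;;
        *)     echo "Could not verify $distfile" >&2; return 3 ;;
    esac
}

# Usage: verify.sh foo-1.2.tar.gz foo-1.2.tar.gz.sig
if [ $# -ge 2 ]; then
    verify_distfile "$1" "$2"
fi
```

The classification deliberately treats "good-untrusted" as a pass with a warning, which is exactly what `make checksum` showed in the transcript: the signature proves the tarball matches what the key holder signed, and nothing more. A port framework that wanted to be stricter would return non-zero for that outcome as well.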