Hi,

On Fri, 17 Jul 2015 10:18:14 +0200 Kristian Fiskerstrand wrote:
> > Additionally, I feel that a signature is a means of acknowledging
> > that a package has been looked over, and that developer has stated
> > that they approve of the existing state. I'm not sure if others
> > agree with that sentiment,
>
> I appreciate that you bring up this point. I would expect that part of
> that state is for the developer to verify the source distfile from
> upstream using OpenPGP / GnuPG as well, i.e. not just rely on TOFU
> (trust on first use). This also means keeping a (locally) certified
> copy of the upstream distribution key that is reasonably verified by
> the developer.

Let me point out another issue related to the discussion above. It would be nice to have cryptographic verification of already installed packages. This will help in forensics and security audits of systems, so that even without an external snapshot of the system it will be possible to check for malicious changes to installed packages.

Right now we have the /var/db/pkg/$cat/$name/CONTENTS file with such data, but:

1. It uses md5 for file checksums.
2. It is not signed.

So my proposal is:

1. Switch to a more cryptographically secure hash (e.g. sha512 or whirlpool).
2. Add an optional feature to emerge (or even to PMS?) allowing the user to provide a usable GPG key for signing packages' CONTENTS files after their generation. In order for such a key to be usable during an emerge run, gpg-agent should be used; alternatively it may be allowed to sign already installed packages on a trusted system.
3. Of course backward compatibility with the old CONTENTS format should be kept.

This proposal is not my own whim: I have requests from users for such functionality, which is quite wanted on production setups.

Best regards,
Andrew Savchenko
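
The audit described in the message above, as an added example that is not code from Portage or from the post: it parses CONTENTS entries (`dir <path>`, `obj <path> <md5> <mtime>`, `sym <path> -> <target> <mtime>`), checks each regular file against its recorded md5, and emits a sha512 manifest of the files that still match. The function names, the manifest layout and the sample files are assumptions; the manifest would be signed separately on a trusted system, for instance with a detached GnuPG signature.

```python
import hashlib, os, tempfile

def parse_contents(text):
    """Yield (kind, path, md5) for each CONTENTS entry (dir / obj / sym)."""
    for line in filter(str.strip, text.splitlines()):
        kind, rest = line.split(" ", 1)
        if kind == "obj":
            # Paths may contain spaces; md5 and mtime are the last two fields.
            path, md5, _mtime = rest.rsplit(" ", 2)
            yield kind, path, md5.lower()
        elif kind == "sym":
            yield kind, rest.split(" -> ", 1)[0], None
        else:
            yield kind, rest, None

def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(contents_text, root="/"):
    """Return (problems, manifest): md5 mismatches and a sha512 list to sign."""
    problems, manifest = [], []
    for kind, path, md5 in parse_contents(contents_text):
        if kind != "obj":
            continue
        real = os.path.join(root, path.lstrip("/"))
        if os.path.islink(real) or not os.path.isfile(real):
            problems.append((path, "missing or not a regular file"))
        elif file_digest(real, "md5") != md5:
            problems.append((path, "modified"))
        else:
            manifest.append(f"{file_digest(real, 'sha512')}  {path}")
    return problems, "".join(m + "\n" for m in manifest)

def demo():
    """Constructed sample: two installed files, one altered after install."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/bin"))
    lines = ["dir /usr", "dir /usr/bin"]
    for name, data in (("tool", b"original\n"), ("my tool", b"untouched\n")):
        with open(os.path.join(root, "usr/bin", name), "wb") as f:
            f.write(data)
        lines.append(f"obj /usr/bin/{name} {hashlib.md5(data).hexdigest()} 1437120000")
    with open(os.path.join(root, "usr/bin/tool"), "wb") as f:
        f.write(b"tampered\n")
    return audit("\n".join(lines) + "\n", root)
```

Because the recorded md5 values are unsigned, a match here only shows consistency with the CONTENTS file as it stands, which is the gap the signing proposal addresses.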