Mark H Weaver writes:

> Alex Kost <alez...@gmail.com> writes:
>
>> Ludovic Courtès (2015-10-05 18:55 +0300) wrote:
>>
>>> Alex Kost <alez...@gmail.com> skribis:
>>>
>>>> Ludovic Courtès (2015-10-04 19:57 +0300) wrote:
>>>>
>>>>> However, if this is “too convenient”, I’m afraid this would give an incentive to not check OpenPGP signatures when they are available.
>>>>
>>>> Sorry, I have no idea what it means :-(
>>>
>>> When upstream digitally signs its source code tarballs, packagers should check those signatures to authenticate the code they have.
>>>
>>> If the tool makes it too easy to fill out the ‘sha256’ field without going through the trouble of downloading the ‘.sig’ file and checking it, then people will have an incentive not to check those signatures.
>>
>> Oh, now I see what you mean. Well, I don't know, I think if a user has a habit to check a signature, he will check it anyway; and if not, then not.
>
> I share Ludovic's concern. It is a serious problem if packagers fail to check signatures. We should not provide mechanisms that encourage such behavior. It jeopardizes the security of every user of those packages.
>
> IMO, we should rather be going in the other direction, to formalize and automate the checking of signatures. IMO, our 'origin' objects should include a set of fingerprints of acceptable GPG signing keys for that package, as well as information on how to find the signature (in cases where it cannot be guessed).
>
> This would have several beneficial effects:
>
> * If the packager downloaded a key belonging to a man-in-the-middle (quite possible given that we rarely have a validated chain of trust to the developer), then that bad key will be stored in our git repo for all to see, allowing someone to notice that it's the wrong key.
>
> * When the package is later updated, it will not be possible for a new man-in-the-middle attack to be made on us. If a new signing key is used, we cannot fail to notice it. It will raise a red flag and we can investigate.
>
> * It would strongly encourage packagers to do these checks, and make it obvious to reviewers or users when the packager failed to do so. It would also make it easy to find unsigned packages, so that we can encourage upstream to start signing the packages, at least for the most important ones.
>
> Also, our linter should download and check the signature, so that it's easy for others to independently check the verification done by the original packager.
>
> What do you think?
>
> Mark
This sounds great to me!
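The check Mark proposes, as an added example that is not part of the original thread or of Guix itself: an 'origin'-like record carries the fingerprints of the keys allowed to sign a release plus an optional explicit signature location, and a linter-style routine compares the key that actually signed the tarball against that set. It parses gpg's machine-readable `--status-fd` output rather than its human-readable messages, and it reports a distinct "unknown-key" verdict so that a key change on update cannot be missed. The field names (`signing_keys`, `signature_uri`), the verdict names, the `.sig` guessing rule and all fingerprints and status lines below are assumptions or constructed sample data, not real keys or Guix conventions.

```python
"""Added example (not Guix code): verify that a release signature was made by a
key declared in the package's origin, using gpg's status-fd output."""
import subprocess
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Origin:
    """Hypothetical stand-in for an 'origin' record (field names are assumptions)."""
    uri: str
    sha256: str
    # Full 40-hex-digit fingerprints of the primary keys allowed to sign releases.
    # An empty set is visible in review: upstream does not sign, or nobody checked.
    signing_keys: FrozenSet[str] = frozenset()
    # Where the detached signature lives when it cannot be guessed from the uri.
    signature_uri: Optional[str] = None


def signature_uri(origin: Origin) -> str:
    """Explicit location if given, otherwise the common '<tarball>.sig' convention."""
    return origin.signature_uri or origin.uri + ".sig"


def normalize_fpr(fpr: str) -> str:
    return fpr.replace(" ", "").upper()


def parse_gpg_status(status_text: str) -> Tuple[str, Optional[str]]:
    """Interpret the '[GNUPG:] ...' lines gpg writes on --status-fd.

    Returns (verdict, primary_key_fingerprint).  Only VALIDSIG carries the
    fingerprint; GOODSIG alone gives just a key ID, which is not enough.
    """
    fingerprint = None
    verdict = "no-signature"
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "BADSIG":
            return "bad-signature", None
        if keyword in ("ERRSIG", "NO_PUBKEY"):
            # Could not verify (key not in keyring, unsupported algorithm).
            # Never treat "could not check" as "checked".
            return "unverifiable", None
        if keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <reserved> <pk-algo>
            #          <hash-algo> <class> [<primary-key-fpr>]
            # Prefer the primary-key fingerprint so signing subkeys can rotate.
            fingerprint = normalize_fpr(fields[11] if len(fields) > 11 else fields[2])
            verdict = "valid-signature"
    return verdict, fingerprint


def check_origin_signature(origin: Origin, status_text: str) -> Tuple[str, Optional[str]]:
    """Combine gpg's verdict with the origin's allow-list.

    'ok'               signed by a declared key
    'unknown-key'      cryptographically valid but NOT by a declared key: red flag
    'no-keys-declared' the origin lists no keys, so nothing was verified
    other verdicts are passed through from parse_gpg_status().
    """
    if not origin.signing_keys:
        return "no-keys-declared", None
    verdict, fpr = parse_gpg_status(status_text)
    if verdict != "valid-signature":
        return verdict, fpr
    if fpr in {normalize_fpr(k) for k in origin.signing_keys}:
        return "ok", fpr
    return "unknown-key", fpr


def run_gpg_verify(sig_path: str, data_path: str, keyring: str) -> str:
    """Run gpg against a dedicated keyring and return its status-fd output.
    Requires gpg on PATH; not exercised by the constructed sample below."""
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
           "--status-fd", "1", "--verify", sig_path, data_path]
    return subprocess.run(cmd, capture_output=True, text=True).stdout


# Constructed sample data: fake fingerprints and hand-written status lines.
UPSTREAM_FPR = "1111222233334444555566667777888899990000"
SUBKEY_FPR = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
ATTACKER_FPR = "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"


def _status(primary_fpr: str, sub_fpr: str) -> str:
    return "\n".join([
        "[GNUPG:] NEWSIG",
        f"[GNUPG:] GOODSIG {sub_fpr[-16:]} Example Maintainer <maint@example.org>",
        f"[GNUPG:] VALIDSIG {sub_fpr} 2015-10-01 1443657600 0 4 0 1 10 00 {primary_fpr}",
        "[GNUPG:] TRUST_UNDEFINED 0 pgp",  # web-of-trust state is irrelevant here
    ])


GOOD_STATUS = _status(UPSTREAM_FPR, SUBKEY_FPR)
NEW_KEY_STATUS = _status(ATTACKER_FPR, ATTACKER_FPR)
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG AAAABBBBCCCCDDDD Example Maintainer <maint@example.org>"
MISSING_KEY_STATUS = ("[GNUPG:] NEWSIG\n[GNUPG:] ERRSIG DEADBEEFDEADBEEF 1 10 00 1443657600 9\n"
                      "[GNUPG:] NO_PUBKEY DEADBEEFDEADBEEF")

EXAMPLE_ORIGIN = Origin(uri="https://example.org/releases/foo-1.0.tar.gz",
                        sha256="0" * 64, signing_keys=frozenset({UPSTREAM_FPR}))

if __name__ == "__main__":
    for name, status in [("good", GOOD_STATUS), ("new-key", NEW_KEY_STATUS),
                         ("bad", BAD_STATUS), ("missing-key", MISSING_KEY_STATUS)]:
        print(name, check_origin_signature(EXAMPLE_ORIGIN, status))
```

Two design points worth keeping from this sketch: matching on the primary-key fingerprint lets upstream rotate signing subkeys without a change to the origin, while a change of primary key always surfaces as "unknown-key"; and "unverifiable" is kept separate from "bad-signature" so that a missing public key in the linter's keyring is reported as an unchecked package rather than silently passing.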