* [gentoo-dev] Re: [gentoo-dev-announce] PORTAGE_GPG_KEY strictness
From: Ben de Groot @ 2012-10-17 0:53 UTC
To: gentoo-dev
On Oct 17, 2012 6:57 AM, "Robin H. Johnson" <robbat2@gentoo.org> wrote:
>
> Hi all,
>
> One of the items that has come up in the Git conversion, and needs some
> attention.
>
> Previously, the PORTAGE_GPG_KEY variable has allowed ANY argument, and
> passed it to GPG, letting GPG use that. This was intended to explicitly
> be a unique identifier for a key (or subkey).
>
> However, it seems that there are signed commits with other values in the
> variable, and instead of something nice like:
> (Portage version: 2.2.0_alpha138/cvs/Linux x86_64, signed Manifest commit
> with key 0x586A3B1F)
> We have commits with:
> (Portage version: 2.2.0_alpha138/cvs/Linux x86_64, signed Manifest commit
> with key emailaddress)
>
> This makes validation harder, as we need to extract the identity of the
> key from the Manifest before we can proceed. Additionally, if a
> developer has multiple keys, possibly over time, we cannot use this
> string to identify what key was used easily.
>
> As such, we've decided to make the PORTAGE_GPG_KEY strictly enforce what
> was originally intended.
>
> - You must specify a key or subkey exactly.
> - The leading "0x" is optional.
> - If you want to use a subkey, per the PGP specifications, you must
> suffix your keyid with "!".
> - Your keyid is exactly: 8, 16, 24, 32 xor 40 hexdigits long.
>
> Additionally, while we are NOT enforcing the use of long key-ids
> presently, I strongly encourage ALL developers to move to using them,
> due to known attacks against short ids:
> http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html
> Long key-ids are the 16/24/32 hexdigit long versions of your key ids.
Why not enforce best practices and only accept the above long key-ids?
> Using your full fingerprint (40 hexdigit) is also possible, but doesn't
> allow you to select a subkey (subkeys don't have a full fingerprint).
> Additionally, we'll be chasing up LDAP to convert all entries there to
> long key-ids.
>
> Examples:
> ---------
> Recommended:
> PORTAGE_GPG_KEY='0123456789ABCEF'
> PORTAGE_GPG_KEY='0123456789ABCEF!'
> PORTAGE_GPG_KEY='0x0123456789ABCEF'
> PORTAGE_GPG_KEY='0x0123456789ABCEF!'
>
> Valid, but not recommended:
> PORTAGE_GPG_KEY='01234567'
> PORTAGE_GPG_KEY='ABCDEF01!'
> PORTAGE_GPG_KEY='0x01234567'
> PORTAGE_GPG_KEY='0xABCDEF01!'
> PORTAGE_GPG_KEY='0123456789ABCEF0123456789ABCEF0123456789'
>
> Invalid:
> PORTAGE_GPG_KEY='username'
> PORTAGE_GPG_KEY='username@domain.com'
>
> --
> Robin Hugh Johnson
> Gentoo Linux: Developer, Trustee & Infrastructure Lead
> E-Mail : robbat2@gentoo.org
> GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
* Re: [gentoo-dev] Re: [gentoo-dev-announce] PORTAGE_GPG_KEY strictness
From: Robin H. Johnson @ 2012-10-17 1:16 UTC
To: gentoo-dev
On Wed, Oct 17, 2012 at 08:53:14AM +0800, Ben de Groot wrote:
> > Additionally, while we are NOT enforcing the use of long key-ids
> > presently, I strongly encourage ALL developers to move to using them,
> > due to known attacks against short ids:
> > http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html
> > Long key-ids are the 16/24/32 hexdigit long versions of your key ids.
> Why not enforce best practices and only accept the above long key-ids?
Depending on the age of your key, this is not practical to check
quickly. It would require a call out to gpg to expand a given ID, and
see if it actually expands or is already expanded. That's actually why
the length check is so complicated.
If we don't mind forcing devs & anybody using the signing functionality
to replace old keys (they'd be well over a decade at this point), we can
drop the length=8 variation in the regex.
--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
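As an added worked example, not code from Portage, repoman or anyone in this thread: a small Python validator that encodes the four rules quoted in the announcement (optional leading "0x"; exactly 8, 16, 24, 32 or 40 hex digits; a trailing "!" to select a subkey; no "!" on a 40-digit fingerprint, since the announcement says a fingerprint cannot select a subkey) and classifies an accepted value as a short id, long id or fingerprint, so the 8-digit case that the follow-up above considers dropping from the regex is flagged with a warning rather than silently accepted. It also returns a canonical form (upper-case hex, no "0x", "!" kept), which is the normalising direction Michał proposes later in the thread. Function names are my own; the sample values are constructed except for 0x586A3B1F, which is the key id in the quoted commit line. Note that, counted as written, the "Recommended" examples in the quoted mail have only 15 hex digits, so a strict check of the stated lengths rejects them; that string is included in the samples to show it.

```python
import re

# Shape of an accepted value, from the rules quoted in the announcement:
# optional "0x", a run of hex digits, optional trailing "!" (subkey).
_KEYID_RE = re.compile(r"^(?:0x)?(?P<hex>[0-9A-Fa-f]+)(?P<bang>!?)$")

# Permitted digit counts and what each one denotes (assumption: the
# classification follows the thread's "short / long / fingerprint" wording).
_ALLOWED_LENGTHS = {
    8: "short keyid",
    16: "long keyid",
    24: "long keyid",
    32: "long keyid",
    40: "fingerprint",
}


def validate_portage_gpg_key(value):
    """Check one PORTAGE_GPG_KEY value against the thread's rules.

    Returns a dict with keys: valid (bool), reason (str, why it was rejected),
    hexid (upper-case hex digits or None), subkey (bool), kind (str or None),
    warning (str or None, set for the collidable 8-digit short form).
    """
    result = {"valid": False, "reason": "", "hexid": None,
              "subkey": False, "kind": None, "warning": None}
    m = _KEYID_RE.match(value.strip())
    if not m:
        result["reason"] = "not a hex key id (e.g. a username or e-mail address)"
        return result
    hexid = m.group("hex").upper()
    subkey = m.group("bang") == "!"
    kind = _ALLOWED_LENGTHS.get(len(hexid))
    if kind is None:
        result["reason"] = "%d hex digits; must be exactly 8, 16, 24, 32 or 40" % len(hexid)
        return result
    if kind == "fingerprint" and subkey:
        # The announcement states a full fingerprint cannot select a subkey.
        result["reason"] = "'!' is not allowed after a 40-digit fingerprint"
        return result
    result.update(valid=True, hexid=hexid, subkey=subkey, kind=kind)
    if kind == "short keyid":
        result["warning"] = ("8-digit short key ids are collidable; "
                             "use the 16-digit or longer form")
    return result


def canonical_portage_gpg_key(value):
    """Normalised form of an accepted value: upper-case hex, no '0x', '!' kept.

    Raises ValueError with the validator's reason for a rejected value.
    """
    r = validate_portage_gpg_key(value)
    if not r["valid"]:
        raise ValueError(r["reason"])
    return r["hexid"] + ("!" if r["subkey"] else "")


# Constructed sample values, one per case (0x586A3B1F is the id from the
# quoted commit line; the rest are made up for this example).
SAMPLES = [
    "0x586A3B1F",                                   # short id: accepted, warned
    "0123456789ABCDEF!",                            # long id selecting a subkey
    "0x0123456789ABCDEF0123456789ABCDEF01234567",   # full fingerprint
    "0123456789ABCDEF0123456789ABCDEF01234567!",    # fingerprint + '!': rejected
    "0123456789ABCEF",                              # the mail's literal example: 15 digits
    "username@domain.com",                          # rejected outright
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = validate_portage_gpg_key(s)
        print("%-44s valid=%-5s kind=%-12s subkey=%-5s %s" % (
            s, r["valid"], r["kind"], r["subkey"], r["warning"] or r["reason"]))
```

The length table is what makes Robin's point concrete: a pure regex can only tell the 8-digit form apart by length, so the warning here is the most a config-time check can do without calling out to gpg to expand the id.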
* [gentoo-dev] Re: [gentoo-dev-announce] PORTAGE_GPG_KEY strictness
From: Patrick Lauer @ 2012-10-17 1:30 UTC
To: gentoo-dev
On 10/17/12 06:54, Robin H. Johnson wrote:
> Hi all,
>
> One of the items that has come up in the Git conversion, and needs some
> attention.
>
[snip]
>
> As such, we've decided to make the PORTAGE_GPG_KEY strictly enforce what
> was originally intended.
>
> - You must specify a key or subkey exactly.
> - The leading "0x" is optional.
> - If you want to use a subkey, per the PGP specifications, you must
> suffix your keyid with "!".
> - Your keyid is exactly: 8, 16, 24, 32 xor 40 hexdigits long.
That's nice. Can we also add some basic policies on key format (key
length, validity) and get a centrally-hosted keyring?
Then it'd even make sense for us to start using the whole signing thing
now :)
Thanks,
Patrick
* Re: [gentoo-dev] Re: [gentoo-dev-announce] PORTAGE_GPG_KEY strictness
From: Rich Freeman @ 2012-10-17 2:16 UTC
To: gentoo-dev
On Tue, Oct 16, 2012 at 9:30 PM, Patrick Lauer <patrick@gentoo.org> wrote:
> That's nice. Can we also add some basic policies on key format (key
> length, validity) and get a centrally-hosted keyring?
>
> Then it'd even make sense for us to start using the whole signing thing
> now :)
Well, if we're going to do that give some thought to also whether the
sigs need to be by Gentoo devs, and also think about any implications
of the move to git. That is, unless we want to just go through all of
that all over again.
PKI becomes a nightmare if anybody but devs sign, and when we move to
git it won't really be possible to have anybody else sign anyway
unless we allow merge commits, which is just a whole different mess.
The trustees are already wrestling with what to do about non-dev
foundation members who lose their gpg keys and thus can't sign ballots
or prove who they are. (Let's not do that debate in this thread -
just an example of the PKI problem. If you have any concerns either
send them to trustees@ or gentoo-nfp and keep them off this list.)
Rich
* Re: [gentoo-dev] Re: [gentoo-dev-announce] PORTAGE_GPG_KEY strictness
From: Peter Stuge @ 2012-10-17 2:23 UTC
To: gentoo-dev
Rich Freeman wrote:
> PKI becomes a nightmare if anybody but devs sign, and when we move to
> git it won't really be possible to have anybody else sign anyway
> unless we allow merge commits, which is just a whole different mess.
I'm not sure? Signatures can be made on anything by anyone and stored
as-is - the question is if and why they will be trusted for anything
and while interesting I think that's a separate topic?
I mean: Don't confuse commit signatures with repository access control.
//Peter
* [gentoo-dev] Re: [gentoo-dev-announce] PORTAGE_GPG_KEY strictness
From: Michał Górny @ 2012-10-17 7:16 UTC
To: gentoo-dev; +Cc: robbat2
On Tue, 16 Oct 2012 22:54:04 +0000
"Robin H. Johnson" <robbat2@gentoo.org> wrote:
> Previously, the PORTAGE_GPG_KEY variable has allowed ANY argument, and
> passed it to GPG, letting GPG use that. This was intended to explicitly
> be a unique identifier for a key (or subkey).
>
> However, it seems that there are signed commits with other values in the
> variable, and instead of something nice like:
> (Portage version: 2.2.0_alpha138/cvs/Linux x86_64, signed Manifest commit
> with key 0x586A3B1F)
> We have commits with:
> (Portage version: 2.2.0_alpha138/cvs/Linux x86_64, signed Manifest commit
> with key emailaddress)
>
> This makes validation harder, as we need to extract the identity of the
> key from the Manifest before we can proceed. Additionally, if a
> developer has multiple keys, possibly over time, we cannot use this
> string to identify what key was used easily.
>
> As such, we've decided to make the PORTAGE_GPG_KEY strictly enforce what
> was originally intended.
>
> - You must specify a key or subkey exactly.
> - The leading "0x" is optional.
> - If you want to use a subkey, per the PGP specifications, you must
> suffix your keyid with "!".
> - Your keyid is exactly: 8, 16, 24, 32 xor 40 hexdigits long.
Isn't that fixing the issue from the wrong end?
I agree that the keyids in commit messages should follow some kind
of spec. But I rather think that portage should be modified to convert
any supported argument to follow that spec rather than the spec being
forced into the configuration file.
Also, will that matter anymore after the git conversion?
--
Best regards,
Michał Górny
* Re: [gentoo-dev] Re: [gentoo-dev-announce] PORTAGE_GPG_KEY strictness
From: Zac Medico @ 2012-10-17 16:22 UTC
To: gentoo-dev
On 10/17/2012 12:16 AM, Michał Górny wrote:
> On Tue, 16 Oct 2012 22:54:04 +0000
> "Robin H. Johnson" <robbat2@gentoo.org> wrote:
>> As such, we've decided to make the PORTAGE_GPG_KEY strictly enforce what
>> was originally intended.
>>
>> - You must specify a key or subkey exactly.
>> - The leading "0x" is optional.
>> - If you want to use a subkey, per the PGP specifications, you must
>> suffix your keyid with "!".
>> - Your keyid is exactly: 8, 16, 24, 32 xor 40 hexdigits long.
>
> Isn't that fixing the issue from the wrong end?
>
> I agree that the keyids in commit messages should follow some kind
> of spec. But I rather think that portage should be modified to convert
> any supported argument to follow that spec rather than the spec being
> forced into the configuration file.
If you file a bug and tell me what gpg commands to run, then I'll add it
to repoman.
> Also, will that matter anymore after the git conversion?
The repoman PORTAGE_GPG_KEY validation is only triggered if layout.conf
does not specify "sign-manifests = false":
http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=d40c242a4c9a9b666fd8730734b149bce2dd7cd9
--
Thanks,
Zac
* Re: [gentoo-dev] Re: [gentoo-dev-announce] PORTAGE_GPG_KEY strictness
From: Kacper Kowalik @ 2012-10-17 17:26 UTC
To: gentoo-dev
On 17.10.2012 03:30, Patrick Lauer wrote:
> On 10/17/12 06:54, Robin H. Johnson wrote:
>> Hi all,
>>
>> One of the items that has come up in the Git conversion, and needs some
>> attention.
>>
> [snip]
>>
>> As such, we've decided to make the PORTAGE_GPG_KEY strictly enforce what
>> was originally intended.
>>
>> - You must specify a key or subkey exactly.
>> - The leading "0x" is optional.
>> - If you want to use a subkey, per the PGP specifications, you must
>> suffix your keyid with "!".
>> - Your keyid is exactly: 8, 16, 24, 32 xor 40 hexdigits long.
>
> That's nice. Can we also add some basic policies on key format (key
> length, validity) and get a centrally-hosted keyring?
>
> Then it'd even make sense for us to start using the whole signing thing
> now :)
Additionally, can any consensus achieved here be documented right away?
e.g. here [1] or @devmanual.g.o
Cheers,
Kacper
[1] http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2&chap=6