From: enno+gentoo@groeper-berlin.de
To: gentoo-dev@lists.gentoo.org
Date: Wed, 02 Nov 2011 13:03:21 +0100
Subject: Re: [gentoo-dev] Manifest signing
Message-ID: <4EB13189.4000500@groeper-berlin.de>
In-Reply-To: <4E848879.2050100@gentoo.org>
Hello,

On 29.09.2011 17:02, Anthony G. Basile wrote:
> Hi everyone,
>
> The issue of Manifest signing came up in #gentoo-hardened channel ...
> again. It's clearly a security issue and yet many manifests in the tree
> are still not signed. Is there any chance that we can agree to reject
> unsigned manifests? Possibly a question for the Council to adjudicate?

I followed the threads about manifest signing with interest and even had
a look at the manifest signing guide [4]. Sounds nice at first view.

But, please correct me if I'm wrong. I didn't find a place where these
signatures are verified.

Is manifest signing for the infrastructure team, enabling them to verify
the author of a commit (see GLEP57 [1])? Wouldn't this be obsoleted by
commit signing if the move to git is done ([2])?

If it is (also) for the users, why is there no code for it in portage
anymore [3]? Okay, "why" is clear. Obviously nobody was maintaining it...

I thought about signing the manifests of my overlay. But this is
senseless if there is no automatic check. I can't think of any user
verifying manifest signatures by hand.

To me it looks like there are repeated complaints about missing
signatures, but I don't see any verification methods for existing
manifest signatures.

At the moment there are 10608 of 15085 manifests signed in my portage
tree. But I can't check them, because I don't have the public keys, and
if I fetch them from a public keyserver, I still don't know if they
really belong to the corresponding Gentoo developers.

Is there some kind of Gentoo Keyring I don't know of? How does the
infrastructure team check if a GPG key belongs to a developer? The
Manifest signing guide [4] simply says "Upload the key to a keyserver".
Everybody can upload a key to the public keyservers.
An attacker able to modify a signed Manifest could simply create a new
key in the developer's name and use it to sign the modified manifest.
Therefore it must be clear which key really belongs to a dev.

Furthermore, the Tree-Signing-GLEPs [5] seem to be incomplete. This
looks like the right place to continue work on Tree Signing.

Regards,
Enno

[1] http://www.gentoo.org/proj/en/glep/glep-0057.html
[2] http://archives.gentoo.org/gentoo-dev/msg_91813ec042831af2fd688e7ecfae4943.xml
[3] http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=4c16649d121dca977b3c569f03c5d1b194b635d4
[4] http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2&chap=6
[5] http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo/users/robbat2/tree-signing-gleps/
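The verification step the mail says is missing, as an added example that is not part of the original post and not Portage's own code: a POSIX shell script that walks a tree, counts signed versus unsigned Manifest files, and verifies each clearsigned one against a dedicated keyring only. The keyring path, the `GENTOO_KEYRING` variable, and the function names are assumptions of this example; the keyring is assumed to contain only keys whose ownership was checked out of band, which is exactly the distinction the mail draws between "a key exists on a keyserver" and "this key belongs to that developer".

```shell
#!/bin/sh
# Added example (not from the mail or from Portage). Verifies OpenPGP
# clearsigned Manifest files against ONE dedicated keyring rather than the
# user's default keyring, so a look-alike key fetched from a public
# keyserver is never consulted.
#
# Assumptions: gpg is on PATH for the verification step; GENTOO_KEYRING
# (or the placeholder path below) points at a keyring holding only
# independently verified developer keys.

KEYRING="${GENTOO_KEYRING:-/path/to/verified-gentoo-keys.gpg}"   # placeholder

# Classify one Manifest: prints "signed" for an OpenPGP clearsigned file
# (first line is the armor header), "unsigned" otherwise. Always exits 0.
manifest_sig_state() {
    if head -n 1 "$1" | grep -q '^-----BEGIN PGP SIGNED MESSAGE-----$'; then
        echo signed
    else
        echo unsigned
    fi
}

# Verify a clearsigned Manifest using only the trusted keyring.
# --no-default-keyring prevents gpg from falling back to ~/.gnupg/pubring.
# Exit status is gpg's: 0 only for a good signature from a key in KEYRING.
verify_manifest() {
    gpg --no-default-keyring --keyring "$KEYRING" --verify "$1" 2>/dev/null
}

# Walk a tree, count signed/unsigned Manifests and verify the signed ones.
# Prints "signed=N unsigned=M verified=V failed=F".
# Note: the for/$(find) loop assumes paths without whitespace.
audit_tree() {
    signed=0; unsigned=0; verified=0; failed=0
    for m in $(find "$1" -name Manifest -type f); do
        case "$(manifest_sig_state "$m")" in
            signed)
                signed=$((signed + 1))
                if verify_manifest "$m"; then
                    verified=$((verified + 1))
                else
                    failed=$((failed + 1))
                fi
                ;;
            unsigned)
                unsigned=$((unsigned + 1))
                ;;
        esac
    done
    echo "signed=$signed unsigned=$unsigned verified=$verified failed=$failed"
}

# Usage: sh audit-manifests.sh /usr/portage
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

A signed Manifest whose key is absent from the dedicated keyring is reported as failed, not as verified, which is the intended behaviour: the script can only say "signed by a key we trust" if the trust decision was made before the keyring was built, and that is the step the mail points out nobody has documented.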