public inbox for gentoo-dev@lists.gentoo.org
From: "Robin H. Johnson" <robbat2@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Manifest signing
Date: Thu, 3 Nov 2011 23:09:30 +0000
Message-ID: <robbat2-20111103T224253-631507583Z@orbis-terrarum.net>
In-Reply-To: <4EB30DE8.8010005@groeper-berlin.de>

On Thu, Nov 03, 2011 at 10:55:52PM +0100, enno+gentoo@groeper-berlin.de wrote:
> >> If it is (also) for the users, why is there no code for it in portage
> >> anymore [3]?
> > Hmm, I hadn't seen that removal, but it makes sense unless the entire
> > tree is developer-signed, which isn't likely to happen soon.
> I don't agree here. Of course the implementation shouldn't stop the user
> from installing an unsigned package at the moment. But it could give a
> warning instead and ask the user what to do.
> In this way developers are encouraged to sign their packages (to make
> the warning go away) and users get the ability to check the signatures,
> that already exist.
> Key problem here is the Gentoo keyring (how to ensure it didn't get
> manipulated).
Distributing the keyring itself signed is how Debian does it IIRC.

> > There's a chicken & egg problem with most signing. You need to
> > communicate the valid keys out of band from the actual repo.
> > Maybe the layman data is a good place for that, but until such a
> > location is figured out, you have zero security gain (if the 'correct'
> > keys are only listed in a file in the repo, any attacker just replaces
> > that when he puts his other content in).
> Of course. But security is always worth thinking about.
> First step: What are the possibilities to check the signatures? FAIL.
> In my case some (most?) of the users of my overlay should know my GPG
> key already. The web of trust works here. The drawback for possible
> other users would be a false sense of security.
That's why I say the gpg key should be in the layman data.
Overlays team, do you think this is reasonable?

> > There was a prototype keyserver at one point as well, and I can generate
> > new keyrings if needed based on the LDAP data.
> This could be okay for a first creation. Later I would prefer something
> like Debian does:
> http://keyring.debian.org/replacing_keys.html
> That way you would decouple the LDAP and the keyring and trust only the
> data, that is already in the keyring (somebody whose key is already in
> the keyring signing the request for a new key).
> See also: http://keyring.debian.org/
> Perhaps the prototype keyserver already did something like that.
The Debian model was discussed, and the main problem was finding enough
people to sign the keys near all of the devs, esp. if you require
meeting in person.

You need two factors to be able to change your GPG key on file anyway.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85



Thread overview: 9+ messages
2011-09-29 15:02 [gentoo-dev] Manifest signing Anthony G. Basile
2011-09-29 15:04 ` Tony "Chainsaw" Vroon
2011-09-29 15:09 ` Fabian Groffen
2011-09-29 19:08   ` [gentoo-dev] " Duncan
2011-09-29 19:36     ` Robin H. Johnson
2011-11-02 12:03 ` [gentoo-dev] " enno+gentoo
2011-11-02 16:11   ` Robin H. Johnson
2011-11-03 21:55     ` enno+gentoo
2011-11-03 23:09       ` Robin H. Johnson [this message]