On 04/07/2018 07:55 AM, Levente Polyak via aur-general wrote:
> On April 7, 2018 8:23:08 AM GMT+02:00, Pierre Neidhardt via aur-general 
> <aur-general@archlinux.org> wrote:
>>
>> To perform the complete operation on soyuz, we need to forward the
>> gpg-socket (and the SSH socket if different) to soyuz, which defeats
>> the PGP
>> / Web of Trust security model: for a person with root access to soyuz,
>> the private key is only one passphrase away.
>>
>> Thoughts?
>>
> 
> Yes, truly defeats it. I explicitly do not recommend forwarding it to the 
> build server.
> For not doing that, you will most likely need to download the final artifacts 
> for signing. If I recall correctly we had a discussion on that topic with 
> Bluewind, jelle and grazzolini and someone wanted to rephrase the section 
> with better recommendations.
> 
> Cheers,
> Levente 

I don't understand how it "defeats the PGP/Web of Trust model", if there
is no way to get the key itself, and an attacker can only generate
signatures, during a limited window of opportunity, *if* they can forge
a valid request to *your* computer.

I'm not sure how even the passphrase helps, not that an attacker should
be able to exploit that in said limited window of opportunity... because
from what I've seen of using the gpg-agent-extra forwarding, it tries to
ask your gpg-agent for a signature, and then gpg-agent itself spawns the
pinentry dialog *on your computer*.

The only vulnerability I could see is if you have no passphrase
(gpg-agent-extra IMHO should be smart enough to still ask yes/no for
remote access) or you type in your password in a situation where it is
the attacker's request, not your own. (But if you don't remember asking
for it, why do you type your passphrase in? Or alternatively, why is
failure to end up with a signature for what you wanted, not itself a red
flag?) But I think the main issue with gpg forwarding was supposed to be
losing your key to attacks which are not necessarily simultaneous with
your SSH session...

If you're really afraid of someone running as either your user, or some
user with the power to hijack your SSH session, while you're trying to
sign something, then they could just switch out your built files anyway.
There's literally no solution there, except to build everything on your
machine and not use soyuz at all. "clave" won't help either, because
it's got the same fundamental problem of not actually being your trusted
machine from beginning to end.

-- 
Eli Schwartz
Bug Wrangler and Trusted User

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to