On 04/08/2018 07:49 AM, Florian Pritz via aur-general wrote:
> On 08.04.2018 05:01, Eli Schwartz via aur-general wrote:
>> If you're really afraid of someone running as either your user, or some
>> user with the power to hijack your SSH session, while you're trying to
>> sign something, then they could just switch out your built files anyway.
>> There's literally no solution there, except to build everything on your
>> machine and not use soyuz at all. "clave" won't help either, because
>> it's got the same fundamental problem of not actually being your trusted
>> machine from beginning to end.
> Yes, the built files may not be trustworthy if an attacker is present,
> but the potential scope of this is limited to our package files.
> The problem with agent forwarding is that people generally configure
> their agent to cache passwords so they don't have to unlock their keys
> all the time. With that in mind, an attacker can just request that the
> agent signs something after the package has been signed and there won't
> be any dialog popping up. That includes trust signatures on the
> attacker's key or just messages to prove that they are someone else.
> Also people might have more than one key in their agent. If you have gpg
> and ssh keys in there, the attacker can just connect to other machines
> by using your forwarded agent's ssh key. Also, again there probably
> won't be a prompt since the password is usually cached.

Right, like I said/implied the problem was ill-defined. It's a
configuration issue, not a conceptual problem with gpg forwarding being
fundamentally a violation of PGP trust.

Eli Schwartz
Bug Wrangler and Trusted User

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to