On 04/08/2018 07:49 AM, Florian Pritz via aur-general wrote: > On 08.04.2018 05:01, Eli Schwartz via aur-general wrote: >> If you're really afraid of someone running as either your user, or some >> user with the power to hijack your SSH session, while you're trying to >> sign something, then they could just switch out your built files anyway. >> There's literally no solution there, except to build everything on your >> machine and not use soyuz at all. "clave" won't help either, because >> it's got the same fundamental problem of not actually being your trusted >> machine from beginning to end. > > Yes, the built files may not be trustworthy if an attacker is present, > but the potential scope of this is limited to our package files. > > The problem with agent forwarding is that people generally configure > their agent to cache passwords so they don't have to unlock their keys > all the time. With that in mind, an attacker can just request that the > agent signs something after the package has been signed and there won't > be any dialog popping up. That includes trust signatures on the > attacker's key or just messages to prove that they are someone else. > > Also people might have more than one key in their agent. If you have gpg > and ssh keys in there, the attacker can just connect to other machines > by using your forwarded agent's ssh key. Also, again there probably > won't be a prompt since the password is usually cached.
Right, like I said/implied the problem was ill-defined. It's a configuration issue, not a conceptual problem with gpg forwarding being fundamentally a violation of PGP trust. -- Eli Schwartz Bug Wrangler and Trusted User
Description: OpenPGP digital signature