> From: orc...@apache.org
> To: general@incubator.apache.org
> Subject: RE: Code signing and WOT for releases
> Date: Thu, 28 Jul 2016 10:05:05 -0700
>
> > -----Original Message-----
> > From: Martin Gainty [mailto:mgai...@hotmail.com]
> > Sent: Thursday, July 28, 2016 05:13
> > To: general@incubator.apache.org
> > Subject: RE: Code signing and WOT for releases
> >
> > 4) how to find a public key certificate matching the ID in the signature
> > and how to check that the private key is asserted to be in the
> > possession of the person controlling orc...@apache.org[orcmid] if you are
> > *not* using assertions how would this be accomplished?
> [orcmid]
> That's correct, there is no technical assertion mechanism in OpenPGP. I
> should not have used that term.

MG> apologies from my end but the build engineer in me wants to see if all
these steps can be automated

> What constitutes the equivalent of an *attestation* in WOT is the
> counter-signing of a public key by another. That is taken as an attestation
> that an identified individual claimed authority over the private key by
> virtue of the fingerprint, the User ID, and in-person confirmation of
> identification.
>
> In the case of controlling orcmid@ apache.org, the evidence is that the
> person having control of that account (Apache Committer ID orcmid) placed the
> fingerprint in his private account record and the system retrieved the key
> with that fingerprint and placed it at
> <http://people.apache.org/keys/committer/orcmid.asc>.

mg> these are covered by gpg plugin attributes for maven @
http://maven.apache.org/plugins/maven-gpg-plugin/sign-mojo.html

> That is retrieval from Internet key servers periodically and will reflect
> any counter-signing by others as well as any revocation.

mg> unfortunately in my builds CRL attestations are handled by JSSE code
(assuming a non-self-signed X509 cert does exist)

> There's more to be said about that particular certificate, and other
> attestations that apply to it, but we can stop here unless you are curious
> about that.
MG> yes I would

> - Dennis

MG> Thanks Dennis,
MG> Martin

> > ______________________________________________
> >
> > > From: dennis.hamil...@acm.org
> > > To: general@incubator.apache.org
> > > Subject: RE: Code signing and WOT for releases
> > > Date: Wed, 27 Jul 2016 10:01:59 -0700
> > >
> > > > -----Original Message-----
> > > > From: Martin Gainty [mailto:mgai...@hotmail.com]
> > > > Sent: Wednesday, July 27, 2016 08:06
> > > > To: general@incubator.apache.org
> > > > Subject: RE: Code signing and WOT for releases
> > > >
> > > > > From: dennis.hamil...@acm.org
> > > > > To: general@incubator.apache.org
> > > > > Subject: RE: Code signing and WOT for releases
> > > > > Date: Tue, 26 Jul 2016 10:33:13 -0700
> > > > >
> > > > > [ ... ]
> > > > >
> > > > > Yesterday, I received an email from one of the users who
> > > > > received a security advisory message that I signed. The user's mail
> > > > > reader reported that the signature was untrusted (no surprise) and that
> > > > > the signature was BAD. Since the mail reader shows the stripped
> > > > > message, and it looks perfectly fine, there is no way to help analyze
> > > > > that from my end.
> > > > >
> > > > > What I did do was (1) verify the message that was sent to me from the
> > > > > list and (2) verify the message in the list archive. I then (3) advised
> > > > > the recipient what I did and also (4) how to find a public key
> > > > > certificate matching the ID in the signature and how to check that the
> > > > > private key is asserted to be in the possession of the person
> > > > > controlling orc...@apache.org and how the individual having control of
> > > > > that email address is associated with the ASF.
> > > >
> > > > MG> can we assume the key was converted to PKCS8 before asserting the
> > > > key?
> > > > http://stackoverflow.com/questions/5230942/how-to-read-a-private-key-for-use-with-opensaml
> > > >
> > > > MG> and then built new SignatureBuilder().buildObject() Signature with
> > > > key locations before assigning assertion.setSignature(___)?
> > > > http://www.programcreek.com/java-api-examples/index.php?api=org.opensaml.xml.signature.Signature
> > > >
> > > > MG> /thanks dennis/
> > > [orcmid]
> > >
> > > This signing had nothing to do with MIME-signatures or SSL. It is a
> > > plaintext message that has a "clearsign" OpenPGP signed section in-line
> > > in the message body. (The signed part was created first and then pasted
> > > into the plaintext email.) You can see the archived form at
> > > <http://mail-archives.apache.org/mod_mbox/openoffice-announce/201607.mbox/browser>
> > > where it is the only message there. At the bottom of the HTML-formatted
> > > display of the message, select the "Unnamed text/plain" link to see a
> > > cleaner plaintext.
> > >
> > > This is not unlike the .asc files that can be made as external PGP
> > > signatures of code, except it is inline instead of external to the file
> > > being signed.
> > >
> > > > > (I made another check of the archived message too. The raw form of
> > > > > the message fails to verify when downloaded and that appears to be on
> > > > > account of some encoding features that have to be processed properly for
> > > > > the original text to be reconstituted properly. That might or might not
> > > > > be relevant to how that recipient's email reader handles PGP
> > > > > signatures.)
> > > [orcmid]
> > >
> > > (If you look at the raw version on the archive, you will see a pile of
> > > =20 line endings that make the raw form unverifiable. And because the
> > > signature block has a line ending in =, there is an appended raw "3D"
> > > that breaks the whole thing.
> > > A client that does not restore the plaintext before checking the
> > > signature will claim that the signature is "BAD".)
> > >
> > > PS: I sent the same message to a colleague who has a PGP-aware email
> > > client, and the message verified automatically and was presented without
> > > the boundaries and the signature block. Instead, there was a marker
> > > that indicated the part of the message that was signed. So it would
> > > appear that the person who reported to me encountered an
> > > interoperability failure.
> > >
> > > [ ... ]
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> > > For additional commands, e-mail: general-h...@incubator.apache.org
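The failure mode Dennis describes in the quoted message (the raw archived copy carrying "=20" line endings and a stray "3D" after the "=" in the signature block, so that a client which does not restore the plaintext reports a BAD signature) is quoted-printable transfer encoding that was never decoded. The following Python example is added here and is not code from the thread or from Apache; the sample message, the placeholder signature armor and the function names are constructed for illustration. It canonicalises a cleartext-signed message the way the OpenPGP cleartext signature framework (RFC 4880, section 7) specifies, transfer-encodes it with the standard library's quopri module to reproduce the archive artefacts, and shows that the digest over the signed text only matches the original when the encoding is undone first. The signature packet itself is not verified (the standard library has no OpenPGP implementation); the restored text is what would then be handed to gpg --verify together with the committer key fetched from the people.apache.org URL quoted above.

```python
import hashlib
import quopri

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample, not the advisory from the thread. The armor body is a
# placeholder rather than a real signature, so only the text-canonicalisation
# step is exercised. The sample deliberately has a line with trailing spaces
# and an armor line ending in "=", the two features the thread blames for the
# "BAD" result once the message has been quoted-printable encoded.
SAMPLE = "\n".join([
    BEGIN_SIGNED,
    "Hash: SHA256",
    "",
    "Apache OpenOffice security advisory (constructed sample).   ",
    "- -- this line was dash-escaped because the original began with '-'",
    "Affected: every release before the fix.",
    BEGIN_SIG,
    "",
    "iQEcBAEBCAAGBQJXl3h3AAoJEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
    "=AbCd",
    END_SIG,
]) + "\n"


def cleartext_payload(message: str):
    """Split a cleartext-signed message into (canonical_text, armor_block).

    Canonicalisation follows RFC 4880 section 7: the signed text runs from the
    blank line after the "Hash:" header(s) up to the armor; "- " dash-escaping
    is removed, trailing spaces and tabs are stripped from every line, lines
    are joined with CRLF, and the line break just before the armor is not part
    of the signed text.
    """
    lines = message.splitlines()
    if BEGIN_SIGNED not in lines or BEGIN_SIG not in lines or END_SIG not in lines:
        raise ValueError("not an OpenPGP cleartext-signed message")
    start = lines.index(BEGIN_SIGNED)
    sig = lines.index(BEGIN_SIG)
    end = lines.index(END_SIG)
    body = start + 1
    while body < sig and lines[body] != "":   # skip the "Hash:" header lines
        body += 1
    body += 1                                  # skip the blank separator line
    canon = []
    for line in lines[body:sig]:
        if line.startswith("- "):
            line = line[2:]
        canon.append(line.rstrip(" \t"))
    armor = "\n".join(lines[sig:end + 1]) + "\n"
    return "\r\n".join(canon), armor


def signed_text_digest(message: str) -> str:
    """SHA-256 of the canonical signed text, the first input an OpenPGP
    verifier hashes. A real check also hashes the signature's trailer and then
    verifies the signature packet; neither is parsed in this example."""
    text, _armor = cleartext_payload(message)
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def archived_form(message: str) -> bytes:
    """Quoted-printable transfer encoding, as a mail transport or archive may
    apply to a text/plain part. Trailing whitespace becomes "=20" and every
    "=" becomes "=3D": the debris seen in the raw archive copy."""
    return quopri.encodestring(message.encode("utf-8"))


def restore_plaintext(raw: bytes) -> str:
    """Undo the transfer encoding before handing the text to the signature
    check (e.g. gpg --verify). This is the step the failing client skipped."""
    return quopri.decodestring(raw).decode("utf-8")


def verify_view(raw: bytes):
    """Digests that a naive client (hashing the raw bytes as-is) and a correct
    client (decoding the transfer encoding first) would compute."""
    naive = signed_text_digest(raw.decode("utf-8"))
    proper = signed_text_digest(restore_plaintext(raw))
    return naive, proper


if __name__ == "__main__":
    raw = archived_form(SAMPLE)
    print(raw.decode("ascii"))
    naive, proper = verify_view(raw)
    print("naive client digest :", naive)
    print("decoded text digest :", proper)
    print("matches original    :", proper == signed_text_digest(SAMPLE))
```

Running the block prints the encoded form, in which the armor line ending in "=" has become "=3D" and the trailing spaces "=20", followed by the two digests. The naive digest differs because the RFC 4880 rule that strips trailing whitespace before hashing never gets to see the spaces: the encoder has already replaced them with the literal characters "=20", which survive canonicalisation and change the hashed text.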