On Mon, Apr 29, 2013 at 1:31 PM, Dennis E. Hamilton <[email protected]> wrote:
> Off-hand, I can't imagine how your public key is useful to a code-signing
> plug-in.
>
> I can confirm that the instructions for import of the KEYS certificates into
> GPG do work.
>
> My understanding is that KEYS is useful for someone who wants to verify the
> signatures on releases. In general, it is preferable for the public keys (or
> at least the fingerprint) to be obtained from an independent, secure location
> that is uniquely associated with the committer whose PGP public key is
> sought.
>

That might be true if the public key was by itself. In that case you would
only be able to tell that the signature was from someone who claims to be
Florian, but you would not know whether he really was. But the GPG approach is
based on a "web of trust" model. If I can confirm that your key is actually
from you and you can convince me that you are who you claim to be, then I can
sign your key with my key. I post that info to a public keyserver, and someone
else can verify this info. And my key is then signed by someone else, etc. So
we have a web of people asserting their trust of a given key.

So in the end it doesn't matter where the key is actually retrieved from. It
could be on my website, in SVN, wherever. You only trust it if you have direct
knowledge of its validity, or you trust someone who has this knowledge,
directly or via someone they directly trust.

-Rob

> The files at <https://people.apache.org/keys/committer/> qualify, since the
> retrieved public keys are based on a fingerprint that requires access to your
> Apache Committer account to establish. The keys folder is kept secure by ASF
> Infrastructure. Synchronization with public key servers is automated. Also,
> there is a file <https://people.apache.org/keys/group/> that has all public
> keys for an individual project (e.g., office.asc for all committers of Apache
> OpenOffice that have committer keys).
>
> - Dennis
>
> PS: It is not clear to me how the signatures are ever made available in
> conjunction with the distributed binaries and source tarballs. They may be
> more for internal reviews and assurance of release-candidate integrity.
> I notice that the download of Apache OpenOffice 3.4.1 has two hashes and
> an ASC digital signature file, but there is no indication of whose public key
> is needed in order to verify the signature [;<). The external signatures
> themselves are served from, e.g.,
> <http://www.apache.org/dist/incubator/ooo/files/stable/3.4.1/>, even when the
> various .tar.gz, .dmg, and .exe files are served from mirror sites. Note
> that the instructions (e.g.,
> <http://www.openoffice.org/download/checksums/3.4.1_checksums.html#howto>)
> instruct obtaining the complete set of committer keys in office.asc and then
> checking the separately-provided external signature with the
> separately-provided download.
> It appears that, besides the ceremonial satisfaction of creating these
> signatures, the threat model and usability with respect to delivery to
> end-users need to be revisited.
>
> -----Original Message-----
> From: Florian Hopf [mailto:[email protected]]
> Sent: Monday, April 29, 2013 01:08
> To: [email protected]
> Subject: Re: KEYS
>
> Hi,
>
> On 26.04.2013 18:34, Dennis E. Hamilton wrote:
>> I'm not sure why this is on odf/trunk. It may work better to only have your
>> Apache IDs and the PGP fingerprints in KEYS.
>
> I expected that this is in some way to be needed by the code signing
> plugin but I didn't really check.
>
>> Either way, it is valuable for you to provide your public keys at
>> <https://people.apache.org/keys/committer/>. Do this by logging onto
>> <https://id.apache.org/> and providing your key information. (You can have
>> multiple keys there.)
>>
>> The keys associated with your Apache account are automatically updated from
>> PGP public-key services. These are the ones that will have current
>> counter-signatures and for which revocation/expiration is presumably noticed.
>
> Thanks for the hint, I will update my information.
>
> Regards
> Florian
>
>> - Dennis
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]]
>> Sent: Friday, April 26, 2013 04:38
>> To: [email protected]
>> Subject: svn commit: r1476146 - /incubator/odf/trunk/KEYS
>>
>> Author: fhopf
>> Date: Fri Apr 26 11:37:38 2013
>> New Revision: 1476146
>>
>> URL: http://svn.apache.org/r1476146
>> Log:
>> added code signing key to KEYS
>>
>> Modified:
>> incubator/odf/trunk/KEYS
>>
>> Modified: incubator/odf/trunk/KEYS
>> URL:
>> http://svn.apache.org/viewvc/incubator/odf/trunk/KEYS?rev=1476146&r1=1476145&r2=1476146&view=diff
>> [ ... ]
>
> --
> Florian Hopf
> Freelance Software Developer
>
> http://blog.florian-hopf.de
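The web-of-trust rule Rob describes (a key counts as valid only through a chain of certifications leading back to your own key via introducers you trust, so it does not matter where the key file was downloaded from) worked through as an added example; this is not code from the thread, from GnuPG or from Apache. It uses GnuPG's default thresholds, and every key name, owner-trust value and certification in it is constructed sample data.

```python
"""GnuPG-style web-of-trust validity computation, added to illustrate the
argument in the thread above; not code from the thread, GnuPG or Apache.
Key names, owner-trust values and certifications are constructed sample data."""

# GnuPG defaults: 1 fully trusted or 3 marginally trusted introducers make a
# key valid; certification chains are followed at most 5 steps from my key.
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5


def compute_validity(certs, owner_trust, own_key):
    """certs: {key: set of keys that signed its user id}.
    owner_trust: {key: 'full'|'marginal'}, how far I trust that owner to check
    identities before signing. Returns {key: chain depth} for every key whose
    validity can be established from my own key (depth 0)."""
    valid = {own_key: 0}
    changed = True
    while changed:
        changed = False
        for key, signers in certs.items():
            if key in valid:
                continue
            # A certification counts only if the signer is valid, within the
            # depth limit, and someone I trust as an introducer.
            usable = [s for s in signers if s in valid and valid[s] < MAX_CERT_DEPTH]
            full = [s for s in usable if s == own_key or owner_trust.get(s) == "full"]
            marginal = [s for s in usable if owner_trust.get(s) == "marginal"]
            if len(full) >= COMPLETES_NEEDED or len(marginal) >= MARGINALS_NEEDED:
                valid[key] = 1 + min(valid[s] for s in full + marginal)
                changed = True
    return valid


# Constructed graph: I ("rob") checked Dennis's fingerprint in person and signed
# his key; Dennis certified Florian; three people I trust only marginally each
# certified Carol; "impostor-florian" claims the name but nobody I reach signed it.
CERTS = {
    "dennis": {"rob"}, "florian": {"dennis"},
    "alice": {"rob"}, "bob": {"rob"}, "chuck": {"rob"},
    "carol": {"alice", "bob", "chuck"},
    "impostor-florian": {"impostor-florian", "stranger"}, "stranger": {"stranger"},
}
OWNER_TRUST = {"dennis": "full", "alice": "marginal", "bob": "marginal", "chuck": "marginal"}


def key_is_valid(key, certs=CERTS, owner_trust=OWNER_TRUST, own_key="rob"):
    """True if a signature by `key` can be attributed to its claimed owner,
    no matter where (SVN, a web page, a keyserver) the key was fetched from."""
    return key in compute_validity(certs, owner_trust, own_key)
```

Dropping the three marginal introducers from OWNER_TRUST leaves Carol's key invalid even though each of them is itself valid: validity of a key and trust in its owner as an introducer are separate decisions.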
