Simon Wilkinson wrote:
I think that regardless of whether or not you protect the signing key,
you're trusting that the build host hasn't been compromised. If it
has, an adversary could do anything to your rpm _before_ it gets
signed by a protected key (or 100 other ways someone who has
compromised the host can defeat the signing process).
Indeed. That was my point. None of the other mechanisms for signing
(attended keys, organisational keys ...) actually give you any more
assurance about RPM integrity than a random key that resides on the disk
of the build machine and says "Machine X built this RPM".
I would disagree. If I see an RPM signed with "The One True Simon
Wilkinson Key", as opposed to "Machine X" key, I would infer that to the
extent I know Simon (he's written some good code, and he talks pretty
good to a room full of people), I would guess he hasn't hacked back
doors into the openafs RPMs he's signed, and that he hasn't allowed his
build host to be compromised, etc. Likewise "The One True Openafs.org
Key." Not so "Machine X" key. A signing key is the "Quality assurance"
stamp of its owner. To me, it puts the reputation of the owner on the
line for whatever it signs.
I think the question here is, who is taking responsibility for the
RPMs? If these are Simon Wilkinson RPMs, then I think it's fine for
them to be signed by Simon. If openafs.org is asserting that the RPMs
are somehow blessed by the organization (which I think is implied by
the current structure, but may not be intended), they should carry an
openafs.org signature. Choosing who signs the RPMs could make these
relationships clearer.
I don't think that the GPG key conveys anything with regards to these
relationships. In fact, it may well just serve to muddy the water. What
happens if we make the decision that the builder signs the RPM (after
all, the builder is the only one who can actually vouch for the RPMs
contents - be that a person, or an automated process) The signature has
no bearing on the "official", or not, nature of the package. Ultimately,
the place you get the RPMs from is probably the key signifier of their
status - especially for users for whom GPG keys and webs of trust are a
black art.
IMO, by signing an RPM, a person or organization is vouching for the
contents of the RPM. If all you want is to be able to verify that an
RPM hasn't become corrupt is transit, then a "Machine X" key is
appropriate. Just don't make people download too many of them.
And, yes, lots of folks may overestimate what you're getting by
verifying the signature of an RPM key. (Maybe you think I'm one of them
(smile) That's OK too).
Dave
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
