This is the mail archive of the cygwin-apps@cygwin.com mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [RFC] gpg signed packages [Was: unofficial packages]




Lets start with setup.exe: Should we embed a key in it? A: No. We should not embed a key in it, because that forces all packages to be
signed by one and only one matching key.

Or by any key that is directly (or indirectly) signed by that key...

So, you say 'well, how do we get a list of keys that *can* sign
packages?
A: We provide a keyring in a package - and that keyring is signed. So
you *know* that if someone is on that keyring, then (lets say Chris)
trusts them as a package maintainer. Of course individual keys should be
signed where possible :}.

Signing the keyring itself is good for a human, but it's difficult to "automate" the trust thing... if the keys IN the package had been signed by the "central key" (called maybe "Cygwin matainers signing key") then GPG could automatically check that these are "valid" keys.

But how much trust is "enough"?

Yes, this is the big one.

Knowing each person would be best of course, but I agree completely with you that "that's the person that created the last 10 packages, and all were good" may well be enough, at least for "some time" (with some "as short as possible" but maybe countedr in YEARS ^_^).

I'm not against building a web of trust of cygwin developers, but I do
think that it is a separate issue to getting signed packages in a sane
fashion.

Yes.
That would open also "automatic upload of updates", which could be good, freeing Corinna and others from the tedious work.

1) Every maintainer generates for themselves a gpg key.
2) We list a set of tuples in a 'trusted' database somewhere:
maintainer-pubkey-package
3) A gpg signed version of this database is available for setup.exe to
download, and referenced from (or perhaps is in) setup.ini.
4) Setup validates that package signers are a) on the list
b) signing their own package.
Exceptions to a) result in LOUD warnings.
Exceptions to b) result in minor warnings.

Tat's OK but I would (slightly) change that to:
1) every mantainer has its own openpgp key
2) cygwin has a "implicitly trusted" key, whose private key is used by CGF, Corinna, or any "central cygwin trusted member"
3) the mantainer keys are signed by the key in 2, which should have a name which specifies that it's a sort of meta-key that gives no *BIG* trust in key, but WoT after all is this way: each one assigns "how much trust it needs" in signatures, and everyone else decides then to trust him or not.
4) setup validates package signers which used a key that is both in that keyring and is signed by the central key (or maybe indirectly signed, that's an option to consider but I don't thing it is needed)
a) and b) being the same

What do you think about it?

IMHO the "signed keyring" has the same "effect" but in fact once installed it has no "connection" with the central key any more, that way instead we could also put the key on keyservers (properly signed by CGF or Corinna etc. etc.).

setup.exe has no encryption key bound to it.
IMHO, once created, setup.exe should contain at least the fingerprint of the "central key" (that would otherways only be "one of the keys in the keyring") and, also important, some way to check its own MD5 at running time (though right now I have no simple idea how a program can contain its own MD5 unless he knows where it is stored and assumes that zeroes should be there for MD5 calculation).
This would be good for virus and simple unintended modifies.
Or better a detached signature by the central key, also easier to generate or check.

Lapo

BTW: OK, we're going on the paranoid side, but it's fun =)

BTW2: this doesn't specify "who must be trusted", right now the policy is "any e-mail that has created one 'good' package in the past" then it would be no problem in signing (with the central key) any suich a person, but of course any "added trust" in that person (e.g. its key is signed by a Debian mantainer, by Robert Collins, by Phil Zimmerman or anyone else =P) would be no bad, but not "required".

--
Lapo 'Raist' Luchini
lapo@lapo.it (PGP & X.509 keys available)
http://www.lapo.it (ICQ UIN: 529796)

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]