[RFC] gpg signed packages [Was: unofficial packages]
Lapo Luchini
lapo@lapo.it
Wed Sep 25 06:18:00 GMT 2002
>
>
>Lets start with setup.exe: Should we embed a key in it?
>A: No.
>We should not embed a key in it, because that forces all packages to be
>signed by one and only one matching key.
>
Or by any key that is directly (or indirectly) signed by that key...
>So, you say 'well, how do we get a list of keys that *can* sign
>packages?
>A: We provide a keyring in a package - and that keyring is signed. So
>you *know* that if someone is on that keyring, then (lets say Chris)
>trusts them as a package maintainer. Of course individual keys should be
>signed where possible :}.
>
Signing the keyring itself is good for a human, but it's difficult to
"automate" the trust thing... if the keys IN the package had been signed
by the "central key" (called maybe "Cygwin matainers signing key") then
GPG could automatically check that these are "valid" keys.
>>But how much trust is "enough"?
>>
>>
>Yes, this is the big one.
>
Knowing each person would be best of course, but I agree completely with
you that "that's the person that created the last 10 packages, and all
were good" may well be enough, at least for "some time" (with some "as
short as possible" but maybe countedr in YEARS ^_^).
>I'm not against building a web of trust of cygwin developers, but I do
>think that it is a separate issue to getting signed packages in a sane
>fashion.
>
Yes.
That would open also "automatic upload of updates", which could be good,
freeing Corinna and others from the tedious work.
>1) Every maintainer generates for themselves a gpg key.
>2) We list a set of tuples in a 'trusted' database somewhere:
>maintainer-pubkey-package
>3) A gpg signed version of this database is available for setup.exe to
>download, and referenced from (or perhaps is in) setup.ini.
>4) Setup validates that package signers are
> a) on the list
> b) signing their own package.
> Exceptions to a) result in LOUD warnings.
> Exceptions to b) result in minor warnings.
>
Tat's OK but I would (slightly) change that to:
1) every mantainer has its own openpgp key
2) cygwin has a "implicitly trusted" key, whose private key is used by
CGF, Corinna, or any "central cygwin trusted member"
3) the mantainer keys are signed by the key in 2, which should have a
name which specifies that it's a sort of meta-key that gives no *BIG*
trust in key, but WoT after all is this way: each one assigns "how much
trust it needs" in signatures, and everyone else decides then to trust
him or not.
4) setup validates package signers which used a key that is both in that
keyring and is signed by the central key (or maybe indirectly signed,
that's an option to consider but I don't thing it is needed)
a) and b) being the same
What do you think about it?
IMHO the "signed keyring" has the same "effect" but in fact once
installed it has no "connection" with the central key any more, that way
instead we could also put the key on keyservers (properly signed by CGF
or Corinna etc. etc.).
>setup.exe has no encryption key bound to it.
>
IMHO, once created, setup.exe should contain at least the fingerprint of
the "central key" (that would otherways only be "one of the keys in the
keyring") and, also important, some way to check its own MD5 at running
time (though right now I have no simple idea how a program can contain
its own MD5 unless he knows where it is stored and assumes that zeroes
should be there for MD5 calculation).
This would be good for virus and simple unintended modifies.
Or better a detached signature by the central key, also easier to
generate or check.
Lapo
BTW: OK, we're going on the paranoid side, but it's fun =)
BTW2: this doesn't specify "who must be trusted", right now the policy
is "any e-mail that has created one 'good' package in the past" then it
would be no problem in signing (with the central key) any suich a
person, but of course any "added trust" in that person (e.g. its key is
signed by a Debian mantainer, by Robert Collins, by Phil Zimmerman or
anyone else =P) would be no bad, but not "required".
--
Lapo 'Raist' Luchini
lapo@lapo.it (PGP & X.509 keys available)
http://www.lapo.it (ICQ UIN: 529796)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3267 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://cygwin.com/pipermail/cygwin-apps/attachments/20020925/45feed92/attachment.bin>
More information about the Cygwin-apps
mailing list