[RFC] gpg signed packages [Was: unofficial packages]

Lapo Luchini lapo@lapo.it
Wed Sep 25 06:18:00 GMT 2002 

>
>
>Lets start with setup.exe: Should we embed a key in it? 
>A: No. 
>We should not embed a key in it, because that forces all packages to be
>signed by one and only one matching key.
>
Or by any key that is directly (or indirectly) signed by that key...

>So, you say 'well, how do we get a list of keys that *can* sign
>packages?
>A: We provide a keyring in a package - and that keyring is signed. So
>you *know* that if someone is on that keyring, then (lets say Chris)
>trusts them as a package maintainer. Of course individual keys should be
>signed where possible :}.
>
Signing the keyring itself is good for a human, but it's difficult to 
"automate" the trust thing... if the keys IN the package had been signed 
by the "central key" (called maybe "Cygwin matainers signing key") then 
GPG could automatically check that these are "valid" keys.

>>But how much trust is "enough"?
>>    
>>
>Yes, this is the big one.
>
Knowing each person would be best of course, but I agree completely with 
you that "that's the person that created the last 10 packages, and all 
were good" may well be enough, at least for "some time" (with some "as 
short as possible" but maybe countedr in YEARS ^_^).

>I'm not against building a web of trust of cygwin developers, but I do
>think that it is a separate issue to getting signed packages in a sane
>fashion.
>
Yes.
That would open also "automatic upload of updates", which could be good, 
freeing Corinna and others from the tedious work.

>1) Every maintainer generates for themselves a gpg key.
>2) We list a set of tuples in a 'trusted' database somewhere:
>maintainer-pubkey-package
>3) A gpg signed version of this database is available for setup.exe to
>download, and referenced from (or perhaps is in) setup.ini.
>4) Setup validates that package signers are 
>  a) on the list
>  b) signing their own package.
>  Exceptions to a) result in LOUD warnings.
>  Exceptions to b) result in minor warnings.
>
Tat's OK but I would (slightly) change that to:
1) every mantainer has its own openpgp key
2) cygwin has a "implicitly trusted" key, whose private key is used by 
CGF, Corinna, or any "central cygwin trusted member"
3) the mantainer keys are signed by the key in 2, which should have a 
name which specifies that it's a sort of meta-key that gives no *BIG* 
trust in key, but WoT after all is this way: each one assigns "how much 
trust it needs" in signatures, and everyone else decides then to trust 
him or not.
4) setup validates package signers which used a key that is both in that 
keyring and is signed by the central key (or maybe indirectly signed, 
that's an option to consider but I don't thing it is needed)
a) and b) being the same

What do you think about it?

IMHO the "signed keyring" has the same "effect" but in fact once 
installed it has no "connection" with the central key any more, that way 
instead we could also put the key on keyservers (properly signed by CGF 
or Corinna etc. etc.).

>setup.exe has no encryption key bound to it. 
>
IMHO, once created, setup.exe should contain at least the fingerprint of 
the "central key" (that would otherways only be "one of the keys in the 
keyring") and, also important, some way to check its own MD5 at running 
time (though right now I have no simple idea how a program can contain 
its own MD5 unless he knows where it is stored and assumes that zeroes 
should be there for MD5 calculation).
This would be good for virus and simple unintended modifies.
Or better a detached signature by the central key, also easier to 
generate or check.

Lapo

BTW: OK, we're going on the paranoid side, but it's fun =)

BTW2: this doesn't specify "who must be trusted", right now the policy 
is "any e-mail that has created one 'good' package in the past" then it 
would be no problem in signing (with the central key) any suich a 
person, but of course any "added trust" in that person (e.g. its key is 
signed by a Debian mantainer, by Robert Collins, by Phil Zimmerman or 
anyone else =P) would be no bad, but not "required".

-- 
Lapo 'Raist' Luchini
lapo@lapo.it (PGP & X.509 keys available)
http://www.lapo.it (ICQ UIN: 529796)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3267 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://cygwin.com/pipermail/cygwin-apps/attachments/20020925/45feed92/attachment.bin>

More information about the Cygwin-apps mailing list