[opensuse-packaging] [RFC] gpg-upstream-keys: Build time source GPG signature verification
Hallo.

I wrote a simple tool that provides build time GPG signature verification. It could remove the need for tarball contents verification while still being safe. Submit reviewers will just review changes in the spec files and patches, and especially verify that the GPG verification command is not removed without rationale.

How it is done:

The gpg-upstream-keys package collects signatures valid for verification of particular packages' sources:

gpg-upstream-key-*.key: Contains approved signing keys.
gpg-upstream-keys.packages: Defines the mapping package -> signing keys

There is a tool for simple key extraction and verification and a macro for simple integration into spec files.

Prepare a new signing key before first use:

gpg-upstream-keys-tool --verbose [--package=PACKAGE] --prepare ID

It will tell you how to edit gpg-upstream-keys.packages and gpg-upstream-keys.spec.

Usage in packages would be straightforward:

BuildRequires: gpg-upstream-keys

%prep
%gpg_verify %{S:1}
%setup -q

Note: %{S:1} is the signature, not the tarball.

Here is a proof of concept and two upstream-signed packages:
https://build.opensuse.org/project/show?project=home%3Asbrabec%3Abranches%3A...

A simple man page is added.

Comments are welcome.

Proposed policy:

Package updates will be straightforward, as long as the same signing key is used.
Reviewers should pay special attention to submits that contain "-%gpg_verify" in the changes log.
Any addition to gpg-upstream-keys should be carefully verified.
Any change in gpg-upstream-keys would need to be double-verified.

Problems:

How to solve key expiration? Probably accept expired keys to prevent unexpected future failures.

How to solve key expiration extension? Probably provide a way to re-import keys by a trusted user.

How to solve key revocation? Probably extend the tool to not accept revoked keys. But later it is a complicated task.
Not only would the keys package need an update, but also all packages that contain revoked signatures would need an update, otherwise the build fails. On the other hand, keeping the key in the ring is a security risk: the previous version signature before revocation time may be OK, but the next version may be malicious. (And GPG does not implement trusted time stamps.)

I did not find a way to prevent the following warning:

gpg: WARNING: Using untrusted key!

(I do not want to use the web of trust, but instead fully trust all keys in the locally stored read-only keyring.)

--
Best Regards / S pozdravem,

Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o.                e-mail: sbrabec@suse.cz
Lihovarská 1060/12                  tel: +49 911 7405384547
190 00 Praha 9                      fax: +420 284 028 951
Czech Republic                      http://www.suse.cz/
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org
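As an added example, not part of Stanislav's tool or of this mail: the verdict logic a %gpg_verify-style macro could apply to gpg's machine-readable --status-fd output, checking the signing key's fingerprint against a per-package allowlist (the role gpg-upstream-keys.packages plays) rather than trusting the exit status alone, and refusing revoked keys while optionally tolerating expired ones as the proposal suggests. The gpg_verify wrapper uses gpg's --trust-model always, which skips web-of-trust validity checks for keys in the supplied keyring; the function names, fingerprints and status lines below are constructed for illustration.

```python
import subprocess

# gpg --status-fd tokens (GnuPG doc/DETAILS) that must always fail the build:
# bad or unverifiable signature, unknown key, or a key revoked by its owner.
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG"}


def decide(status_lines, allowed_fprs, accept_expired=True):
    """Return (ok, reason). allowed_fprs holds the fingerprints approved for
    this package (the role gpg-upstream-keys.packages plays). Expired keys
    pass by default, as the proposal suggests; revoked keys never do."""
    seen = set()
    for line in status_lines:
        tok = line.split()
        if len(tok) < 2 or tok[0] != "[GNUPG:]":
            continue
        if tok[1] in FATAL:
            return False, tok[1]
        if tok[1] == "EXPKEYSIG" and not accept_expired:
            return False, "EXPKEYSIG"
        if tok[1] == "VALIDSIG":
            seen.add(tok[2].upper())        # fingerprint of the signing key
            if len(tok) > 11:
                seen.add(tok[11].upper())   # primary key fingerprint
    if not seen:
        return False, "NO_VALIDSIG"
    if seen.isdisjoint(f.upper() for f in allowed_fprs):
        return False, "KEY_NOT_APPROVED"
    return True, "VALIDSIG"


def gpg_verify(signature, tarball, keyring, allowed_fprs, accept_expired=True):
    """Verify tarball against a detached signature using only `keyring`
    (absolute path) and apply decide() to the machine-readable status.
    --trust-model always skips web-of-trust validity checks, so the
    fingerprint allowlist alone decides which keys may sign this package."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--no-default-keyring", "--keyring",
         keyring, "--trust-model", "always", "--status-fd", "1",
         "--verify", signature, tarball],
        capture_output=True, text=True, check=False)
    return decide(proc.stdout.splitlines(), allowed_fprs, accept_expired)


# Constructed sample status output; the fingerprints are made up.
SAMPLE_OK = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 5556666777788889999 Example Upstream <up@example.org>",
    "[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2012-09-06 "
    "1346920000 0 4 0 1 2 00 0000111122223333444455556666777788889999",
]
APPROVED = {"0000111122223333444455556666777788889999"}
```

A keyring containing extra keys does not widen what a package accepts, because only fingerprints listed for that package pass the allowlist check.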
Stanislav Brabec wrote:
> I wrote a simple tool that provides build time GPG signature verification. It could remove the need for tarball contents verification while still being safe. Submit reviewers will just review changes in the spec files and patches, and especially verify that the GPG verification command is not removed without rationale.
> [...]
IIUC there's a central "database" of known keys in a package. That makes it harder to introduce new packages or to use the same mechanism for 3rd party packages, I think. So it might be better to store the known keys in the packages themselves. Reviewers just have to make sure that the known keys are not changed.
> Usage in packages would be straightforward:
>
> BuildRequires: gpg-upstream-keys
>
> %prep
> %gpg_verify %{S:1}
> %setup -q
I wonder whether this could be integrated in rpm directly. Something like

Keys: keys.asc
Source0: http://www.foo.bar/%name-%version.tar.bz2
Signature0: http://www.foo.bar/%name-%version.tar.bz2.asc

Then rpm (or the download_url service) could check the signatures automatically.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
On Thu, Sep 06, 2012 at 11:24:38AM +0200, Ludwig Nussel wrote:
> I wonder whether this could be integrated in rpm directly. Something like
>
> Keys: keys.asc
> Source0: http://www.foo.bar/%name-%version.tar.bz2
> Signature0: http://www.foo.bar/%name-%version.tar.bz2.asc
>
> Then rpm (or the download_url service) could check the signatures automatically.
Signatures in the spec files (be it gpg signatures or checksums) were discussed on the rpm list some years ago, but nothing happened. Maybe it's time to start that discussion again.

Cheers,
  Michael.

--
Michael Schroeder                                   mls@suse.de
SUSE LINUX Products GmbH,  GF Jeff Hawn, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
On Thu, Sep 06, 2012 at 11:28:17AM +0200, Michael Schroeder wrote:
> On Thu, Sep 06, 2012 at 11:24:38AM +0200, Ludwig Nussel wrote:
>> I wonder whether this could be integrated in rpm directly. Something like
>>
>> Keys: keys.asc
>> Source0: http://www.foo.bar/%name-%version.tar.bz2
>> Signature0: http://www.foo.bar/%name-%version.tar.bz2.asc
>>
>> Then rpm (or the download_url service) could check the signatures automatically.
>
> Signatures in the spec files (be it gpg signatures or checksums) were discussed on the rpm list some years ago, but nothing happened. Maybe it's time to start that discussion again.
Hallo,

thanks for the feedback. I think Ludwig's idea is more flexible than ours. And having it in upstream is awesome - on the other hand we should not wait for upstream, and should accept our own macro-based approach before this is done in upstream. The change to the upstream approach will be trivial then.

Ludwig wants to meet at the openSUSE conference to discuss it. I asked Michal Hrusecky and there are free Ad-Hoc rooms on Monday and Tuesday. Unfortunately the schedule is still not public, so we need to wait until it is public to find a reasonable time for everyone.

Regards
Michal Vyskocil
Michal Vyskocil wrote on Fri 07. 09. 2012 at 09:06 +0200:
> On Thu, Sep 06, 2012 at 11:28:17AM +0200, Michael Schroeder wrote:
>> On Thu, Sep 06, 2012 at 11:24:38AM +0200, Ludwig Nussel wrote:
>>> I wonder whether this could be integrated in rpm directly. Something like
>>>
>>> Keys: keys.asc
>>> Source0: http://www.foo.bar/%name-%version.tar.bz2
>>> Signature0: http://www.foo.bar/%name-%version.tar.bz2.asc
>>>
>>> Then rpm (or the download_url service) could check the signatures automatically.
>>
>> Signatures in the spec files (be it gpg signatures or checksums) were discussed on the rpm list some years ago, but nothing happened. Maybe it's time to start that discussion again.
>
> thanks for the feedback. I think Ludwig's idea is more flexible than ours. And having it in upstream is awesome - on the other hand we should not wait for upstream, and should accept our own macro-based approach before this is done in upstream. The change to the upstream approach will be trivial then.
Here is a new version that moves keyrings from the central repository to the particular package sources.

https://build.opensuse.org/project/packages?project=home%3Asbrabec%3Abranche...

The keyring is a standard armored GPG keyring with a human readable header. A new --review command allows checking that the human readable contents correspond to the blob.

TODO:
- The same as the old version, plus
- Check that keys in the keyring correspond to keys on public key servers
- Probably rename the package and/or the tool (gpg-upstream-key-tool or gpg-upstream-build-tool or gpg-packaging-tool).
- Does it make sense to add a "#!/usr/bin/gpg-upstream-keys-tool --review" header to keyrings (or a non-executable descriptive header)?

--
Best Regards / S pozdravem,

Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o.                e-mail: sbrabec@suse.cz
Lihovarská 1060/12                  tel: +49 911 7405384547
190 00 Praha 9                      fax: +420 284 028 951
Czech Republic                      http://www.suse.cz/