Mailinglist Archive: opensuse-buildservice (266 mails)

Re: [opensuse-buildservice] obs-service-gpg-offline
Adrian Schröter wrote:
On Monday, 7 January 2013, 17:22:06, Stanislav Brabec wrote:
I wrote a simple service, which can automatically check PGP signatures
of files using gpg-offline .keyring file:
https://build.opensuse.org/package/show?package=obs-service-gpg-offline&project=home%3Asbrabec

It could be an alternative to %prep checks during the build process
using %gpg-offline macro.

This is a simple version and does not take any arguments. It checks
online for updates, but it does not fail if the signature is not found
in the public servers. Only failure of checks against embedded keyring
will fail. It would need further discussion, what to return if:

- Key server did not respond.
- The key is not found upstream.
- The key was revoked.

Hm, what does a key on a gpg server tell us anyway for the trust of it?
Everybody can upload it, and this person does not necessarily have a connection
to the upstream project.

I am aware of it. That is why the obs-service-gpg-offline only validates
signatures where package sources contain a trusted .keyring file.
Signatures are validated only against these keys; no other keys are
accepted. Additionally, the service validates that the contents of the
armored, human-unreadable section correspond to the human-readable
header of the specially formatted .keyring file.

Online access can only be used for revocation and expiration
prolongation. But I am not sure what to do in such a situation. A released
package cannot start to fail just because the signing key was revoked.
Now it just displays problems, but it returns 0 (OK).

IMHO we should collect validated gpg keys, where we know they are from
upstream, and put them either into some generic collection (for large
projects like kernel, KDE, apache ...)

Well, "we personally know the developer" is the ideal situation. But "we
don't know the developer, but releases are signed by this key for 10
years" is not bad as well.

Well, my first version of the tool used a generic collection of keys, but
Ludwig Nussel was against it:
http://lists.opensuse.org/opensuse-packaging/2012-09/msg00055.html
That is why the actual version uses per-package keyrings.

We should also support putting the gpg key beside the sources. In this way
we see if the key changes on a version update.

Yes, I already did it for ~50 packages in Factory, where packagers
already added signatures. These packages now contain a "trusted keyring"
with the key used by upstream to sign the last release.

I even found one bad signature. Hopefully it was not an attack - the
submission was made directly by the developer and he already fixed the
bad signature.

Doesn't it also make sense to extend the verify_source service for this
task instead of adding another one?

Yes, it is possible. This is just my first attempt. The packages in
Factory now use validation in %prep phase, which is not an optimal
solution.

But to close with something positive, thanks a lot for spending some work
here. IMHO the lacking validation of our sources is one of the biggest
problems trust-wise :)

You are welcome.

--
Best Regards / S pozdravem,

Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o.
Lihovarská 1060/12
190 00 Praha 9
Czech Republic
e-mail: sbrabec@xxxxxxx
tel: +49 911 7405384547
fax: +420 284 028 951
http://www.suse.cz/
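The verification policy discussed in this thread (signatures are checked only against the per-package trusted .keyring, a bad signature or a key missing from that keyring fails, and a revoked or expired key is reported but still returns 0), as an added Python example; it is not the obs-service-gpg-offline code. The gpg `--status-fd` tags are real gpg output; the file names and the status lines fed to `judge()` are constructed assumptions.

```python
import subprocess
from typing import List, Tuple

# Exit codes: missing key or bad signature fail the service; a revoked or
# expired key is only reported (returns 0), as the service currently does.
OK, FAIL = 0, 1


def gpg_verify_command(keyring: str, signature: str, tarball: str) -> List[str]:
    """Build a gpg call that consults *only* the package's .keyring:
    no default keyring, no automatic key retrieval from keyservers,
    and machine-readable status lines on stdout."""
    return ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
            "--keyserver-options", "no-auto-key-retrieve",
            "--status-fd", "1", "--verify", signature, tarball]


def judge(status_output: str) -> Tuple[int, str]:
    """Map gpg --status-fd lines to (exit code, message)."""
    verdict, msg = FAIL, "no signature status reported by gpg"
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        tag, arg = parts[1], parts[2] if len(parts) > 2 else "?"
        if tag == "GOODSIG":
            verdict, msg = OK, f"good signature by trusted key {arg}"
        elif tag == "BADSIG":
            return FAIL, f"BAD signature by key {arg}"
        elif tag == "NO_PUBKEY":
            return FAIL, f"signing key {arg} is not in the trusted .keyring"
        elif tag == "ERRSIG":
            verdict, msg = FAIL, f"signature by key {arg} could not be checked"
        elif tag in ("REVKEYSIG", "EXPKEYSIG"):
            state = "revoked" if tag == "REVKEYSIG" else "expired"
            # Reported, but does not fail an already released package.
            verdict, msg = OK, f"WARNING: signing key {arg} is {state}"
    return verdict, msg


def verify(keyring: str, signature: str, tarball: str) -> Tuple[int, str]:
    """Run gpg against the trusted keyring and judge its status output."""
    proc = subprocess.run(gpg_verify_command(keyring, signature, tarball),
                          capture_output=True, text=True)
    return judge(proc.stdout)


if __name__ == "__main__":
    code, message = verify("pkg.keyring", "pkg-1.0.tar.gz.sig", "pkg-1.0.tar.gz")
    print(message)
    raise SystemExit(code)
```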
