[opensuse-factory] build time verification of GPG signatures
Hi.

As discussed in the past[1], Factory now has a gpg-offline package, a
wrapper on top of gnupg that allows simple build-time offline
verification of GPG signatures. It makes it possible to verify tarballs
at build time.

The use of gpg-offline in spec files is really simple:
https://build.opensuse.org/package/view_file?expand=1&file=gpg-offline.PACKAGING.HOWTO&package=gpg-offline&project=Base%3ASystem

The package also contains a man page.

The first step is very security-sensitive: you define your package
keyring, a list of trusted keys that can be used by the upstream to
sign the source of your package. Check carefully that you are not adding
malicious keys there.

Be paranoid! The gpg_verify tool is able to detect hacked source on the
upstream servers (and such a bad thing has really already happened[2]!),
but it is not able to detect a maliciously uploaded false signature on
the key servers.

If the upstream author is in your web of trust, you are on the safe side.
But if he/she is not in your web of trust, you have to use alternative
ways to trust the key:
- If you can mail the author and verify the key, it is very probably
an authorized signature.
- If the signing key is the same as the one used a year ago, it is
probably an authorized signature.
- If the signing key was used on the mailing list many times to sign
developer mails, or at least it was announced there, it is probably an
authorized signature.
- If you can find the public key or fingerprint on more servers at
different hostings, it is probably an authorized signature.

I just implemented signature verification for all packages that already
contained a signature and/or trusted keyring. But I did not verify that
the signature submitted by packagers is the signature of the real author.

Feedback, feature requests and bug reports are welcome.

[1] http://lists.opensuse.org/opensuse-packaging/2012-09/msg00029.html
[2] http://scarybeastsecurity.blogspot.cz/2011/07/alert-vsftpd-download-backdoored.html

There is still one FIXME: if anybody knows how to use the trust model "all
keys in the local keyring are trusted" without "gpg: WARNING: Using
untrusted key!", please advise.

--
Best Regards / S pozdravem,

Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o. e-mail: sbrabec@xxxxxxx
Lihovarská 1060/12 tel: +49 911 7405384547
190 00 Praha 9 fax: +420 284 028 951
Czech Republic http://www.suse.cz/
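An added example, not part of the mail or of gpg-offline itself: the gpg invocation that such build-time offline verification reduces to, run against a throwaway key and a constructed tarball (the function names, the demo key and the file names are this example's own assumptions). Its `--trust-model always` flag is also what silences the "Using untrusted key" warning the FIXME asks about.

```shell
# Added example, not gpg-offline's own code: the gpg call that offline
# build-time verification boils down to, exercised against a throwaway key.

# Verify SIGFILE over TARBALL using only the keys in KEYRING. Flags:
# --no-default-keyring/--keyring: only the package keyring counts, never the
#   builder's own ~/.gnupg; --no-auto-key-retrieve: never ask a keyserver;
# --trust-model always: every keyring key is trusted, so gpg does not print
#   "WARNING: Using untrusted key!" (what the FIXME in the mail asks for).
# Returns gpg's status: 0 only for a good signature made by a keyring key.
verify_tarball_offline() {
    keyring=$1 tarball=$2 sigfile=$3 rc=0
    tmphome=$(mktemp -d)      # empty GNUPGHOME: no stray keys, no trustdb
    GNUPGHOME=$tmphome gpg --batch --quiet --no-default-keyring \
        --keyring "$keyring" --no-auto-key-retrieve --trust-model always \
        --verify "$sigfile" "$tarball" >/dev/null 2>&1 || rc=$?
    GNUPGHOME=$tmphome gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$tmphome"
    return $rc
}

# Constructed fixture: an "upstream" key signs a fake tarball, its public key
# is exported as the package keyring, and a tampered copy is made. Prints dir.
demo_build_fixture() {
    work=$(mktemp -d); export GNUPGHOME="$work/upstream"
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --gen-key >/dev/null 2>&1 <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Demo Upstream
Name-Email: upstream@example.invalid
Expire-Date: 0
%commit
EOF
    printf 'constructed tarball contents\n' >"$work/demo-1.0.tar.gz"
    gpg --batch --quiet --armor --output "$work/demo-1.0.tar.gz.asc" \
        --detach-sign "$work/demo-1.0.tar.gz" 2>/dev/null
    gpg --batch --quiet --output "$work/demo.keyring" \
        --export upstream@example.invalid 2>/dev/null
    cp "$work/demo-1.0.tar.gz" "$work/tampered.tar.gz"
    printf 'one extra line\n' >>"$work/tampered.tar.gz"
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    echo "$work"
}

if [ "${1:-}" = "--demo" ]; then   # stand-alone run: sh this.sh --demo
    d=$(demo_build_fixture)
    verify_tarball_offline "$d/demo.keyring" "$d/demo-1.0.tar.gz" "$d/demo-1.0.tar.gz.asc" && echo "pristine tarball: good signature"
    verify_tarball_offline "$d/demo.keyring" "$d/tampered.tar.gz" "$d/demo-1.0.tar.gz.asc" || echo "tampered tarball: rejected (rc=$?)"
fi
```

A signature made by a key that is not in the package keyring fails the same way as the tampered tarball, which is why the contents of that keyring are the security-sensitive part.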
