Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff


From: James Blackwell
Subject: Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff
Date: Fri, 26 Dec 2003 15:19:17 -0500
User-agent: Mutt/1.5.4i

On Fri, Dec 26, 2003 at 11:55:27AM -0800, Tom Lord wrote:
> 
> 
>     > From: James Blackwell <address@hidden>
> 
>     >> Thanks, nice script. However, it has a small problem -- if a
>     >> checksum file exists but is unsigned, it tells you that it has
>     >> a bad signature.
> 
>     > I don't see that as a bug. Checksum files are worthless if
>     > they're not signed. After all, if the patches have been modified
>     > by a nefarious person, then the checksum file could be modified
>     > to match.
> 
>     > That's rather the whole point of gpg signing.
> 
> Checksum files are _not_ useless without signing.  They have at least two
> uses:

Are you within context? This is within the context of gpgcheck.
gpgcheck is a script to use gpg signatures within an archive to verify the 
integrity of said archive.

If a person has infiltrated a machine and has started inserting
compromises into patches, they also have the ability to modify those
checksum files. All they need to do is update the checksum of the new patch.


> 1) They can be used to detect media failures.
>

Orthogonal to gpgcheck. That gpgcheck picks up failed md5sums is a free
side effect of looking for local archive tampering.

There's no reason we can't have a more generalized verify-integrity script
that checks md5s, revision locks, meta-info, even signatures. gpg isn't
intended to do that, though some of these naturally "come free" with
checking gpg signatures.

> 2) They provide an alternative to signing.  If, for example, checksums
>    are broadcast from trusted hosts (where they are first computed)
>    on various channels to all mirrors of the archives on that host,
>    then there's a public record of what that archive is supposed to
>    contain which everyone can see and use for integrity checking.
>
>    If the separate broadcast of the checksums is itself signed, then
>    the same level of security is achieved without signing the checksum
>    files in the archive itself.

This is certainly worthy of discussion and strikes me as useful. However,
that is a different itch than the one I scratched with gpgcheck. gpgcheck
is intended as a 'we promised the FSF the ability to gpg-sign archives
by New Year's, and we need somebody to hack something together so that they
can verify those signed archives'.

> At any rate, it should only be an error if the archive is a signed
> archive.  Otherwise it should be at most a single warning that the
> archive is unsigned.

I must be misunderstanding you here. You want me to give the option to
disable signature verification in a script which has the sole purpose of
verifying signed archives?

-- 
James Blackwell        Using I.T. to bring more                570-407-0488
Owner, Inframix        business to your business        http://inframix.com

   GnuPG (ID 06357400) AAE4 8C76 58DA 5902 761D  247A 8A55 DA73 0635 7400
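The disagreement above comes down to what an unsigned checksum file can and cannot prove. The following is an added example, not the gpgcheck script or any code from the tla project: it models an archive as a set of patches, builds an md5sum-style checksum file over them, and shows that an intruder on the archive host who rewrites a patch can simply regenerate the checksum file (so the md5 check passes), while a signature made with a key the host never held still fails. It also reports "unsigned" as a status distinct from "bad-signature", which is the behaviour the quoted complaint asked for. Because the Python standard library has no asymmetric signing, an HMAC keyed with an owner-only key stands in for a gpg detached signature; the patch names, patch contents and keys are constructed for the example.

```python
"""Model of the integrity checks argued over in this thread (an added
example, not the gpgcheck script): an md5sum-style checksum file covering
the patches in an archive, optionally covered by a detached signature.

hmac with a key held only by the archive owner stands in for a gpg
detached signature, since the standard library has no asymmetric signing.
The archive layout, patch contents and keys are constructed for the example.
"""
import hashlib
import hmac

OK, UNSIGNED, BAD_SIGNATURE, BAD_CHECKSUM = "ok", "unsigned", "bad-signature", "bad-checksum"

# Constructed sample archive: patch name -> patch bytes.
PATCHES = {
    "patch-1": b"--- a/foo.c\n+++ b/foo.c\n+    return 0;\n",
    "patch-2": b"--- a/bar.c\n+++ b/bar.c\n+    free(p);\n",
}

# Assumed signing key: kept by the archive owner, never on the archive host.
OWNER_KEY = b"archive-owner-signing-key"


def make_checksum_file(patches):
    """Build an md5sum(1)-style file: one 'hexdigest  name' line per patch."""
    return "".join(
        f"{hashlib.md5(data).hexdigest()}  {name}\n"
        for name, data in sorted(patches.items())
    ).encode()


def sign(checksum_file, key):
    """Detached signature over the checksum file (hmac stand-in for gpg)."""
    return hmac.new(key, checksum_file, hashlib.sha256).digest()


def verify_checksums(patches, checksum_file):
    """True when every patch matches its line in the checksum file.

    This is all an unsigned checksum file can tell you: it catches media
    failure, but not an intruder who rewrites the checksum file as well.
    """
    expected = {}
    for line in checksum_file.decode().splitlines():
        digest, name = line.split("  ", 1)
        expected[name] = digest
    return all(
        expected.get(name) == hashlib.md5(data).hexdigest()
        for name, data in patches.items()
    )


def verify_archive(patches, checksum_file, signature, key):
    """Combined check. 'unsigned' is reported separately from 'bad-signature'
    so the caller can decide whether a missing signature is an error (the
    gpgcheck view) or only a warning (the alternative raised in the thread)."""
    if not verify_checksums(patches, checksum_file):
        return BAD_CHECKSUM
    if signature is None:
        return UNSIGNED
    if not hmac.compare_digest(sign(checksum_file, key), signature):
        return BAD_SIGNATURE
    return OK


def tamper(patches):
    """Intruder on the archive host: alter a patch and, since the checksum
    file is just another file there, regenerate it to match."""
    altered = dict(patches)
    altered["patch-2"] = b"--- a/bar.c\n+++ b/bar.c\n+    system(cmd);\n"
    return altered, make_checksum_file(altered)


def demo():
    """Run the scenarios from the thread and return their outcomes."""
    checksums = make_checksum_file(PATCHES)
    signature = sign(checksums, OWNER_KEY)
    altered, altered_checksums = tamper(PATCHES)
    corrupted = {**PATCHES, "patch-1": b"\x00" * 16}  # media failure, checksums untouched
    return {
        "clean signed": verify_archive(PATCHES, checksums, signature, OWNER_KEY),
        "clean unsigned": verify_archive(PATCHES, checksums, None, OWNER_KEY),
        "media failure": verify_archive(corrupted, checksums, signature, OWNER_KEY),
        # md5 alone is fooled: the intruder regenerated the checksum file too.
        "tampered md5 only": verify_checksums(altered, altered_checksums),
        # The owner's signature covers the old checksum file, so it no longer matches.
        "tampered old sig": verify_archive(altered, altered_checksums, signature, OWNER_KEY),
        # The intruder cannot re-sign without the owner's key.
        "tampered forged sig": verify_archive(
            altered, altered_checksums, sign(altered_checksums, b"intruder-key"), OWNER_KEY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20} {result}")
```

Running it shows "tampered md5 only" as True and both tampered signature cases as "bad-signature": the checksum file detects the media-failure case on its own, but only the signature, made with a key that was never on the archive host, catches the intruder who updated the checksums. A gpgcheck-style caller would treat "unsigned" as a failure; a more general verify-integrity script could downgrade it to a warning when the archive is not expected to be signed.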



