
[Gnu-arch-users] signed archives and key management


From: Colin Walters
Subject: [Gnu-arch-users] signed archives and key management
Date: Mon, 19 Jan 2004 18:12:52 -0500

The current digital signature code is what I would describe as
"adequate".  The biggest problem is that it pushes all the key
management issues onto the user, without any help.  Secondarily, it'd be
nice if the vast majority of our users who use gpg didn't have to write
shell scripts just to invoke it.

Let's examine the first issue.  Currently, tla's HOWTO.crypto suggests
an example signature checking rule equivalent to:

#!/bin/sh
gpg --verify 

This rule uses the user's default GPG keyring.  If you're at all like
me, you have hundreds if not thousands of keys in your keyring that
you've downloaded to check email signatures and key signatures.

Now suppose that you use the above script as your =default.check.  What
that means is that *any* of those users in your keyring can sign a
change for *any* archive.

This is extremely dangerous.  For example, suppose that you use mirrors
of various archives at http://mirrors.sourcecontrol.net.  Suppose
further that you install James Blackwell's key into your keyring at some
point, perhaps to look at some of his code.

At this point, James can completely compromise any or all of those
mirrors at will.  The only thing you would notice is that as you're
downloading revisions, it would show that they were signed by him, not
by the original author.  If you're using a script which makes GPG
quieter (and it's hard not to :)), then you wouldn't even see that.

This isn't to pick on James - I don't think he'd do such a thing.  You
could instead imagine the mirrors.sourcecontrol.net machine being
cracked.  It's a good example of how easy it is for security to be
compromised, even though we're using signatures.

So what's the solution?  You could separate out the keys for the
developers associated with a particular project.  For example, 
you could separate out Tom Lord's key into a keyring of its own:

address@hidden> gpg --export -a lord > /tmp/lord.asc
address@hidden> gpg --no-default-keyring --keyring ~/keyrings/tla.gpg --import < /tmp/lord.asc

Then, you change your ~/.arch-params/signing/address@hidden
to:

#!/bin/sh
gpg --no-default-keyring --keyring ~/keyrings/tla.gpg --verify

This should work, but it's fairly painful.  Security needs to be as
user-friendly as possible, or otherwise people won't use it, or won't
use it correctly.

What I suggest is an extension to register-archive which takes a third
parameter; the URL for a GPG keyring.  This keyring would be stored in
something like ~/.arch-params/signing/keyrings/ARCHIVE.

The first time an archive is connected to, if
~/.arch-params/signing/keyrings/ARCHIVE doesn't exist, then the keyring
from the site is downloaded.  

Once we've downloaded the keyring, then for every future operation on
that archive, we check whether it's been modified since then (doable for
HTTP and perhaps sftp), and if so then we download the newer copy into a
temporary location, show the user its contents, and prompt them to
verify.

This will make life a little more painful for people who aren't
mirroring an archive locally.  But if you do mirror an archive locally,
it should be quite usable.

The advantage of this whole scheme is that it greatly increases
security.  The disadvantage is that AFAIK the keyring format is
GPG-specific.  An alternative here would be to have the user provide a
URL to a directory of ASCII-armored keys.


So that's it for the first problem.  Now, for the second problem - I'd
really like to more tightly integrate GPG into tla, so users don't have
to write so many redundant shell scripts.  Not to mention that the
current method where ~/.arch-params/signing/ARCHIVE may be either a
shell script OR an archive name is fairly gross.

We do need to preserve the existing infrastructure though for people who
don't or can't use GPG, even though I think they're going to be a
vanishingly small percentage of the userbase.

First, assuming my above proposal is integrated, what I'd like to do is
have tla understand how to invoke GPG to verify revisions against the
keyring associated with that archive, without the user having to write
any shell scripts or anything.  It should Just Work.

Secondarily, I'd like tla to *also* by default invoke /usr/bin/gpg
--default-key $(tla my-id) for signing.  

That should cover most users.

Thoughts, opinions, flames?

Attachment: signature.asc
Description: This is a digitally signed message part
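
The per-archive keyring flow proposed in the message above (pin on first connect, stage and review on change, verify only against the pinned keyring), as an added shell example that is not part of the original post or of tla. The function names and the .pending staging file are assumptions; the keyring directory is the one the message suggests.

```shell
#!/bin/sh
# Added example: per-archive keyring pinning (trust on first use).
# KEYRING_DIR follows the path suggested in the message; the function
# names and the ".pending" staging file are assumptions of this sketch.
KEYRING_DIR="${KEYRING_DIR:-$HOME/.arch-params/signing/keyrings}"

# Print the pinned keyring path for an archive. Names that could escape
# KEYRING_DIR or collide with a staged file are rejected.
keyring_path() {
    case "$1" in
        ""|.|..|*/*|*.pending) echo "bad archive name: $1" >&2; return 1 ;;
    esac
    printf '%s/%s\n' "$KEYRING_DIR" "$1"
}

# keyring_update ARCHIVE FETCHED_FILE
#   0: pinned copy is current (or was just pinned on first connect)
#   2: fetched copy differs; staged as ARCHIVE.pending, pinned copy untouched
keyring_update() {
    pinned=$(keyring_path "$1") || return 1
    mkdir -p "$KEYRING_DIR" || return 1
    if [ ! -e "$pinned" ]; then
        cp "$2" "$pinned"; return $?
    fi
    cmp -s "$2" "$pinned" && return 0
    cp "$2" "$pinned.pending" || return 1
    return 2
}

# Promote a staged keyring once the user has reviewed it, e.g. with
#   gpg --no-default-keyring --keyring "$pinned.pending" --list-keys
keyring_accept() {
    pinned=$(keyring_path "$1") || return 1
    [ -e "$pinned.pending" ] || return 1
    mv "$pinned.pending" "$pinned"
}

# Print the check command for an archive. Fails closed when no keyring is
# pinned instead of falling back to the user's default keyring.
check_command() {
    pinned=$(keyring_path "$1") || return 1
    [ -e "$pinned" ] || { echo "no keyring pinned for $1" >&2; return 1; }
    printf 'gpg --no-default-keyring --keyring %s --verify\n' "$pinned"
}
```

A changed keyring never replaces the pinned one until keyring_accept runs, so a modified keyring on a mirror cannot silently widen the set of accepted signers.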

