[OpenAFS] OpenAFS RPMs and GPG signatures

David Thompson thomas@cs.wisc.edu
Thu, 12 Jun 2008 10:46:43 -0500


Simon Wilkinson wrote:

>> I think that regardless of whether or not you protect the signing key, 
>> you're trusting that the build host hasn't been compromised.  If it 
>> has, an adversary could do anything to your rpm _before_ it gets 
>> signed by a protected key (or 100 other ways someone who has 
>> compromised the host can defeat the signing process).
> 
> Indeed. That was my point. None of the other mechanisms for signing 
> (attended keys, organisational keys ...) actually give you any more 
> assurance about RPM integrity than a random key that resides on the disk 
> of the build machine and says "Machine X built this RPM".

I would disagree.  If I see an RPM signed with "The One True Simon 
Wilkinson Key", as opposed to "Machine X" key, I would infer that to the 
extent I know Simon (he's written some good code, and he talks pretty 
good to a room full of people), I would guess he hasn't hacked back 
doors into the openafs RPMs he's signed, and that he hasn't allowed his 
build host to be compromised, etc.  Likewise "The One True Openafs.org 
Key."  Not so "Machine X" key.  A signing key is the "Quality assurance" 
stamp of its owner.  To me, it puts the reputation of the owner on the 
line for whatever it signs.

>> I think the question here is, who is taking responsibility for the 
>> RPMs?  If these are Simon Wilkinson RPMs, then I think it's fine for 
>> them to be signed by Simon.  If openafs.org is asserting that the RPMs 
>> are somehow blessed by the organization (which I think is implied by 
>> the current structure, but may not be intended), they should carry an 
>> openafs.org signature.  Choosing who signs the RPMs could make these 
>> relationships clearer.
> 
> I don't think that the GPG key conveys anything with regards to these 
> relationships. In fact, it may well just serve to muddy the water. What 
> happens if we make the decision that the builder signs the RPM (after 
> all, the builder is the only one who can actually vouch for the RPM's 
> contents - be that a person, or an automated process). The signature has 
> no bearing on the "official", or not, nature of the package. Ultimately, 
> the place you get the RPMs from is probably the key signifier of their 
> status - especially for users for whom GPG keys and webs of trust are a 
> black art.

IMO, by signing an RPM, a person or organization is vouching for the 
contents of the RPM.  If all you want is to be able to verify that an 
RPM hasn't become corrupt in transit, then a "Machine X" key is 
appropriate.  Just don't make people download too many of them.

And, yes, lots of folks may overestimate what you're getting by 
verifying the signature of an RPM key.  (Maybe you think I'm one of them 
(smile)  That's OK too).

Dave