From kde-devel Wed May 26 08:51:29 2010 From: Joanna Rutkowska Date: Wed, 26 May 2010 08:51:29 +0000 To: kde-devel Subject: Re: digital signatures for kde sources? Message-Id: <4BFCE111.4060107 () invisiblethingslab ! com> X-MARC-Message: https://marc.info/?l=kde-devel&m=127486378923919 MIME-Version: 1 Content-Type: multipart/mixed; boundary="--===============1462603294==" This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --===============1462603294== Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig040FBD3C18DB4B3D024DEA92" This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig040FBD3C18DB4B3D024DEA92 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On 05/26/2010 03:49 AM, Scott Kitterman wrote: >> Instead of having just one private key, it would be much better for >> every commiter/release-manager or whoever is responsible for building >> the stable tarballs, to generate their own private key and use it for >> signing. Then, there should be one "master signing key" that would be >> kept on some safe machine (perhaps used just for the purpose of >> generating and using this key) and which would be used to sign all the= >> "authorized" developers keys. This key (the public portion) would be >> published on kde.org website, and you can also send it to kde-devel >> list, to make it possible for people to obtain it from 2 different >> sources (I guess kde-devel is widely mirrored over internet, so it wou= ld >> not be feasible for the attacker to subvert this public key in all the= >> places). Perhaps only the top 2 or 3 most trusted KDE developers (I'm >> sorry I don't know the management structure of the project) should hav= e >> access to the master signing key. >> > Speaking as an Ubuntu packager, we maintain in transit assurance of > package integrity by retrieving the tarballs via sftp. If someone > can MITM my SSH session, then there's a lot better things they can > do with it than modify KDE tarballs in transit. >=20 That's certainly better than relaying on the SHA1 hash embedded on the plaintext HTML page. But still doesn't help if somebody compromised the KDE's ftp server. You might comfort yourself that this is unlikely to happen, but the reality is simply different, e.g. [1]: "In connection with the incident, the intruder was able to get a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only) signed" This is BTW also a good example why it's a bad idea to have a centralized signing server/key, and it's much better to let lead developers to sing the tarballes by themsevles as I explained above. Anyway, can someone from @kde.org address tell me the sftp's RSA fingerprint? :) joanna. [1] http://www.redhat.com/security/data/openssh-blacklist.html --------------enig040FBD3C18DB4B3D024DEA92 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkv84RYACgkQORdkotfEW84IPgCgqsXp32ZS4nR/0AJi313QkfEk H6AAoJk/wy1zdgwCEy63DvkLM5AP0aj6 =TQDY -----END PGP SIGNATURE----- --------------enig040FBD3C18DB4B3D024DEA92-- --===============1462603294== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline >> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe << --===============1462603294==--