[arch-haskell] Package Signing

Magnus Therning magnus at therning.org
Sat Oct 12 07:40:22 UTC 2013


On Mon, Jul 30, 2012 at 8:35 AM, Xyne <xyne at archlinux.ca> wrote:
> On 2012-07-29 18:48 +0200
> Magnus Therning wrote:
>
>>Correct me if I'm wrong in this assumption, but I need to have the
>>following three items available when running the script:
>>
>>1. The newly-built package.
>>2. The repo database (x.db.tar.gz) I'm adding the package to.
>>3. The secret key.
>
> 1 & 3, yes.
>
> If you have all of the packages then the full database will be recreated so you
> don't actually need 2, but if it's present then it will be updated with the
> selected packages.
>
>
>>This is a slight problem for me.  I build on kiwilight (where I'm not
>>alone in having root access), the database is on xsounds.org (where I
>>don't have root access at all), and to be fully comfortable I'd like
>>to keep the secret key and perform the signing on my own machine :-)
>>
>>Is there some way to simply extract the actual data that is to be
>>signed (the hashes), and perform the actual signing manually?
>
> I'm not sure, but I think gpg needs the full file to generate the signature.
> There might be some way to dig the hashing algorithm out of the source code and
> then create your own remote signing function with it, but that would require
> knowledge of gpg internals.

Yes, there seems to be no way to split the two steps of
creating-digest and encrypting-digest-with-secret-key (these two
together make up the signing action).  It's very unfortunate that
signing in pacman is designed to use gpg directly on the
package.

> One solution might be to build the packages on kiwilight, then mount the
> directory of built packages with sshfs.  You could then run the signing script
> locally. I don't know how much bandwidth that will use, but I think it's worth
> trying. In the worst case scenario, it will be equivalent to downloading the
> packages. Whether or not that's a problem depends on your connection.

I don't see how that could be anything else but the worst case, GnuPG
on the machine needs to consume the entire package in order to create
the digest, hence all built packages must be downloaded :-(

> If I understand the problem correctly, you do not generate the database
> yourself. That should not be a problem for package signatures, as repo-add will
> include them in the database as long as the signature files are present when it
> adds the packages. If you can't remote-mount xsounds with sshfs and sign the
> database there, just download it and sign it locally then upload the database
> signature file.

I am generating the DB myself, I just do it on another machine than
where I perform the builds.

> If that is not possible for whatever reason, just having package signatures is
> better than nothing. However, given what you've said about not being the only
> one to have access to these repos, I think package signing in this case is very
> important.

I agree, but it's important that the signing actually adds security,
which is why I'd like to keep the secret key on my own machine.
Performing the signing (and keeping the secret key) on either
kiwilight or xsounds might only create a false sense of security,
which arguably is worse than *no* sense of security ;-)

> I would also like to know who does have access to these files. On kiwilight
> I believe that it is only Kaiting, who is a TU. Who has access on xsounds?

Not sure.

> Could you simply make kiwilight the main host and have xsounds mirror it? The
> process would then be the following:
> 1) ssh into kiwilight, build, and move to haskell/$arch if necessary
> 2) mount haskell/$arch via ssh and run the signing script locally
>
> You would then have a fully signed repo in haskell/$arch that can be mirrored
> by xsounds.

Of course I could.  It could be argued that since the building happens
on kiwilight we all are forced to trust all (root) users of that
system anyway.  Adding a signature (which is created on kiwilight)
won't decrease the trustworthiness of the packages, but a signature
would mean that the trustworthiness is kept as the packages are copied
over to xsounds.

I find security to be very tricky, so any comments and corrections to
my thinking are more than welcome.

/M

-- 
Magnus Therning                      OpenPGP: 0xAB4DFBA4
email: magnus at therning.org   jabber: magnus at therning.org
twitter: magthe               http://therning.org/magnus
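As an added example (not code from the thread or from pacman), here is a POSIX shell sketch of the workflow Xyne proposes: the repo directory is sshfs-mounted locally, the secret key stays on the local machine, every package that lacks a detached signature is signed, all signatures are verified, and the database is rebuilt and signed. The mount path, key id and the `.pkg.tar.xz` suffix are assumptions.

```shell
#!/bin/sh
# Added example: sign an sshfs-mounted repo with a key that never leaves
# this host. Arguments: <mounted repo dir> <gpg key id> (both assumed).
set -eu

# List packages in $1 that have no detached signature yet (no gpg needed).
unsigned_packages() {
  dir=$1
  for pkg in "$dir"/*.pkg.tar.xz; do
    [ -e "$pkg" ] || continue        # glob matched nothing
    [ -e "$pkg.sig" ] || echo "$pkg"
  done
}

# Sign every unsigned package. gpg must read the whole file: the digest is
# taken over the full package, so the bytes cross the mount to this host.
sign_missing() {
  dir=$1; keyid=$2
  unsigned_packages "$dir" | while IFS= read -r pkg; do
    gpg --batch --local-user "$keyid" --detach-sign "$pkg"
  done
}

# Verify every package before the repo is mirrored; non-zero if any
# package is unsigned or its signature does not verify.
verify_all() {
  dir=$1; rc=0
  for pkg in "$dir"/*.pkg.tar.xz; do
    [ -e "$pkg" ] || continue
    if [ ! -e "$pkg.sig" ] || ! gpg --batch --verify "$pkg.sig" "$pkg" 2>/dev/null; then
      echo "BAD: $pkg" >&2; rc=1
    fi
  done
  return $rc
}

main() {
  mount=$1; keyid=$2
  sign_missing "$mount" "$keyid"
  verify_all "$mount"
  # Rebuild the database from the signed packages and sign the DB itself.
  repo-add --sign --key "$keyid" "$mount/haskell.db.tar.gz" "$mount"/*.pkg.tar.xz
}

# Only run the full flow when invoked with both arguments.
if [ $# -ge 2 ]; then main "$@"; fi
```

Run as `sh sign-repo.sh /mnt/haskell <KEYID>` after mounting haskell/$arch with sshfs; repo-add's `--sign`/`--key` options are the ones that put the package signatures into the database and sign the database file.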
