From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/20110131/002388.html | 175 ++++++++++++++++++++++++++++++++ 1 file changed, 175 insertions(+) create mode 100644 zarb-ml/mageia-dev/20110131/002388.html (limited to 'zarb-ml/mageia-dev/20110131/002388.html') diff --git a/zarb-ml/mageia-dev/20110131/002388.html b/zarb-ml/mageia-dev/20110131/002388.html new file mode 100644 index 000000000..45c8e9f3b --- /dev/null +++ b/zarb-ml/mageia-dev/20110131/002388.html @@ -0,0 +1,175 @@ + + + + [Mageia-dev] PGP keys and package signing + + + + + + + + + +

[Mageia-dev] PGP keys and package signing

+ Michael Scherer + misc at zarb.org +
+ Mon Jan 31 15:57:14 CET 2011 +

+
+ +
Le lundi 31 janvier 2011 à 04:16 +0100, nicolas vigier a écrit :
+> Hello,
+> 
+> Now that we have a working build system, we need to setup the last part,
+> which is package signing. And for this we need a GPG key. So it's time
+> to decide on some policy about PGP keys.
+>
+
+>  - keys stored on the build system were not secure (all contributors and
+>    apprentice had shell access on the build system and could easily become
+>    root using iurt or other techniques, and then access the secret keys).
+
+Mhh, the keys are stored on raoh, and no one except few selected people
+had access ( granted, there was some flaws since I know someone who
+managed to get access one day despite not being authorized ).
+
+
+> So I propose that we use two keys :
+>  - We sign all packages from all repositories using only one key. This
+>    key is stored on the buildsystem. We can call it packages at mageia.org.
+>  - We have an other key, that we call board at mageia.org. This key is
+>    not used on any online server, and is supposed to never be changed,
+>    and should not be compromised. Only a few people have a copy of this
+>    key (some people from board ?), kept on a usb key hidden somewhere, but
+>    not on their laptop or any computer with internet connection. This key
+>    is used to sign the key packages at mageia.org (and revoke it if needed),
+>    and other official keys of the project, but never used for anything
+>    else (not for receiving encrypted messages). And the signature is
+>    sent on public keyservers.
+
+If we want to sign the key, we will have a network connection, no ?
+
+
+>  - We add the board at mageia.org public key inside the urpmi package. 
+>    We change urpmi so that it refuses to use any key which has not been
+>    signed by board at mageia.org. And urpmi should frequently update the
+>    keys it is using from public keyservers to check that its signature
+>    from board@ has not been revoked (or that the key self signature has
+>    not been revoked).
+
+>  - In case we think the packages@ key may have been compromised, or is
+>    too old, or we want to change it for any other reason, we revoke the
+>    key, and/or revoke the signature from board@ so that it is no
+>    longer accepted by urpmi. We create a new key, we sign it with
+>    the board@ key and we can start to use this new key.
+
+Since computer get faster days and days ( until the days you buy them ),
+and there is new cryptographic techniques found each year. So it seems
+to me quite sane to change the keys every 2/3 years. More often mean
+that we will forget how we did, and too often could be bad ( even if
+IMHO, one key per release would be nice but maybe overkill ). 
+
+This way, we can check the procedure is working, we will have a robust
+key, following up to date requirements of security. And we can fix
+problem if any without having the pressure of "the key got compromised".
+
+
+
+> In this thread :
+> https://www.mageia.org/pipermail/mageia-dev/20110128/002363.html
+> misc proposed that we publish tarballs of our software on the mirrors,
+> and sign them using a pgp key. So we need a key for that. We also want
+> to sign ISOs, maybe with a different key. So I think we can do the same
+> as for packages key, we create new keys for software releases and for
+> ISOs, and we sign those keys with the board@ key. And we can tell
+> everybody that all files released by the project are always signed by
+> a key that was signed by the board@ key.
+
+Yup. I would also go on making sure the key is signed ( web of trust,
+etc ).
+
+> If we decide to do this, someone from board could generate the key next
+> week at fosdem after the election, save it on usb key for other board
+> members, and give the fingerprint to everybody to sign the key.
+
+I would rather make sure that the key cannot be used by only one board
+member. Not that I do not trust people for that ( they are the board
+after all ), but it would be safer to have it distributed and resilient
+if someone steal the key ( like a burglar, etc ). 
+
+Maybe have it password protected should be sufficient ( except if people
+forget that password, or stick it to the key ). 
+
+Pascal proposed to use https://store.ironkey.com/personal , on the
+thread
+https://www.mageia.org/pipermail/mageia-sysadm/2011-January/002155.html
+
+Another last solution to prevent theft would to use shamir secret
+sharing ( as also said in the other thread, but maybe I am too insistant
+on this wonderful cryptographic invention ). This way, people would have
+to steal several part of the file to get something usable.
+( for Harry Potter fan, think of horcruxes )
+
+
+And also, I think we should routinely make sure the key is readable
+( ie, that people know where it is, and the support is still good ), so
+we do not discover one day that half the key keeper lost the key while
+moving, thinking someone else had it, and the other half stored it near
+magnet, rendering it unreadable.
+
+And make sure the key is not sent as cleartext on the web too.
+
+-- 
+Michael Scherer
+
+
+ + + + + + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1
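Review bot: the scope of this hunk does not match the commit message; "Add zarb MLs html archives" describes a bulk import, while the view is limited to zarb-ml/mageia-dev/20110131/002388.html and the diffstat's "1 file changed, 175 insertions(+)" comes from that cgit path filter, not from the commit itself, so the full commit should be reviewed rather than this one file. Within the archived message, the thread links at `+> https://www.mageia.org/pipermail/mageia-dev/20110128/002363.html` and `+https://www.mageia.org/pipermail/mageia-sysadm/2011-January/002155.html` are absolute URLs to the live pipermail host, so the imported archive is not self-contained; if the repository is meant to be a standalone mirror, those should be rewritten to relative archive paths. The header and footer navigation rows of the page also arrive as bare runs of `+` with no markup (the lines before `[Mageia-dev] PGP keys and package signing` and the rows after `Michael Scherer`), which suggests the stored HTML was stripped or the conversion dropped the table cells; confirm the committed file still contains the original page structure.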