- Subject: Re: gpg signatures for release tarballs?
- From: "Anonymous" <hyperowl@...>
- Date: Sat, 29 Jan 2022 10:10:30 -0000
1. Certificates are issued by CAs, which
- are vulnerable to government coercion,
- have a track record of various shenanigans,
- are a target of interest for hackers.
2. Certificates change. I can sure pin, but what happens when the cert is updated? How do I know the new cert's creation was authorized by the site owners? Also, lots of technical folks know how to verify a signature. How many know how to pin?
3. If the site gets compromised, there's a good chance the hackers won't also have access to the private key and won't be able to produce a valid signature.

FWIW, I'm working on a small Linux distro; there's already a couple dozen software items in the repo, all of them signed.

You can check what other projects sign their tarballs and why. Check the Tor project, for instance; they sure know a thing or two about security. Same for OpenBSD. Or the Linux kernel, for that matter.

On Sat, January 29, 2022 04:53, Adam Higerd wrote:
> On Fri, Jan 28, 2022 at 10:06 PM Anonymous <hyperowl@danwin1210.de>
> wrote:
>
>
>> If I get the key from the site, the window of vulnerability is small: I
>> only need to get it once. For any new key there will (hopefully) be an
>> announcement, signed with the old key, containing the new key's
>> fingerprint. Also, I can get a key from a keyserver or any other place.
>> It's not about the key, it's about its fingerprint which you can publish
>> in multiple places: on the site, on social media, mention it in a
>> conference talk, etc.
>>
>
> If you can get the key from the site, you can also get the public
> certificate from the site and verify it in the future. The threat model is
> effectively identical to HTTPS.
>
> /s/ Adam
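
The fingerprint argument in this thread only holds if the verifier checks which key made the signature: `gpg --verify` exits successfully for a good signature from any key in the local keyring. The following is an added example, not part of the thread, that compares gpg's machine-readable status output against a fingerprint obtained out of band; the fingerprints, status lines and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. All fingerprints and status lines below
# are constructed; PINNED_FPR stands for the fingerprint you collected out of band.
PINNED_FPR="0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"

# Read `gpg --status-fd 1 --verify` output on stdin. Print the primary-key
# fingerprint of a good signature; fail on bad, expired or revoked results.
validsig_primary_fpr() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        # Field 12 is the primary-key fingerprint; fall back to the signing key.
        $2 == "VALIDSIG" && fpr == "" { fpr = (NF >= 12) ? $12 : $3 }
        END { if (bad || !good || fpr == "") exit 1; print toupper(fpr) }'
}

# Succeed only if stdin reports a good signature made by the pinned key.
signed_by_pinned_key() {
    want=$(printf '%s' "$PINNED_FPR" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(validsig_primary_fpr) || return 1
    [ "$got" = "$want" ]
}

# Constructed status output: good signature from the pinned key.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Key <release@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2022-01-29 1643450000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Constructed: cryptographically good, but made by some other key in the keyring.
OTHER_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <other@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2022-01-29 1643450000 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98'

# Constructed: pinned key, but gpg reports the key as expired.
EXPIRED_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Example Release Key <release@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2022-01-29 1643450000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Real use (file names are assumptions):
#   gpg --status-fd 1 --verify release.tar.gz.sig release.tar.gz 2>/dev/null \
#       | signed_by_pinned_key && echo "signed by pinned key"
```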