[Mageia-dev] PGP keys and package signing

nicolas vigier boklm at mars-attacks.org
Mon Jan 31 04:16:43 CET 2011


Hello,

Now that we have a working build system, we need to set up the last part,
which is package signing. And for this we need a GPG key. So it's time
to decide on some policy about PGP keys.

We can look at how it was done at Mandriva. If I remember correctly :
 - cooker packages were signed with a key stored on the build system
 - stable release packages were signed at release time with another
   key, not stored on the build system, but stored on the server used
   to prepare the release and generate the ISOs
 - updates for main repository were managed by secteam, and signed by
   secteam key. The secteam didn't use the build system but their own
   servers, so the key was stored on their servers
 - updates for contrib repository were signed using a key stored on the
   build system
 - backports for main and contrib repository were signed using a key
   stored on the build system

However there are a few problems with this :
 - too many different keys, with different names, it's difficult to see
   which ones are really official. 
 - keys stored on the build system were not secure (all contributors and
   apprentices had shell access on the build system and could easily become
   root using iurt or other techniques, and then access the secret keys).
   We won't provide shell access on the same servers as the build system
   so it should be more secure, however it is always possible that a
   server be compromised, with all the PGP keys on it, so we should plan
   for it, and be able to revoke keys if it happens
 - using a different key for development version, and released version
   means we need to resign all packages for the release, taking a lot
   of time, cpu, and bandwidth to copy the packages between different
   servers
 - updates will be done using the same build system, so there is no use
   to have two different keys for release and updates packages
 - signed packages are supposed to prevent someone from modifying
   packages on the mirrors. However the public key used to verify the
   packages is downloaded from the mirror, and could be modified too.
   So it would be very easy to create a fake mirror with modified
   packages. We should fix that by allowing only trusted keys to be used.


So I propose that we use two keys :
 - We sign all packages from all repositories using only one key. This
   key is stored on the buildsystem. We can call it packages at mageia.org.
 - We have another key, that we call board at mageia.org. This key is
   not used on any online server, and is supposed to never be changed,
   and should not be compromised. Only a few people have a copy of this
   key (some people from board ?), kept on a usb key hidden somewhere, but
   not on their laptop or any computer with internet connection. This key
   is used to sign the key packages at mageia.org (and revoke it if needed),
   and other official keys of the project, but never used for anything
   else (not for receiving encrypted messages). And the signature is
   sent on public keyservers.
 - We add the board at mageia.org public key inside the urpmi package. 
   We change urpmi so that it refuses to use any key which has not been
   signed by board at mageia.org. And urpmi should frequently update the
   keys it is using from public keyservers to check that its signature
   from board@ has not been revoked (or that the key self signature has
   not been revoked).
 - In case we think the packages@ key may have been compromised, or is
   too old, or we want to change it for any other reason, we revoke the
   key, and/or revoke the signature from board@ so that it is no
   longer accepted by urpmi. We create a new key, we sign it with
   the board@ key and we can start to use this new key.

According to this page :
http://www.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html
there are also a few things we need to improve in urpmi to make it more
secure (signed hdlists, and expiration dates on hdlists), but this is
for later.

In this thread :
https://www.mageia.org/pipermail/mageia-dev/20110128/002363.html
misc proposed that we publish tarballs of our software on the mirrors,
and sign them using a PGP key. So we need a key for that. We also want
to sign ISOs, maybe with a different key. So I think we can do the same
as for packages key, we create new keys for software releases and for
ISOs, and we sign those keys with the board@ key. And we can tell
everybody that all files released by the project are always signed by
a key that was signed by the board@ key.

If we decide to do this, someone from board could generate the key next
week at fosdem after the election, save it on usb key for other board
members, and give the fingerprint to everybody to sign the key.

Any opinions on this ? Or other ideas ? Or comments ?

Nicolas
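
The acceptance rule proposed in the message above, as an added example that is not part of the original post and is not urpmi code: a model of the decision a client would make once signatures and certifications have already been verified by the OpenPGP tooling. The fingerprints, the `Key` structure, the 7-day refresh limit and the choice to fail closed on stale keyserver data are all assumptions made for illustration.

```python
from typing import NamedTuple

BOARD_FPR = "BOARD-FPR-PLACEHOLDER"  # pinned root shipped in the urpmi package (placeholder)
MAX_REFRESH_AGE = 7 * 86400          # assumed policy: older keyserver data counts as stale

class Key(NamedTuple):
    uid: str
    certified_by: frozenset = frozenset()   # issuers whose certification verified
    revoked_certs: frozenset = frozenset()  # issuers that later revoked their certification
    self_revoked: bool = False              # key revoked by its own owner

def check_signing_key(keys, last_refresh, signer_fpr, now):
    """Return (accepted, reason) for a package signed by signer_fpr."""
    if now - last_refresh > MAX_REFRESH_AGE:
        # Without a recent refresh a revocation by board@ would go unnoticed.
        return False, "keyring stale: revocations may be missing"
    key = keys.get(signer_fpr)
    if key is None:
        return False, "unknown key"
    if key.self_revoked:
        return False, "key revoked"
    if BOARD_FPR not in key.certified_by:
        # A key fetched from a mirror is never trusted on its own.
        return False, "not certified by board@"
    if BOARD_FPR in key.revoked_certs:
        return False, "board@ certification revoked"
    return True, "certified by board@"

def demo():
    now = 1_296_443_803  # constructed timestamp
    board = frozenset({BOARD_FPR})
    keys = {  # constructed keyring covering the cases discussed in the post
        "PKG-OLD": Key("packages@ (compromised, replaced)", board, board),
        "PKG-NEW": Key("packages@ (current)", board),
        "MIRROR": Key("key served by a fake mirror", frozenset({"MIRROR"})),
    }
    fresh = now - 3600
    results = {fpr: check_signing_key(keys, fresh, fpr, now)
               for fpr in ("PKG-OLD", "PKG-NEW", "MIRROR", "ABSENT")}
    # Same valid key, but the client has not refreshed for 30 days.
    results["PKG-NEW (stale)"] = check_signing_key(keys, now - 30 * 86400, "PKG-NEW", now)
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

Key rotation needs no client update in this model: only the pinned board@ fingerprint is shipped, and a replacement packages@ key is accepted as soon as it carries a board@ certification.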