[Mageia-dev] PGP keys and package signing

Michael Scherer misc at zarb.org
Mon Jan 31 15:57:14 CET 2011


On Monday 31 January 2011 at 04:16 +0100, nicolas vigier wrote:
> Hello,
> 
> Now that we have a working build system, we need to set up the last part,
> which is package signing. And for this we need a GPG key. So it's time
> to decide on some policy about PGP keys.
>

>  - keys stored on the build system were not secure (all contributors and
>    apprentices had shell access on the build system and could easily become
>    root using iurt or other techniques, and then access the secret keys).

Mhh, the keys are stored on raoh, and no one except a few selected people
had access ( granted, there were some flaws since I know someone who
managed to get access one day despite not being authorized ).


> So I propose that we use two keys :
>  - We sign all packages from all repositories using only one key. This
>    key is stored on the buildsystem. We can call it packages at mageia.org.
>  - We have another key, that we call board at mageia.org. This key is
>    not used on any online server, and is supposed to never be changed,
>    and should not be compromised. Only a few people have a copy of this
>    key (some people from board ?), kept on a usb key hidden somewhere, but
>    not on their laptop or any computer with internet connection. This key
>    is used to sign the key packages at mageia.org (and revoke it if needed),
>    and other official keys of the project, but never used for anything
>    else (not for receiving encrypted messages). And the signature is
>    sent on public keyservers.

If we want to sign the key, we will have a network connection, no ?


>  - We add the board at mageia.org public key inside the urpmi package. 
>    We change urpmi so that it refuses to use any key which has not been
>    signed by board at mageia.org. And urpmi should frequently update the
>    keys it is using from public keyservers to check that its signature
>    from board@ has not been revoked (or that the key self signature has
>    not been revoked).

>  - In case we think the packages@ key may have been compromised, or is
>    too old, or we want to change it for any other reason, we revoke the
>    key, and/or revoke the signature from board@ so that it is no
>    longer accepted by urpmi. We create a new key, we sign it with
>    the board@ key and we can start to use this new key.

Since computers get faster day after day ( until the day you buy them ),
and there are new cryptographic techniques found each year, it seems
to me quite sane to change the keys every 2/3 years. More often means
that we will forget how we did it, and too often could be bad ( even if
IMHO, one key per release would be nice but maybe overkill ).

This way, we can check the procedure is working, and we will have a robust
key, following up-to-date security requirements. And we can fix
problems, if any, without having the pressure of "the key got compromised".



> In this thread :
> https://www.mageia.org/pipermail/mageia-dev/20110128/002363.html
> misc proposed that we publish tarballs of our software on the mirrors,
> and sign them using a pgp key. So we need a key for that. We also want
> to sign ISOs, maybe with a different key. So I think we can do the same
> as for packages key, we create new keys for software releases and for
> ISOs, and we sign those keys with the board@ key. And we can tell
> everybody that all files released by the project are always signed by
> a key that was signed by the board@ key.

Yup. I would also go on making sure the key is signed ( web of trust,
etc ).

> If we decide to do this, someone from board could generate the key next
> week at fosdem after the election, save it on usb key for other board
> members, and give the fingerprint to everybody to sign the key.

I would rather make sure that the key cannot be used by only one board
member. Not that I do not trust people for that ( they are the board
after all ), but it would be safer to have it distributed and resilient
if someone steals the key ( like a burglar, etc ).

Maybe having it password protected should be sufficient ( except if people
forget that password, or stick it to the key ).

Pascal proposed to use https://store.ironkey.com/personal , on the
thread
https://www.mageia.org/pipermail/mageia-sysadm/2011-January/002155.html

Another last solution to prevent theft would be to use Shamir secret
sharing ( as also said in the other thread, but maybe I am too insistent
on this wonderful cryptographic invention ). This way, people would have
to steal several parts of the file to get something usable.
( for Harry Potter fans, think of horcruxes )


And also, I think we should routinely make sure the key is readable
( ie, that people know where it is, and the support is still good ), so
we do not discover one day that half the key keepers lost the key while
moving, thinking someone else had it, and the other half stored it near
a magnet, rendering it unreadable.

And make sure the key is not sent as cleartext on the web too.

-- 
Michael Scherer


