[Mageia-dev] PGP keys and package signing

nicolas vigier boklm at mars-attacks.org
Mon Jan 31 17:51:11 CET 2011


On Mon, 31 Jan 2011, Michael Scherer wrote:

> > So I propose that we use two keys :
> >  - We sign all packages from all repositories using only one key. This
> >    key is stored on the buildsystem. We can call it packages at mageia.org.
> >  - We have an other key, that we call board at mageia.org. This key is
> >    not used on any online server, and is supposed to never be changed,
> >    and should not be compromised. Only a few people have a copy of this
> >    key (some people from board ?), kept on a usb key hidden somewhere, but
> >    not on their laptop or any computer with internet connection. This key
> >    is used to sign the key packages at mageia.org (and revoke it if needed),
> >    and other official keys of the project, but never used for anything
> >    else (not for receiving encrypted messages). And the signature is
> >    sent on public keyservers.
> 
> If we want to sign the key, we will have a network connection, no ?

We can sign it, and copy the signed key on an other computer to upload
it. Doing something like this :
 - We have Computer A with internet connection.
 - We have Computer B without internet connection, running on a livecd
   with tmpfs
 - On computer A: we download the packages@ public key, and the public
   key of all board members (if needed), and save this on a USB key
 - On computer B: we use the USB key to import all public keys in keyring
 - On computer B: We generate the board@ key
 - On computer B: We sign the packages@ key using board@ key
 - On computer B: We save the signed packages@ key, and public board@
   key on the USB key
 - On computer A: We use the USB key to upload the signed packages@ key,
   and board@ key on keyservers
 - On computer B: We encrypt the board@ private key using public key of
   board members or shamir secret sharing, and copy the encrypted files on
   USB keys to give them to board members
 - We destroy computer B (or alternatively we simply turn it off to
   remove tmpfs)

> > If we decide to do this, someone from board could generate the key next
> > week at fosdem after the election, save it on usb key for other board
> > members, and give the fingerprint to everybody to sign the key.
> 
> I would rather make sure that the key cannot be used by only one board
> member. Not that I do not trust people for that ( they are the board
> after all ), but it would be safer to have it distributed and resilient
> if someone steal the key ( like a burglar, etc ). 
> 
> Maybe have it password protected should be sufficient ( except if people
> forget that password, or stick it to the key ). 
> 
> Pascal proposed to use https://store.ironkey.com/personal , on the
> thread
> https://www.mageia.org/pipermail/mageia-sysadm/2011-January/002155.html
> 
> Another last solution to prevent theft would to use shamir secret
> sharing ( as also said in the other thread, but maybe I am too insistant
> on this wonderful cryptographic invention ). This way, people would have
> to steal several part of the file to get something usable.
> ( for Harry Potter fan, think of horcruxes )

Oops, I should have mentioned this thread in the 1st mail (but didn't
find it yesterday).

> And also, I think we should routinely make sure the key is readable
> ( ie, that people know where it is, and the support is still good ), so
> we do not discover one day that half the key keeper lost the key while
> moving, thinking someone else had it, and the other half stored it near
> magnet, rendering it unreadable.

Maybe we could test it every year at fosdem ?



More information about the Mageia-dev mailing list