[Mageia-dev] PGP keys and package signing
nicolas vigier
boklm at mars-attacks.org
Mon Jan 31 17:51:11 CET 2011
On Mon, 31 Jan 2011, Michael Scherer wrote:
> > So I propose that we use two keys:
> > - We sign all packages from all repositories using only one key. This
> > key is stored on the buildsystem. We can call it packages at mageia.org.
> > - We have another key, that we call board at mageia.org. This key is
> > not used on any online server, and is supposed to never be changed,
> > and should not be compromised. Only a few people have a copy of this
> > key (some people from board ?), kept on a usb key hidden somewhere, but
> > not on their laptop or any computer with internet connection. This key
> > is used to sign the key packages at mageia.org (and revoke it if needed),
> > and other official keys of the project, but never used for anything
> > else (not for receiving encrypted messages). And the signature is
> > sent on public keyservers.
>
> If we want to sign the key, we will have a network connection, no ?
We can sign it, and copy the signed key on another computer to upload
it. Doing something like this :
- We have Computer A with internet connection.
- We have Computer B without internet connection, running on a livecd
with tmpfs
- On computer A: we download the packages@ public key, and the public
key of all board members (if needed), and save this on a USB key
- On computer B: we use the USB key to import all public keys in keyring
- On computer B: We generate the board@ key
- On computer B: We sign the packages@ key using board@ key
- On computer B: We save the signed packages@ key, and public board@
key on the USB key
- On computer A: We use the USB key to upload the signed packages@ key,
and board@ key on keyservers
- On computer B: We encrypt the board@ private key using public key of
board members or shamir secret sharing, and copy the encrypted files on
USB keys to give them to board members
- We destroy computer B (or alternatively we simply turn it off to
remove tmpfs)
> > If we decide to do this, someone from board could generate the key next
> > week at fosdem after the election, save it on usb key for other board
> > members, and give the fingerprint to everybody to sign the key.
>
> I would rather make sure that the key cannot be used by only one board
> member. Not that I do not trust people for that ( they are the board
> after all ), but it would be safer to have it distributed and resilient
> if someone steals the key ( like a burglar, etc ).
>
> Maybe having it password protected should be sufficient ( except if people
> forget that password, or stick it to the key ).
>
> Pascal proposed to use https://store.ironkey.com/personal , on the
> thread
> https://www.mageia.org/pipermail/mageia-sysadm/2011-January/002155.html
>
> Another last solution to prevent theft would be to use shamir secret
> sharing ( as also said in the other thread, but maybe I am too insistent
> on this wonderful cryptographic invention ). This way, people would have
> to steal several parts of the file to get something usable.
> ( for Harry Potter fans, think of horcruxes )
Oops, I should have mentioned this thread in the 1st mail (but didn't
find it yesterday).
> And also, I think we should routinely make sure the key is readable
> ( ie, that people know where it is, and the support is still good ), so
> we do not discover one day that half the key keepers lost the key while
> moving, thinking someone else had it, and the other half stored it near
> a magnet, rendering it unreadable.
Maybe we could test it every year at fosdem ?
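The two points above about the board@ private key (splitting it with Shamir secret sharing among board members, and routinely checking that the stored copies still recombine) as an added Python example; this is not code from the thread or from Mageia's tooling. It splits a constructed stand-in secret into n shares of which any k rebuild it, and compares the rebuilt secret against a SHA-256 digest recorded at split time, so a yearly test on an offline machine can tell whether the shares are still usable. The GF(2^8) field with the AES polynomial, the share layout (index byte plus one byte per secret byte) and the sample secret are assumptions of the example.

```python
import hashlib
import secrets

# Added example, not the project's code. Shamir secret sharing over GF(2^8),
# one independent random polynomial per byte of the secret, as in the
# classic ssss/gfshare tools. Reduction polynomial: x^8 + x^4 + x^3 + x + 1.


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8)."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B  # reduce modulo the AES polynomial
        b >>= 1
    return product


def gf_pow(a, exponent):
    """Square-and-multiply exponentiation in GF(2^8)."""
    result = 1
    while exponent:
        if exponent & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        exponent >>= 1
    return result


def gf_inv(a):
    """Multiplicative inverse: a^(2^8 - 2) = a^254 in GF(2^8)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    return gf_pow(a, 254)


def split_secret(secret, threshold, shares):
    """Split `secret` (bytes) into `shares` parts; any `threshold` rebuild it.

    Returns a list of (x, bytes) where x in 1..shares is the share index.
    """
    if not 1 < threshold <= shares <= 255:
        raise ValueError("need 1 < threshold <= shares <= 255")
    share_bytes = [bytearray() for _ in range(shares)]
    for byte in secret:
        # Random polynomial of degree threshold-1 with constant term = byte.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for i in range(shares):
            x = i + 1
            y = 0
            for c in reversed(coeffs):  # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            share_bytes[i].append(y)
    return [(i + 1, bytes(share_bytes[i])) for i in range(shares)]


def recover_secret(shares):
    """Lagrange-interpolate each byte position at x = 0.

    With fewer than `threshold` shares this returns garbage rather than an
    error: that is why a digest check (verify_shares) is kept alongside.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    length = len(shares[0][1])
    out = bytearray()
    for pos in range(length):
        acc = 0
        for i, (xi, yi) in enumerate(shares):
            num, den = 1, 1
            for j, (xj, _) in enumerate(shares):
                if i != j:
                    num = gf_mul(num, xj)       # (0 - xj) == xj in char 2
                    den = gf_mul(den, xi ^ xj)  # (xi - xj) == xi ^ xj
            acc ^= gf_mul(yi[pos], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def secret_digest(secret):
    """Digest recorded when the key is split, for later readability checks."""
    return hashlib.sha256(secret).hexdigest()


def verify_shares(shares, expected_digest):
    """Routine check: do these shares still rebuild the recorded secret?"""
    return secret_digest(recover_secret(shares)) == expected_digest


if __name__ == "__main__":
    # Constructed stand-in; the real input would be the encrypted board@ export.
    key_export = b"constructed stand-in for the board@ private key export"
    digest = secret_digest(key_export)
    parts = split_secret(key_export, threshold=3, shares=5)
    print("3 of 5 shares rebuild the key:", verify_shares(parts[:3], digest))
    print("2 of 5 shares rebuild the key:", verify_shares(parts[:2], digest))
```

The digest is the piece worth storing with the shares (for instance printed on the paper that names who holds which share): a reconstruction that silently yields wrong bytes, whether from a damaged USB key or from too few holders present, fails the comparison instead of being mistaken for the key.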