SSH commit signatures on AUR
Hello,

AUR uses SSH keys for authentication, and for a few months now Git has been able to sign commits with SSH keys. Would there be interest in combining this to somehow mark packages as verified if HEAD has a valid signature from an SSH key registered in the profile of any maintainer of that package?

I don't think it'd add much in terms of security per se, but I think it'd help to encourage and spread commit signing on the AUR. That's a good thing per se, imho, but I think it'd also simplify trust management a lot, especially when automatically building many AUR packages. Currently you always need an extra RPC call to the AUR to obtain reliable maintainer information for every package, because the git clone itself doesn't carry any trust information at all. With signing however you could just scrape SSH keys from maintainers you trust every once in a while, and assemble those into an ALLOWED_SIGNERS file for "git verify-commit". Asserting that a package HEAD is trusted would then come down to a simple "git verify-commit".

For this to work AUR would need to publicly expose SSH keys on user profile pages, which definitely requires some care wrt privacy. Another challenge would be to make a UI which clearly indicates that "verified" only means the HEAD was signed by a maintainer, not that the Arch team or a TU has actually verified the PKGBUILD, let alone the package contents.

But if there's interest in the feature, I'd be happy to start working on a patch to aurweb to contribute this feature.

Kind regards,
Basti
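The consumer-side check sketched in the message above, run end to end, as an added example (this is not code from the thread, from aurweb, or from the AUR). It assumes git 2.34 or newer and OpenSSH 8.2 or newer (for "ssh-keygen -Y") on PATH. The maintainer and stranger keypairs, the allowed_signers file, the repository and the PKGBUILD edits are all constructed locally by the script; nothing is scraped from real AUR profiles, and the e-mail addresses are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from aurweb: the "assemble trusted
# maintainer keys into an allowed_signers file, then git verify-commit HEAD"
# workflow. Assumes git >= 2.34 and OpenSSH >= 8.2 on PATH. All keys, the
# repository and the commits are constructed here (nothing is fetched from the AUR).
set -eu

# Returns 0 when the installed git and ssh-keygen can sign and verify SSH signatures.
have_ssh_signing() {
    command -v git >/dev/null 2>&1 && command -v ssh-keygen >/dev/null 2>&1 || return 1
    ssh-keygen -Y 2>&1 | grep -q find-principals || return 1
    v=$(git --version | awk '{print $3}')
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 34 ]; }
}

# build_demo: create two keypairs, an allowed_signers file listing only the
# maintainer key, and an empty repository. Prints the workspace path.
build_demo() {
    work=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -C maintainer@example.invalid -f "$work/maintainer"
    ssh-keygen -q -t ed25519 -N '' -C stranger@example.invalid -f "$work/stranger"
    # allowed_signers line: <principal> namespaces="git" <keytype> <base64 key>
    # In the proposal these lines would be assembled from the SSH keys on the AUR
    # profiles of maintainers you trust. namespaces="git" restricts the entry to
    # git signatures, in case the same file is reused by other ssh-keygen -Y consumers.
    printf 'maintainer@example.invalid namespaces="git" %s\n' \
        "$(cut -d' ' -f1,2 "$work/maintainer.pub")" > "$work/allowed_signers"
    git init -q "$work/repo"
    echo "$work"
}

# commit_as <repo> <private key> <email> <message>: append to PKGBUILD and make a
# commit signed with that SSH key (git runs "ssh-keygen -Y sign -n git" for us).
commit_as() {
    echo "# $4" >> "$1/PKGBUILD"
    git -C "$1" add PKGBUILD
    git -C "$1" -c user.name="$3" -c user.email="$3" \
        -c gpg.format=ssh -c user.signingkey="$2" commit -q -S -m "$4"
}

# commit_unsigned <repo> <email> <message>: same edit, but no signature at all.
commit_unsigned() {
    echo "# $3" >> "$1/PKGBUILD"
    git -C "$1" add PKGBUILD
    git -C "$1" -c user.name="$2" -c user.email="$2" commit -q --no-gpg-sign -m "$3"
}

# check_head <repo> <allowed_signers>: the trust decision from the proposal.
# Prints "verified" and returns 0 only if HEAD carries a valid signature from a
# key in allowed_signers; an unsigned HEAD, or one signed by any other key,
# prints "unverified" and returns 1.
check_head() {
    if git -C "$1" -c gpg.format=ssh -c gpg.ssh.allowedSignersFile="$2" \
        verify-commit HEAD >/dev/null 2>&1; then
        echo verified
    else
        echo unverified
        return 1
    fi
}

# run_demo: walk HEAD through the three cases and print one summary line.
run_demo() {
    work=$(build_demo)
    repo=$work/repo
    commit_as "$repo" "$work/maintainer" maintainer@example.invalid "pkgver bump by maintainer"
    r1=$(check_head "$repo" "$work/allowed_signers") || true
    commit_as "$repo" "$work/stranger" stranger@example.invalid "signed with a key no maintainer registered"
    r2=$(check_head "$repo" "$work/allowed_signers") || true
    commit_unsigned "$repo" maintainer@example.invalid "maintainer forgot to sign"
    r3=$(check_head "$repo" "$work/allowed_signers") || true
    rm -rf "$work"
    echo "maintainer=$r1 stranger=$r2 unsigned=$r3"
}

if have_ssh_signing; then
    run_demo
else
    echo "needs git >= 2.34 and ssh-keygen with -Y support" >&2
fi
```

The two "unverified" cases are the ones a badge has to be honest about: a signature from a key that is not on any maintainer's profile is rejected exactly like no signature at all, and the check says nothing about whether the PKGBUILD itself is safe. Note also that git only consults the allowed_signers file you point it at, so the trust decision is entirely in the list you assembled.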
On 3/2/22 11:38 AM, Sebastian Wiesner via aur-dev wrote:
For this to work AUR would need to publicly expose SSH keys on user profile pages, which definitely requires some care wrt privacy.
Github (and Gitlab) both expose users' public ssh and pgp keys to the web. Take me for example, though you could search&replace with any valid username:

* https://github.com/pedanticdm.keys
* https://github.com/pedanticdm.gpg

(I'm most familiar with Github, hence this and a future example). Waxing pedantic, I'm not sure how many "privacy" concerns exist in this space since we're dealing in public keys (it's in the name). Trust and integrity (cough SKS keyservers cough) are the prominent concerns in my mind.
But if there's interest in the feature, I'd be happy to start working on a patch to aurweb to contribute this feature.
I see some value in it. Nothing fancy would be required. Github, for instance, presents a "verified" tag alongside every commit signed by UserA with the public key UserA uploaded to their account, plus a commit Author field with correct data. And, in Vigilant Mode, you get scary "unverified" and discomforting "partially verified" tags as well. ^_^

Have a good weekend, everyone! Cheers!
This brings up a question, though: How do we treat verified commits? Do we check these at all from a server standpoint, or is it purely for consumers?

I already sign my AUR commits, and I can verify them:

    (venv) { kevr sprunge } > git verify-commit 8d5259274278ac103c45622ed91b5ee83673db2
    gpg: Signature made Mon 03 Jan 2022 01:28:24 PM PST
    gpg:                using RSA key 0F985B6F99B6686854C44EC3F7E46DED420788F3
    gpg: Good signature from "Kevin Morris (kevr) <kevr@0cost.org>" [ultimate]

So this seems to already be possible. Are we looking for some kind of AUR package webview visible Verified tag that shows when HEAD is verified?

--
Kevin Morris
Software & Linux Enthusiast
Am Freitag, dem 01.04.2022 um 18:33 -0700 schrieb Kevin Morris via aur-dev:
This brings up a question, though:
How do we treat verified commits? Do we check these at all from a server standpoint, or is it purely for consumers?
I already sign my AUR commits, and I can verify them:
    (venv) { kevr sprunge } > git verify-commit 8d5259274278ac103c45622ed91b5ee83673db2
    gpg: Signature made Mon 03 Jan 2022 01:28:24 PM PST
    gpg:                using RSA key 0F985B6F99B6686854C44EC3F7E46DED420788F3
    gpg: Good signature from "Kevin Morris (kevr) <kevr@0cost.org>" [ultimate]
So this seems to already be possible. Are we looking for some kind of AUR package webview visible Verified tag that shows when HEAD is verified?
I'd like to have a "Verified" badge in order to encourage signing. I also sign my AUR commits, but in my experience most AUR maintainers don't; making signatures visible in the web interface would be a first step to encourage signing.

But I'm not really pursuing this anymore, because there's apparently little interest.

Cheers,
Basti
On 02/04/2022 09:50, Sebastian Wiesner via aur-dev wrote:
Am Freitag, dem 01.04.2022 um 18:33 -0700 schrieb Kevin Morris via aur-dev:
This brings up a question, though:
How do we treat verified commits? Do we check these at all from a server standpoint, or is it purely for consumers?
I already sign my AUR commits, and I can verify them:
    (venv) { kevr sprunge } > git verify-commit 8d5259274278ac103c45622ed91b5ee83673db2
    gpg: Signature made Mon 03 Jan 2022 01:28:24 PM PST
    gpg:                using RSA key 0F985B6F99B6686854C44EC3F7E46DED420788F3
    gpg: Good signature from "Kevin Morris (kevr) <kevr@0cost.org>" [ultimate]
So this seems to already be possible. Are we looking for some kind of AUR package webview visible Verified tag that shows when HEAD is verified?
I'd like to have a "Verified" badge in order to encourage signing.
As AURWeb uses cgit to display git commits, showing a verified badge should be implemented upstream. [1]

[1] https://git.zx2c4.com/cgit/about/
Am Montag, dem 04.04.2022 um 10:20 +0200 schrieb Jelle van der Waa via aur-dev:
On 02/04/2022 09:50, Sebastian Wiesner via aur-dev wrote:
Am Freitag, dem 01.04.2022 um 18:33 -0700 schrieb Kevin Morris via aur-dev:
This brings up a question, though:
How do we treat verified commits? Do we check these at all from a server standpoint, or is it purely for consumers?
I already sign my AUR commits, and I can verify them:
    (venv) { kevr sprunge } > git verify-commit 8d5259274278ac103c45622ed91b5ee83673db2
    gpg: Signature made Mon 03 Jan 2022 01:28:24 PM PST
    gpg:                using RSA key 0F985B6F99B6686854C44EC3F7E46DED420788F3
    gpg: Good signature from "Kevin Morris (kevr) <kevr@0cost.org>" [ultimate]
So this seems to already be possible. Are we looking for some kind of AUR package webview visible Verified tag that shows when HEAD is verified?
I'd like to have a "Verified" badge in order to encourage signing.
As AURWeb uses cgit to display git commits, showing a verified badge should be implemented upstream. [1]
I'd like that badge to have a prominent place on the AUR package pages, not hidden away in the Git commit display (I didn't even know that this existed so far). E.g. right under the "Git clone URL" there could be a "HEAD commit: Signed by package maintainer" or "HEAD commit: Unsigned/unknown signature" line to indicate that the latest commit was or wasn't signed with an SSH or PGP key of one of the maintainers of the package.

Cheers,
Basti