Hi, On 2024-02-11 01:35, mpan wrote:
Hello,
Good reasoning and decision regarding not removing signatures checking.
As for attaching keys, my opinion on that is: you may. My thinking here is as follows.
Signatures establish a secure channel between the software authors and the builder/user. If one puts complete trust in a random AUR account, we can just use SHA512 and stop with the security theater. The user is expected to acquire and verify the key through a separate route: either directly from the authors or by using enough witnesses to build trust.
Unavoidably that brings the question: where the user is supposed to get the key at? Keyservers should be the answer, but have fun playing hide-and-seek to tell, which server to use. Keys being published whenever possible is a good option then. That would include AUR.
That leaves one question open: where? I believe the proper place is the git repository, alongside the PKGBUILD. Keys aren’t expected to change often, so updates wouldn’t be frequent.
There is little risk in an AUR account offering a malicious key. Public keys are not expected to be distributed through secure means. Only the key ID (or the entire fingerprint) has to be confirmed. After all this is how keyservers work and they are even less trusted than AUR.
What if the victim doesn’t verify the key ID? The worst a malicious actor could do is publishing an AUR entry with both fake key and its corresponding key ID. But this gives them power to convey malicious source, what one can do by simply not offering signatures. There is a minor threat of the key ending up in their keyring, which can be later used to e.g. send encrypted email the attacker can read (tamper-evident on recipient’s end: they can’t decrypt it). But the same can be done with a keyserver.
Cheers
Thanks for the great reply, I agree on all points pretty much. Yeah, the package consumer still has to verify the key (signature) with upstream, but including the key file with the package can help in situation where the public keyservers are flakey (certainly a situation I've had to deal with in the past). One point I just realized is that the AUR might prevent me from uploading the key(s) as they wouldn't be listed in the sources() array in the PKGBUILD. However, it turns out, the AUR has special handling for a key dir [0]. [0]: https://gitlab.archlinux.org/archlinux/aurweb/-/merge_requests/722 Cheers, Wilhelm.