[arch-general] Package signing

Dan McGee dpmcgee at gmail.com
Thu Apr 29 17:53:56 CEST 2010


On Thu, Apr 29, 2010 at 10:40 AM, Allan McRae <allan at archlinux.org> wrote:
> On 30/04/10 01:29, Thomas Bächler wrote:
>>
>> Am 29.04.2010 00:36, schrieb Linas:
>>>
>>> Thomas Bächler wrote:
>>>>
>>>> We must have a system that allows pacman to automatically verify new
>>>> developer keys and revoke old ones ... even more important, revoke them
>>>> in a way that signatures made before a certain date are still accepted,
>>>> but newer ones aren't.
>>>> I don't see this easily being implemented with PGP-Keys, but maybe
>>>> someone else knows more.
>>>>
>>>
>>> You can't trust a package made with a compromised key just because it
>>> looks old. That can be falsified.
>>> Packages not affected should be resigned by another developer / the new
>>> developers key.
>>> I would still recompile them, though (withouth necessarily increasing
>>> the pkgrel).
>>
>> You are right, if the key has been compromised, you can easily include a
>> fake date. So upon revoking a key, all packages have to be re-signed.
>>
>> This shows again that this is not a topic you can just solve by throwing
>> some code at people. It needs a proper chain of trust and concepts to
>> cover all cases - otherwise, it might be possible to compromise the
>> system, giving users a false sense of security.
>
> Has anyone had a good look at the other implementations of package signing
> (Debian, Fedora, ...) and made a summary of how they handle it?

This is also a resource worth consulting:
http://www.cs.arizona.edu/stork/packagemanagersecurity/

-Dan


More information about the arch-general mailing list