[arch-projects] [dbscripts][PATCH] Prepare to sign repo databases
Thomas Bächler
thomas at archlinux.org
Sun Nov 3 04:11:43 EST 2013
Am 03.11.2013 02:32, schrieb Allan McRae:
> On 03/11/13 11:19, Allan McRae wrote:
>> Add function to sign repo database. Enabling signing requires setting
>> SIGN_DB to true and adding the key ID to DB_KEY. The DB_KEY is restricted
>> from signing package files.
>>
>> Signed-off-by: Allan McRae <allan at archlinux.org>
>> ---
>
> GPG does not have a concept of some keys being valid for some tasks.
> So pacman can not have this concept without implementing a complete hack
> or requiring two separate keyrings (one for databases and one for
> packages). Both of these are not going to happen, so we need to deal
> with restricting key usage in dbscripts.
>
> The idea here is that someone creates a repo signing key and all master
> keys sign it. Then a subkey is created and put on nymeria. If we have
> issues, the subkey is revoked and a new subkey is created.
>
> Note that the patch assumes the db key will be added to nymeria's pacman
> keyring which is located in the default location.
With this implementation, anyone with access to nymeria can simply steal
the private key and use it elsewhere.
Users shouldn't have access to the private key, they should only have
access to a black-box script that signs the database (and only the
database) using sudo.
However, a clever asshole might then move a file to the database
location, run the script and get a valid signature.
So, in order for this to happen, the whole /srv/ftp path for repos and
pool must be read-only to packagers. Then, a dedicated script must be
called using sudo that verifies the signatures of the submitted
packages, adjusts the database and then signs it.
I was thinking about this for a while (independently of db signatures),
but was always too lazy to do it. It's a nice feature to not have
packagers mess around with the ftp path manually.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-projects/attachments/20131103/22f41c7b/attachment.asc>
More information about the arch-projects
mailing list