GPG signatures for source validation #1624
Comments
|
@NicoHood toktok/c-toxcore already does most of this 👍 |
|
Glad to see other people are getting serious about GPG file integrity! 👍 Also stopped by to say I'm looking forward to the Signed Github Release tarballs, currently none of them are signed. |
|
@g4jc regarding signing releases, feel free to read through qTox/qTox#3912 (comment) |
|
Let me show you the current situation. gpg: 1 key processed (1 validity count cleared) 4 signature keys expired at the same day and one is revoked ? What the fuck ? Type bits/keyID cr. time exp time key expir pub 4096R/BED89E98 2014-03-21 uid irungentoo irungentoo@tox.im uid irungentoo irungentoo@gmail.com sub 4096R/072FB171 2014-03-21 Hey we finally get a trace of a verification for 10349DC9BED89E98. How could this whole crap be cut down to 10 seconds searching ? Source signing key: Is this too much asked for ? |
|
I dont get your problem. You can find the long key in the arch pkgbuild file: Sure we do not know that this new key is from "him". But we know that he published it on his github account, so this one is possibly not hacked yet (or we would have possibly other problems). GPG relies on the trust chain of other users. For example my key is signed with the archlinux master keys who trust me and ensure that i am a teammember. @GrayHatter for example could sign @irungentoo s key and vice versa. This way the tox team can ensure that their keys are valid. |
|
@NicoHood yes, you don't get it at all. |
|
@ac225519 I think you're the one who's misunderstanding the use of pgp. It's not supposed to be easy. Computer's are stupid and easy to fool. You need to verify keys by hand if you want actual security. In this case there's dozens of mirrors across the world with toxcore in them. All commits to the toxcore branch are signed by irungentoo. If you compare the key on filter audio to the key used to sign all the toxcore commits you can be sure it came from irungentoo's key. Apart from that there's otherwise too many issues to iterate over here. The request for commits and tarballs to be signed was accepted, you now have both. Either you need to do the work you did, and trust the key. Or don't. Either way complaining about issues with pgp being hard to use aren't problems that belong on this repo. Have you tried keybase? It's easy to use! |
|
@GrayHatter thank you for trying to explain PGP to me. That's sweet. I install https://aur.archlinux.org/packages/libfilteraudio
I want now do a BASIC verification of the PGP key that is used to sign the source package.
Instead I have to ask a public PGP key server for the UID and click my way though the web of trust. |
👍 keys should be on a website or the public profiles of people to allow quick checking. |
|
Github Bio is a good place for that: e.g. https://github.com/cebe |
|
Yes he is right. It should be listed somewhere and greyhatter should sign the key too, to give it more trust. On AUR you should not simply trust the PKGBUILD file. However the maintainer is an official ArchLinux member, so you can trust him as you do for the packages you install from him. |
As we all know, today more than ever before, it is crucial to be able to trust our computing environments. One of the main difficulties that package maintainers of Linux distributions face, is the difficulty to verify the authenticity and the integrity of the source code.
The Arch Linux team would appreciate it if you would provide us GPG signatures in order to verify easily and quickly of your source code releases.
Overview of the required tasks:
Additional Information:
Thanks.
The text was updated successfully, but these errors were encountered: