New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Please sign commits #2
Comments
UPDATE: In my previous comment, I misunderstood your intention. I think it would be better you start an issue directly in https://github.com/mumble-voip/mumble-gpg-signatures 🤔️. |
The project you linked doesn't allow for issues, hence I'm submitting this here. |
Why does this even matter? After all the amount of people that have write access to this repo is limited anyways 🤔 |
That's exactly the point, though. Write access to the repo does not prove the authenticity of the change as an attacker might gain access to the GitHub account without gaining access to the private GPG key. |
But a commit being signed does nor proof anything in this scenario (to my understanding). And I am rather certain that this is actually the exact reason why the previous commits were signed: They were created directly on GitHub 🤷 |
It does. @svenstaro 's request is about ensuring a usable chain of trust between the keys that are used for release signing.
No, that is not correct. A signed commit is also marked as signed if the github PGP signature is used. However, the PGP signature done by GitHub is actually not useful and should not be used, as several users have access to it via a website). More specifically it would be great if you could establish a trust chain between Upon further review, the key The last commit signed by a person (@mkrautz) and with a still intact chain of trust has been done for the change in 2019: f9ce071 Without a chain of trust between these commits the use of PGP signatures for releases has no meaning. A way to establish the chain of trust can be for @mkrautz to amend the latest four commits and sign them.
Afterwards also the keys added in the recent commits can be considered "trusted". For downstreams there is currently no way of telling whether a supply chain attack is in motion or not and we will wait with an upgrade until this is resolved. |
I amended the last commit signing it with my GPG key for 2021: 3b139d7 |
Lol now the commit is explicitly marked as "unverified" xD |
I was surprised to see that too. It's because I have a dedicated email address for Git and another for GPG. I would expect the commit to show up as verified though, as both addresses are verified in my GitHub account. |
@davidebeatrici unfortunately it is of no use, if you sign these commits (especially not when you sign them with a key that is not part of the trust chain). It has to be done by @mkrautz. |
That will most likely not happen since he is no longer actively involved in the project. |
Also, we don't have his current key in the repository, |
I'd already be happy if you used the old release key to cross sign the
current one.
…On Wed, Feb 10, 2021, 21:09 Davide Beatrici ***@***.***> wrote:
Also, we don't have his current key in the repository, mkrautz.asc was
expired on 2016-06-12.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#2 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAANAB5L4DCKBMIC7FCDMLS6LRXFANCNFSM4XNQIYVA>
.
|
|
Yes, since I decided to trust |
It expired on 2021-01-01. |
Can we sign the commits with the the cert we are using e.g. for the Windows binaries? 🤔 |
Latest commit is signed by a developer so if we can just get signed commits (and cross-signatures on release keys, please!) from this point forward, we can consider this closed. |
I'm going to ask @mkrautz whether he can sign my commit with his GPG key. |
@svenstaro Is ded4a4f okay? |
Seems good to me! |
Excellent, thanks for checking! |
@davidebeatrici I'm sorry, but the chain of trust is actually broken again. In ded4a4f you add the PGP public key with the ID
You then signed that commit with that same key (
Whereas in the previous commit 3b139d7 you establish the PGP public key with the ID (
That commit has also been signed with that exact same key (
For posterity, I also checked whether any of the keys that are used for signing releases, added in 3b139d7 and ded4a4f (respectively), have any relevant signatures on them (but unfortunately they do not):
and
As there are no signatures of the 2021 key ( Additionally, it seems that the mail address I'm sorry to say this, but the additions (or signatures done with the keys) have absolutely no meaning from a supply chain trust perspective at this point and can not be used this way. |
The GPG email address is tied to my account, but for some reason GitHub expects it to be the same one as the committer's.
|
I see. That indeed does establish the chain of trust between the builder keys of 2021 ( However, what will be done with 2022 -> 2023, given that you have no (at least known) signature of your personal key It becomes quite evident in this ticket, that the setup is very complex and not easy to follow for downstreams, because there is neither a clear instruction nor does it become instantly apparent by looking at the files alone how to check up on the chain of trust. In broader terms: A section in a README that is only introduced/altered using signed commits and/or states the (cross-signed) keys used for release signing would be even more easy to follow up on (e.g. see how qtile does that) and could even live in the main mumble repository. |
The idea is to sign the
Thank you very much for the suggestion, it would be much better. Should we perhaps just create a new repository called something like |
Okay, but where is the trust chain between your personal 2021 and 2022 key?
I believe this could just be added to the README.md of the mumble repository. What is really key to that type of setup though is to have cross-signatures amongst those keys and to make them available on keyservers (and potentially also in the repository). Once you introduce a new one, it needs to be signed by the previous one. If you remove/replace an existing key it should be done in a commit signed by your already trusted key (e.g. that from 2021 in this case, which is now expired unfortunately). |
Use new upstream PGP key 1EDEBE2A93CB97FA9903D52E25F63C66245DFC60, see mumble-voip/mumble-gpg-signatures#2 (comment) Switch to cmake as build system. Disable use of bundled speex and opus. Add poco as new dependency for mumble. Use package dependencies wherever mumble/murmur dlopen() a given library. Turn murmur configuration modifications into patch: Unset logfile to run in foreground and log to stdout by default and set default sqlite db location. Rename mumble-server back to murmur as the renaming process is not finished: mumble-voip/mumble#5436 Harden murmur.service and run it as the murmur user/ group by default. git-svn-id: file:///srv/repos/svn-community/svn@1111600 9fca08f4-af9d-4005-b8df-a31f2cc04f65
Use new upstream PGP key 1EDEBE2A93CB97FA9903D52E25F63C66245DFC60, see mumble-voip/mumble-gpg-signatures#2 (comment) Switch to cmake as build system. Disable use of bundled speex and opus. Add poco as new dependency for mumble. Use package dependencies wherever mumble/murmur dlopen() a given library. Turn murmur configuration modifications into patch: Unset logfile to run in foreground and log to stdout by default and set default sqlite db location. Rename mumble-server back to murmur as the renaming process is not finished: mumble-voip/mumble#5436 Harden murmur.service and run it as the murmur user/ group by default. git-svn-id: file:///srv/repos/svn-community/svn@1111600 9fca08f4-af9d-4005-b8df-a31f2cc04f65
I used my 2022 key to sign both |
Some of your signatures in mumble-gpg-signatures are signed but some are not. Critically, the most recent ones are not signed. Could you start signing them?
The text was updated successfully, but these errors were encountered: