Archive detached signature

[vp1981]

Hello,
versions prior to 2.19 have detached signatures (.asc) but 2.19 doesn't have one. Is it on purpose? Should I use github git repo as verified source of radvd?

[reubenhwk]

I'd suggest using Github. I'm not keen on continuing to maintain the RADVD website and I'd like to replace it with a message to get all future updates from Github.

…

On Wed, Nov 4, 2020 at 12:21 AM Vladimir Lomov ***@***.***> wrote: Hello, versions prior to 2.19 have detached signatures (.asc) but 2.19 doesn't have one. Is it on purpose? Should I use github git repo as verified source of radvd? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#129>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABRG6YJSBEOGYYPMMOQC4LSOEFHRANCNFSM4TJXUVHA> .

[vp1981]

Hello. Yes, I already use source from github (I'm using Archlinux and has updated PKGBUILD to build new radvd fetching source from github). May be it is worth to sign tags then? Right now I don't use such feature but think it would valuable thing to have. And small nitpick: the "Release" part of "main" page on github leads to "Release" page that doesn't list latest release, I see it only on "Tag" page.

[anthraxx]

@reubenhwk I understand that you do not want to maintain the website, however would it be possible to gpg sign your git tags or upload detatched signatures to the git releases?

git archive -o radvd-2.19.tar.gz --format tar.gz --prefix=radvd-2.19/ 2.19
gpg --detach-sign radvd-2.19.tar.gz

you can put that in a Makefile/script and use some variables. It would be super awesome if you can keep signing releases, this is a important part of supply chain security authenticating the legitimacy of a release from you, the author.

[Neustradamus]

I think it is needed to have a perfect 2.20 soon.

• With last PRs

With a perfect announcement at the same time:

• Mailing lists
• Official website
• Releases section (always not done for 2.18 and 2.19) : https://github.com/reubenhwk/radvd/releases
• Signature

[Neustradamus]

@reubenhwk: There is a big problem for Debian 11, the freeze is soon (2021-01-12).
The next will be in 2023.

Can you solve it with a 2.20 now?
Please read all steps to do at the same time?

• Archive detached signature #129 (comment)

The 2.19 is not here: https://tracker.debian.org/pkg/radvd
cc @stappersg

It is linked to:

• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973922

Thanks in advance.

[Neustradamus]

@vp1981 @anthraxx @stappersg: @reubenhwk has generated signatures:

• https://github.com/radvd-project/radvd/releases/tag/v2.19

[foxxx0]

Unfortunately these signatures have been made with a RSA key 0xBE8BA2B61F1B1E57 that I can't seem to find anywhere.

 $ gpg --list-packets < radvd-2.19.tar.gz.asc 
# off=0 ctb=89 tag=2 hlen=3 plen=435
:signature packet: algo 1, keyid BE8BA2B61F1B1E57
	version 4, created 1610178092, md5len 0, sigclass 0x00
	digest algo 10, begin of digest 11 55
	hashed subpkt 33 len 21 (issuer fpr v4 BABABE4BCC326327BFB6C133BE8BA2B61F1B1E57)
	hashed subpkt 2 len 4 (sig created 2021-01-09)
	subpkt 16 len 8 (issuer key ID BE8BA2B61F1B1E57)
	data: [3072 bits]

The previous released have been signed with RSA key 0x6FE19F21451C9A2B / fingerprint 10E2 5110 3817 2B51 6DCA 5BD3 6FE1 9F21 451C 9A2B and uid Reuben Hawkins <reubenhwk@gmail.com>.

So as of right now, these signatures aren't helping at all.

[stappersg]

So as of right now, these signatures aren't helping at all.

@anthraxx expressed it already very well earlier:

It would be super awesome if you can keep signing releases, this is a important part of supply chain security authenticating the legitimacy of a release from you, the author.

I think #135 is both problem and solution.

[Neustradamus]

@reubenhwk has generated signatures and it is the last 2.19 from him.

@reubenhwk, can you look the problem of signatures before?

The radvd repositories have been moved from:

• https://github.com/reubenhwk/radvd to https://github.com/radvd-project/radvd
• https://github.com/reubenhwk/radvdweb to https://github.com/radvd-project/radvdweb

Thanks in advance.

[Neustradamus]

Currently, there is always the original website, files and signatures are on it too:

• http://www.litech.org/radvd/

[Neustradamus]

@vp1981 @anthraxx @foxxx0, @stappersg: @robbat2 has done new signatures:

• https://github.com/radvd-project/radvd/releases/tag/v2.19

[foxxx0]

Thanks, but in order to keep the trust chain intact, we still need a gpg-signed statement from @reubenhwk (with 0x6FE19F21451C9A2B / fp 10E2 5110 3817 2B51 6DCA 5BD3 6FE1 9F21 451C 9A2B) that @robbat2 is now in charge of this project and explicitly stating that their key 0xEE05E6F6A48F6136 with fingerprint 7D0B 3CEB E9B8 5B1F 825B CECF EE05 E6F6 A48F 6136 is now the official and approved new release signing key.

Otherwise having the releases signed with a different "untrusted" (no offense) gpg key doesn't really mean anything.

[Neustradamus]

@foxxx0: @robbat2 has already worked previously:

• https://github.com/radvd-project/radvd/pulls?q=is%3Apr+author%3Arobbat2+

[robbat2]

@foxxx0 Reuben's old key is no longer available. Reuben does have a new key, but there's no meaningful handover message possible since Reuben lost their old key.

From my newer key 0xEE05E6F6A48F6136, you can see transitive signatures to my older key 0xEE05E6F6A48F6136, and then onto the main kernel WoT.

I'll also point out that there was also no chain of trust between Reuben's older key 0x411FA8C112D91A31:

radvd-2.16.tar.gz.asc 2017-02-01 411FA8C112D91A31
radvd-2.17-rc1.tar.gz.asc 2017-07-02 411FA8C112D91A31
radvd-2.17.tar.gz.asc 2017-07-04 411FA8C112D91A31
radvd-2.18-rc1.tar.gz.asc 2019-02-17 6FE19F21451C9A2B
radvd-2.19.tar.gz.asc 2021-01-21 19395F23C58826C4

[stappersg]

On Fri, Jan 22, 2021 at 10:49:40AM -0800, Robin H. Johnson wrote: ... chain of trust ...

Each chain has to start with a first link

[robbat2]

A question for both @foxxx0 @stappersg:
As @reubenhwk has lost their prior keys, what further assurances do you believe are possible and meaningful to show that @reubenhwk has handed control of the project to myself and @Neustradamus?

Once we've got most of this sorted out, including getting more willing developers into the GitHub organization, so they can provide meaningful reviews of code, I would like to move the radvd project to having dedicated formal release keys, so that we can avoid future problems in handover (having enough open source experience to know that nobody will be around forever, regardless of their best intentions).

[Neustradamus]

Solved by @robbat2.

[Neustradamus]

One hour ago, @reubenhwk has done a comment here: #135 (comment).

@stappersg: Can you now update radvd in Debian?

• https://tracker.debian.org/pkg/radvd

@foxxx0: Can you now update radvd in Arch Linux?

• https://archlinux.org/packages/community/x86_64/radvd/

Thanks in advance.

[stappersg]

radvd-project/radvd-project.github.io@6e3e5f7 where to get the pubkey of which it was done with?

[Neustradamus]

@stappersg: It is here:

• Assets: https://github.com/radvd-project/radvd/releases/tag/v2.19
• radvd-project/radvd-project.github.io@9d227cc
• https://radvd.litech.org/

I have added links in index.html:

• radvd-project/radvd-project.github.io@91d3ebf