Sign future gems with PGP #1195
Comments
If we were to sign our gems, why would we use gpg over the existing openssl implementation? http://docs.rubygems.org/read/chapter/21 |
|
Of note, we now have a company-wide PGP key: 0xBE7FEF18. |
I'm in favor of signing gem releases, but the That gets us as far as "someone has signed this gem", after which point it is still desirable to have that someone in our WoT so that the signature is meaningful. |
The rubygems-openpgp adds all the PGP functionality, but hasn't been widely adopted. |
Nice. Looks like it could use a bit of UI polish. For example, getting the key seems like a reasonable default On Tue, Jan 06, 2015 at 09:05:54AM -0800, Grant Olson wrote:
|
@jyurek Are you up for doing this? |
@calebthompson do we sign any of our releases? Do we have the tooling you describe, or does it need to be built? How can we start doing this? |
carefully. Easiest, least useful way is to create a .asc of the .gem and distribute that on GitHub releases. End goal is to replace the bundled sigs with gpg sigs instead of bespoke TLS certificate signatures.
Before someone does that, convinces Matz to merge it, convinces people to start signing gems with gpg, and we have a better rubyland WoT, there’s no way to have the gem command do gpg verification. A gem plugin could be built to do a lot of it, I suspect, but it wouldn’t be part of the default ruby installations. The very first step I outlined at least gets us as far as being able to verify downloaded gem archives, manually, before installing them. Something like this:
That's nowhere near a good process, but it is at least a possible process, and not much more difficult than, say, installing GPGTools from their website and verifying the package's signature. It's even slightly more secure since you get the package and the signature from different sources. I've looked at the plugin @grant-olson mentioned, but it's pretty user unfriendly. I'd love to usurp the extant gem commands to something along the lines of what https://github.com/ruby/ruby/blob/ca6b174078fa15f33655be704d9409fdbc4f9929/lib/rubygems/security.rb provides, but without centralized trust. https://speakerdeck.com/calebthompson/what-is-this-pgp-thing-and-how-can-i-use-it?slide=31 is some of my thoughts about this from a RailsConf lab. There'll be a video eventually. |
Thanks for the writeup @calebthompson. This doesn't seem like a solved issue, and I don't see what can we do to improve the situation for paperclip. I have a PGP key, a few coworkers trust it with high confidence. Will paperclip users do too? |
No
Dunno. It's valuable just to verify the signature even without trust, but only about as valuable as checking the shasum from rubygems.
The current situation can't get worse, so there's plenty of things you can do. Go to more keysignings. Help people build keys and exchange signatures with them. Encourage them to do the same, especially at their places of work, conferences and meetups. Get the thoughtbot sub-set closer to a connection to the Debian maintainer set by finding a linux meetup and participating in their keysigning. Build the gem plugin. Start signing gem releases and attaching them to releases here. Document a way to verify the package, even if it was installed by bundler and not automatically checked. |
Hey I'm open to suggestions to make my plugin more friendly, but the work flow you listed above is exactly the way rubygems-openpgp works:
I also did try to operate a proof-of-concept certificate authority that acted as a hybrid to bridge the gap for people who can't get in to the Web-of-Trust, where I validated a key holder owned the key and actually was a gem author in an attempt to bootstrap some more practical authentication, but stopped that due to lack of use. Detailed post on the experience here. I do acknowledge that both the plugin and the CA had some usability issues, but I found myself in a bit of a chicken-and-egg position. If no-one was using the software, then I didn't know how much time should be spent improving usability. There was also the problem that most suggestions to improve usability involved doing a lot of things automatically, which basically gets back to the problem that real key authentication just doesn't happen and opens all sorts of exploits. If there's anything I can do to make my software more useful for you guys, please let me know. |
Oh neat, didn't realize that was you. Good work on that man. Sorry it didn't work out. I think a central CA is a reasonable starting place for this.
Nice. Like I said, this is a really good starting point but ultimately what I think would help drive adoption is these steps happening during
Yeah. Automated works for Debian, where you trust that only keys trusted by the debian package maintainers are allowed into the system, then allow apt to automatically do the verification (it still dumps gpg output). I wonder if it does any trust checking? I'd want that eventually. You're right, though, the plugin is basically what I want. I guess either my desires or the plugin have changed and I didn't re-check. I apologize. |
I've spent a lot of time thinking about this, and this is actually getting a little bit beyond this actual ticket, but the difference between Debian and rubygems is that there is a concept of being an official Debian contributor. You've been vouched for and are part of a tight-knit community. In that case it makes sense to keep a separate keyring that starts with the master Debian keys and goes from there, where those keys are a list of 'made men' so to speak. OTOH, anyone can become a rubygems contributor, and you've got more of a loose confederation of random people, so there are no social checks that the author of a gem is not a bad actor. That complicates matters with regards to automatically trusting keys from all gem authors. I'm not opposed to rubygems-openpgp having it's own keyring that load up a few pre-approved pre-existing trusted master keys, such as the CA keys listed above, but that once again gets back to the chicken-and-egg problem that this is only useful once people are (1) signing gems, and (2) have gotten their key signed off on by one of the master keys. |
I don’t see any action we can take on paperclip to take care of this issue, and if there is, we will apply it to every other rubygem we release. There is no standard way using RubyGems to attach the PGP signature to the release. However, we started signing tags and GitHub releases. @sikachu also started uploading detached signatures of the gem, for example to sprockets-redirect. I may start doing this on my upcoming releases (note to myself: https://github.com/sikachu/shasign). I'll close this issue for now. Doing so doesn't mean that the underlying problem is solved. Thank you all for your time discussing this. |
Please sign your future gem releases with PGP, as described at https://www.rubygems-openpgp-ca.org. This allows attackers who forge Paperclip releases to be easily detected. We at Phusion are already signing all our gems.
I realize that you may not necessarily trust this CA, but that is fine. By signing with PGP users can still verify files from your key directly, and if rubygems.org ever starts an official CA they can sign your keys without requiring actions from your side.
The text was updated successfully, but these errors were encountered: