You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Upload the apt repository PGP key onto multiple domains, and
Document how a user can verify the PGP key from multiple domains out-of-band when downloading the key for the first time (TOFU)
Why?
It's possible for a very powerful adversary to comprimise your release infrastructure (or the infrastructure between the server and the client) and get a new waydroid user to download a malicious version of the /etc/apt/sources.list.d/waydroid.list file and the repository signing key waydroid.gpg -- but it's exponentially more difficult for them to comprimise multiple distinct domains.
Here's a great list of supply chain vulnerabilities including some historically relevant cases where this happened:
Please make sure that you upload your PGP key to popular keyservers (they mostly sync with each other, so you only need to upload it to one) such as Ubuntu's keyserver
keys.openpgp.org is a newer keyserver that doesn't sync with the others, and it strips UIDs and signatures by default for privacy and to resist certificate spamming attacks
Unfortunately, I could not find for your key on this server.
Please upload your key to the keys.openpgp.org keyserver:
I do recommend adding your key to as many other domains as possible, including:
Your official twitter and/or mastodon account (just put the keys' full fingerprint (0D2743A24328AE0634DF3557959FE34E90E51522) at the top of your profile
Any domains you own (eg waydro.id -- unless that's hosted by GitHub as that would provide zero additional benefits to the public key in your GitHub repo (see above)
Something else?
The more domains you upload it to, the better.
Part Two: Documenting it
After uploading your public key and/or full fingerprint to as many distinct domains as possible, please update the project's documentation to enumerate all of the domains where a user can find the PGP Key (or key fingerprint) and write a paragraph to describe how the user can mitigate the risk of compromised infrastructure by cross-checking the integrity of the key across multiple domains.
This ticket is a request to:
Why?
It's possible for a very powerful adversary to comprimise your release infrastructure (or the infrastructure between the server and the client) and get a new waydroid user to download a malicious version of the
/etc/apt/sources.list.d/waydroid.list
file and the repository signing keywaydroid.gpg
-- but it's exponentially more difficult for them to comprimise multiple distinct domains.Here's a great list of supply chain vulnerabilities including some historically relevant cases where this happened:
Part One: Making key available out-of-band
SKS Keyservers
I was unable to find your PGP key (with fingerprint =
0D2743A24328AE0634DF3557959FE34E90E51522
) on an SKS keyserver. For example:Please make sure that you upload your PGP key to popular keyservers (they mostly sync with each other, so you only need to upload it to one) such as Ubuntu's keyserver
https://keys.openpgp.org/
keys.openpgp.org is a newer keyserver that doesn't sync with the others, and it strips UIDs and signatures by default for privacy and to resist certificate spamming attacks
Unfortunately, I could not find for your key on this server.
Please upload your key to the keys.openpgp.org keyserver:
After you upload your key, please verify your email address by clicking the link sent to the uid of the key as described here:
GitHub
Please add your public keys as a files somewhere in this GitHub repo
Sourceforge
Please add your public keys as files somewhere in you sourceforge:
Other domains
I do recommend adding your key to as many other domains as possible, including:
0D2743A24328AE0634DF3557959FE34E90E51522
) at the top of your profilewaydro.id
-- unless that's hosted by GitHub as that would provide zero additional benefits to the public key in your GitHub repo (see above)The more domains you upload it to, the better.
Part Two: Documenting it
After uploading your public key and/or full fingerprint to as many distinct domains as possible, please update the project's documentation to enumerate all of the domains where a user can find the PGP Key (or key fingerprint) and write a paragraph to describe how the user can mitigate the risk of compromised infrastructure by cross-checking the integrity of the key across multiple domains.
The text was updated successfully, but these errors were encountered: