Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff
From: James Blackwell
Subject: Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff
Date: Fri, 26 Dec 2003 15:19:17 -0500
User-agent: Mutt/1.5.4i
On Fri, Dec 26, 2003 at 11:55:27AM -0800, Tom Lord wrote:
>
>
> > From: James Blackwell <address@hidden>
>
> >> Thanks, nice script. However, it has a small problem -- if a
> >> checksum file exists but is unsigned, it tells you that it has
> >> a bad signature.
>
> > I don't see that as a bug. Checksum files are worthless if
> > they're not signed. After all, if the patches have been modified
> > by a nefarious person, then the checksum file could be modified
> > to match.
>
> > Thats rather the whole point of gpg signing.
>
> Checksum files are _not_ useless without signing. They have at least two
> uses:
Are you within context? This is within the context of gpgcheck.
gpgcheck is a script to use gpg signatures within an archive to verify the
integrity of said archive.
If a person has infiltrated a machine and has started inserting
compromises into patches, they also have the ability to modify those
checksum files. All they need to do is update the checksum of the new patch.
> 1) They can be used to detect media failures.
>
Orthogonal to gpgcheck. That gpgcheck picks up failed md5sums is a free
side effect of looking for local archive tampering.
There's no reason we can't have a more generalized verify-integrity script
that checks md5s, revision locks, meta-info, even signatures. gpg isn't
intended to do that, though some of these naturally "come free" with
checking gpg signatures.
> 2) They provide an alternative to signing. If, for example, checksums
> are broadcast from trusted hosts (where they are first computed)
> on various channels to all mirrors of the archives on that host,
> then there's a public record of what that archive is supposed to
> contain which everyone can see and use for integrity checking.
>
> If the separate broadcast of the checksums is itself signed, then
> the same level of security is achieved without signing the checksum
> files in the archive itself.
This is certainly worthy of discussion and strikes me as useful. However,
that is a different itch than the one I scratched with gpgcheck. gpgcheck
is intended as a 'we promised the FSF the ability to gpg-sign archives
by New Years, and we need somebody to hack something together so that they
can verify those signed archives'.
> At any rate, it should only be an error if the archive is a signed
> archive. Otherwise it should be at most a single warning that the
> archive is unsigned.
I must be misunderstanding you here. You want me to give the option to
disable signature verification in a script which has the sole purpose of
verifying signed archives?
--
James Blackwell      Using I.T. to bring more       570-407-0488
Owner, Inframix      business to your business      http://inframix.com
GnuPG (ID 06357400)  AAE4 8C76 58DA 5902 761D 247A 8A55 DA73 0635 7400
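The cases argued over in the message above (no checksum file, an unsigned one, a signed one whose signature no longer verifies, and a good signature over checksums that no longer match the files), as an added example that is not the tla gpgcheck script nor any code posted in this thread. It is a stand-alone POSIX shell sketch that refuses an unsigned checksum file outright, verifies the signature before trusting a single md5 line, and only then lets md5sum compare the signed list against the files on disk. The layout is hypothetical (one directory per revision holding a patch named patch-1.tar.gz and a gpg clear-signed md5sum(1) list named checksum); it assumes a modern GnuPG 2.x, GNU coreutils, and the signer's public key in the current keyring. The throwaway key, the sample revisions and the tampering are all constructed inline.

```shell
#!/bin/sh
# Added example: not the tla gpgcheck script, only a sketch of the check it
# performs. Assumptions (hypothetical, not from the thread): each revision
# directory holds "patch-1.tar.gz" and a gpg clear-signed md5sum(1) list named
# "checksum"; the signer's key is in GNUPGHOME. Needs GnuPG 2.x + coreutils.

# check_revision DIR: print one of missing, unsigned, bad-signature,
# md5-mismatch, ok; return 0 only for ok.
check_revision() {
    dir=$1
    f="$dir/checksum"
    [ -f "$f" ] || { echo missing; return 1; }
    # An unsigned checksum file is its own failure, distinct from a bad
    # signature: gpg --verify would only say "no valid OpenPGP data found".
    if ! grep -q '^-----BEGIN PGP SIGNED MESSAGE-----' "$f"; then
        echo unsigned; return 1
    fi
    # Signature first: whoever rewrote a patch can recompute its md5 and edit
    # the list, but cannot re-sign the list without the private key.
    if ! gpg --batch --no-tty --quiet --verify "$f" >/dev/null 2>&1; then
        echo bad-signature; return 1
    fi
    # Only now trust the listed checksums: recover the signed text and let
    # md5sum compare it against the files actually present in the directory.
    if ! (cd "$dir" && gpg --batch --no-tty --quiet --decrypt checksum 2>/dev/null \
            | md5sum -c --status); then
        echo md5-mismatch; return 1
    fi
    echo ok
}

# make_revision DIR: constructed sample revision with a signed checksum file.
make_revision() {
    mkdir -p "$1"
    printf 'constructed patch payload\n' > "$1/patch-1.tar.gz"
    (cd "$1" && md5sum patch-1.tar.gz > checksum.txt \
        && gpg --batch --no-tty --quiet --yes --clearsign --output checksum checksum.txt \
        && rm checksum.txt)
}

# Demo: throwaway keyring plus one revision per verdict.
if command -v gpg >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    GNUPGHOME="$WORK/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    # Unprotected signing key so nothing prompts for a passphrase.
    gpg --batch --no-tty --quiet --gen-key 2>/dev/null <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Archive Signer
Name-Email: signer@example.invalid
Expire-Date: 0
%commit
EOF
    make_revision "$WORK/good"
    # Patch swapped after signing, checksum file left alone: good signature,
    # md5 no longer matches (the "media failure" style detection).
    make_revision "$WORK/tampered-patch"
    printf 'malicious patch\n' > "$WORK/tampered-patch/patch-1.tar.gz"
    # Patch swapped AND the md5 line rewritten to match (the attacker who
    # owns the machine): still a signed message, signature now bad.
    make_revision "$WORK/tampered-both"
    printf 'malicious patch\n' > "$WORK/tampered-both/patch-1.tar.gz"
    newsum=$(cd "$WORK/tampered-both" && md5sum patch-1.tar.gz | cut -d' ' -f1)
    sed -i "s/^[0-9a-f]\{32\}  patch-1.tar.gz$/$newsum  patch-1.tar.gz/" \
        "$WORK/tampered-both/checksum"
    # Checksum list that was never signed at all.
    make_revision "$WORK/unsigned"
    (cd "$WORK/unsigned" && md5sum patch-1.tar.gz > checksum)
    for r in good tampered-patch tampered-both unsigned; do
        printf '%-15s %s\n' "$r" "$(check_revision "$WORK/$r")"
    done
    gpgconf --kill gpg-agent 2>/dev/null || true
fi
```

The third constructed revision is the scenario from the message in miniature: rewriting the patch and recomputing its md5 leaves a checksum file that still looks signed, but the signature over the edited text no longer verifies, which is why the script reports bad-signature rather than ok. The second shows what an intact md5 list still catches on its own (a changed file under a good signature), and the fourth is the case the thread disagrees about: this sketch treats an unsigned list as a hard error and names it as such, rather than reporting it as a bad signature.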