From: Daniel Shahaf <d.s@daniel.shahaf.name>
To: vapnik spaknik <vapniks@yahoo.com>
Cc: zsh-workers@zsh.org
Subject: Re: gpg key used to sign zsh tarball has no trusted signatures so how can I trust it?
Date: Fri, 10 Jul 2020 23:49:22 +0000
Message-ID: <20200710234922.50f0fa4a@tarpaulin.shahaf.local2>
In-Reply-To: <1130466066.9798.1594417647695@mail.yahoo.com>
vapnik spaknik wrote on Fri, 10 Jul 2020 21:47 +0000:
> Hi,
> the zsh tarballs available on sourceforge & zsh.org are signed by "dana@dana.is", but this key has no chain of trust associated with it, only self signatures. How do I know that "dana" is trustworthy, and hasn't hidden some malicious code in the tarball? I can see "dana@dana.is" listed in the ChangeLog, but that's not much reassurance (it could have been achieved with a simple search-replace).
You can compare the git tag to the tarball. They should be identical,
other than some generated files.
You can also look up the various distro packages of zsh. Those
packages are signed, and the distro maintainers should have solved this
problem before building and signing their packages.
For example, from the Debian package's repository:
https://salsa.debian.org/debian/zsh/commit/14d262602341f1a2d69aa9149a331d047851ef55
>> I retrieved the key with `gpg --recv-keys 7CA7ECAAF06216B90F894146ACF8146CAE8CBBC4`,
>> where the hash value was obtained by pulling upstream's zsh-web.git over an SSH
>> remote and inspecting Arc/source.html in the resulting clone.
That's how Debian established trust in dana's key. (It's worth noting
that I wrote that log message, and I'm the one who set up dana's
release manager's upload access, so I had additional, out-of-band
reasons to trust.)
I didn't actually sign that specific commit — in hindsight, that
wouldn't have been a bad idea — but it's contained in the subsequent
«debian/5.7.1-test-3-1» tag, which is PGP-signed by a WoT-connected
individual.
(And I'm not signing *this* email because it's past midnight and I
don't have the brainwidth to re-verify that fingerprint right now.)
[Arc/source.html is public at
http://zsh.sourceforge.net/Arc/source.html, as is zsh-web.git via
https://sf.net/projects/zsh]
> Considering how fundamental and frequently used zsh is, I think it's very important that we can trust the tarball, don't you?
Sure.
Note that key pinning is a partial answer: now that dana has RM'd a
stable release, verifying the next release comes from the same key will
provide a non-trivial guarantee.
> Here's a suggestion for some of the long term developers; why not contact each other by email and arrange a video conference to get to know each other a little bit, and sign each others public gpg keys?
I suppose I could verify dana's identity using
https://www.rants.org/2009/11/instant-answer-protocol/ (real-time
questions/answers + verify push access) and sign her key on that basis,
but I don't know when she and I would both have time.
Agreed it'd be a good thing. Thanks for raising this.
Cheers,
Daniel
P.S. (I'm replying to emails out of order, so to those who sent me
offlist emails and haven't seen a reply yet, you're not forgotten :))
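As an added example (not from Daniel's email, Debian, or the zsh project), a POSIX sh script that does the two checks discussed in this thread: it verifies the tarball signature while pinning the primary-key fingerprint quoted from Debian's changelog, and unpacks the tarball beside `git archive` of the matching tag so that any difference beyond generated files is visible. The tarball, signature and tag names, the `./zsh` clone path, and the `--run` switch are assumptions.

```sh
#!/bin/sh
# Added example, not part of the email or of zsh. Assumed inputs: zsh-5.8.tar.xz
# and its detached .asc signature in the current directory, a zsh.git clone in
# ./zsh, and the tag name zsh-5.8. The pinned fingerprint is the one quoted
# from Debian's changelog in the thread above.
PINNED_FPR="7CA7ECAAF06216B90F894146ACF8146CAE8CBBC4"

# Read gpg --status-fd output on stdin and print the PRIMARY key fingerprint
# from the first VALIDSIG line (its last field). The third field is the
# fingerprint of the (sub)key that made the signature, which may differ from
# the primary key, so pinning must compare the last field, not the third.
valid_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Succeed only if stdin carries a valid signature from the pinned key.
# Usage: gpg ... --status-fd 1 ... | check_pinned [fingerprint]
check_pinned() {
    want=${1:-$PINNED_FPR}
    got=$(valid_primary_fpr)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Run gpg and apply the pin. gpg's own exit status is not enough on its own:
# it is also 0 for a good signature from any other key in the keyring.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_pinned
}

# Unpack the tarball next to 'git archive' of the tag and diff the two trees.
# Anything listed should be a generated file (configure, Doc/*.1, ...).
compare_with_tag() {
    tarball=$1 tag=$2 repo=$3
    work=$(mktemp -d) || return 1
    tar -xf "$tarball" -C "$work" || { rm -rf "$work"; return 1; }
    mkdir "$work/tag" || { rm -rf "$work"; return 1; }
    git -C "$repo" archive "$tag" | tar -xf - -C "$work/tag" || { rm -rf "$work"; return 1; }
    top=$(tar -tf "$tarball" | head -n 1 | cut -d/ -f1)
    diff -rq "$work/tag" "$work/$top"
    rc=$?
    rm -rf "$work"
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    verify_release zsh-5.8.tar.xz zsh-5.8.tar.xz.asc && echo "signature: pinned key OK"
    compare_with_tag zsh-5.8.tar.xz zsh-5.8 ./zsh
fi
```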