From mboxrd@z Thu Jan 1 00:00:00 1970
Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
List-Id: Zsh Workers List
X-Seq: 46229
Date: Fri, 10 Jul 2020 23:49:22 +0000
From: Daniel Shahaf
To: vapnik spaknik
Cc: zsh-workers@zsh.org
Subject: Re: gpg key used to sign zsh tarball has no trusted signatures so how can I trust it?
Message-ID: <20200710234922.50f0fa4a@tarpaulin.shahaf.local2>
In-Reply-To: <1130466066.9798.1594417647695@mail.yahoo.com>
References: <1130466066.9798.1594417647695.ref@mail.yahoo.com> <1130466066.9798.1594417647695@mail.yahoo.com>
X-Mailer: Claws Mail 3.17.3 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

vapnik spaknik wrote on Fri, 10 Jul 2020 21:47 +0000:
> Hi,
> the zsh tarballs available on sourceforge & zsh.org are signed by "dana@dana.is", but this key has no chain of trust associated with it, only self signatures. How do I know that "dana" is trustworthy, and hasn't hidden some malicious code in the tarball?
> I can see "dana@dana.is" listed in the ChangeLog, but that's not much reassurance (it could have been achieved with a simple search-replace).

You can compare the git tag to the tarball.  They should be identical,
other than some generated files.

You can also look up the various distro packages of zsh.  Those packages
are signed, and the distro maintainers should have solved this problem
before building and signing their packages.  For example, from the Debian
package's repository:

https://salsa.debian.org/debian/zsh/commit/14d262602341f1a2d69aa9149a331d047851ef55

>> I retrieved the key with `gpg --recv-keys 7CA7ECAAF06216B90F894146ACF8146CAE8CBBC4`,
>> where the hash value was obtained by pulling upstream's zsh-web.git over an SSH
>> remote and inspecting Arc/source.html in the resulting clone.

That's how Debian established trust in dana's key.  (It's worth noting
that I wrote that log message, and I'm the one who set up dana's release
manager's upload access, so I had additional, out-of-band reasons to
trust.)  I didn't actually sign that specific commit — in hindsight, that
wouldn't have been a bad idea — but it's contained in the subsequent
«debian/5.7.1-test-3-1» tag, which is PGP-signed by a WoT-connected
individual.  (And I'm not signing *this* email because it's past midnight
and I don't have the brainwidth to re-verify that fingerprint right now)

[Arc/source.html is public at http://zsh.sourceforge.net/Arc/source.html,
as is zsh-web.git via https://sf.net/projects/zsh]

> Considering how fundamental and frequently used zsh is, I think it's very important that we can trust the tarball, don't you?

Sure.  Note that key pinning is a partial answer: now that dana has RM'd a
stable release, verifying the next release comes from the same key will
provide a non-trivial guarantee.
> Here's a suggestion for some of the long-term developers; why not contact each other by email and arrange a video conference to get to know each other a little bit, and sign each other's public gpg keys?

I suppose I could verify dana's identity using
https://www.rants.org/2009/11/instant-answer-protocol/ (real-time
questions/answers + verify push access) and sign her key on that basis,
but I don't know when she and I would both have time.

Agreed it'd be a good thing.  Thanks for raising this.

Cheers,

Daniel

P.S. (I'm replying to emails out of order, so to those who sent me
offlist emails and haven't seen a reply yet, you're not forgotten :))
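Worked example, added here and not part of Daniel's reply or of the zsh project's release tooling: a small POSIX shell script that does the two checks the reply suggests, pinning the release manager's key fingerprint and verifying a tarball's detached signature against that pin rather than against gpg's web-of-trust verdict, and comparing the tarball's contents with the git tag so that only generated files show up as differences. The fingerprint is the one quoted from the Debian commit; the sample `gpg --status-fd` lines, the file paths, the tag name and the `--strip-components` tar flag are constructed assumptions.

```shell
#!/bin/sh
# Added example (not zsh project code and not from the mailing-list thread).
# Pin the release-manager key fingerprint, verify a tarball signature
# against it, and diff the tarball against the git tag.

# Pinned fingerprint (quoted from the Debian commit in the thread).  Take
# it from something you already trust (a previously verified release, the
# distro package, Arc/source.html), never from the same download as the
# tarball it is meant to check.
PINNED_FPR="7CA7ECAAF06216B90F894146ACF8146CAE8CBBC4"

# check_pinned_sig PINNED
# Reads `gpg --status-fd 1` output on stdin; succeeds only if a VALIDSIG
# line names the pinned fingerprint (signing key or its primary key).
# VALIDSIG carries full fingerprints, unlike GOODSIG's short key id.  gpg's
# own TRUST_* line is ignored on purpose: a key outside the web of trust
# yields TRUST_UNDEFINED, and the pin is what replaces that trust path.
check_pinned_sig() {
    pinned=$1
    found=1
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] VALIDSIG "*)
                # fields: [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp> <ver>
                #         <reserved> <pk-algo> <hash-algo> <class> [<primary-fpr>]
                set -- $line
                if [ "$3" = "$pinned" ] || [ "${12:-}" = "$pinned" ]; then
                    found=0
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] REVKEYSIG "*|"[GNUPG:] EXPKEYSIG "*)
                return 1
                ;;
        esac
    done
    return $found
}

# verify_tarball TARBALL SIG   (assumed paths, e.g. zsh-X.Y.tar.xz and its .asc)
# Exit status is that of check_pinned_sig, so a signature by any other key
# fails even though `gpg --verify` alone would report a good signature.
verify_tarball() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_pinned_sig "$PINNED_FPR"
}

# compare_tag_to_tarball REPO TAG TARBALL   (assumed: git and tar installed)
# Prints the differences between the tagged tree and the tarball.  Files
# present only under the tarball side are the generated ones (configure
# and friends); anything modified, or present only on the git side, is
# what needs an explanation before the tarball is trusted.
compare_tag_to_tarball() {
    work=$(mktemp -d) || return 2
    mkdir "$work/git" "$work/tar"
    git -C "$1" archive --format=tar "$2" | tar -x -C "$work/git"
    tar -x -C "$work/tar" --strip-components=1 -f "$3"
    diff -r "$work/git" "$work/tar"
    status=$?
    rm -rf "$work"
    return $status
}

# Constructed sample status output (not real output for any zsh release).
SAMPLE_PINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG ACF8146CAE8CBBC4 (uid omitted)
[GNUPG:] VALIDSIG 7CA7ECAAF06216B90F894146ACF8146CAE8CBBC4 2020-02-14 1581700000 0 4 0 1 10 00 7CA7ECAAF06216B90F894146ACF8146CAE8CBBC4
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF (uid omitted)
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2020-02-14 1581700000 0 4 0 1 10 00 0000000000000000000000000123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG ACF8146CAE8CBBC4 (uid omitted)'

demo_pinned_key() { printf '%s\n' "$SAMPLE_PINNED" | check_pinned_sig "$PINNED_FPR"; }
demo_other_key()  { printf '%s\n' "$SAMPLE_OTHER"  | check_pinned_sig "$PINNED_FPR"; }
demo_bad_sig()    { printf '%s\n' "$SAMPLE_BAD"    | check_pinned_sig "$PINNED_FPR"; }

demo_pinned_key && echo "pinned key, TRUST_UNDEFINED: accepted"
demo_other_key  || echo "valid signature by another key: rejected"
demo_bad_sig    || echo "bad signature:                  rejected"
```

The point of parsing the status lines yourself is the one the thread turns on: `gpg --verify` exits 0 for a good signature by any key in the keyring, trusted or not, so a script that only checks gpg's exit status gains nothing from the pin. Run `verify_tarball` on a real release only after `PINNED_FPR` has been confirmed out of band; the first release is where the pin is established, and every later one is checked against it.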