* gpg key used to sign zsh tarball has no trusted signatures so how can I trust it? [not found] <1130466066.9798.1594417647695.ref@mail.yahoo.com> @ 2020-07-10 21:47 ` vapnik spaknik 2020-07-10 23:49 ` Daniel Shahaf 0 siblings, 1 reply; 4+ messages in thread From: vapnik spaknik @ 2020-07-10 21:47 UTC (permalink / raw) To: zsh-workers Hi, the zsh tarballs available on sourceforge & zsh.org are signed by "dana@dana.is", but this key has no chain of trust associated with it, only self signatures. How do I know that "dana" is trustworthy, and hasn't hidden some malicious code in the tarball? I can see "dana@dana.is" listed in the ChangeLog, but that's not much reassurance (it could have been achieved with a simple search-replace). Considering how fundamental and frequently used zsh is, I think it's very important that we can trust the tarball, don't you? Here's a suggestion for some of the long term developers; why not contact each other by email and arrange a video conference to get to know each other a little bit, and sign each others public gpg keys? Joe Bloggs. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: gpg key used to sign zsh tarball has no trusted signatures so how can I trust it? 2020-07-10 21:47 ` gpg key used to sign zsh tarball has no trusted signatures so how can I trust it? vapnik spaknik @ 2020-07-10 23:49 ` Daniel Shahaf 2020-07-11 4:25 ` dana 0 siblings, 1 reply; 4+ messages in thread From: Daniel Shahaf @ 2020-07-10 23:49 UTC (permalink / raw) To: vapnik spaknik; +Cc: zsh-workers vapnik spaknik wrote on Fri, 10 Jul 2020 21:47 +0000: > Hi, > the zsh tarballs available on sourceforge & zsh.org are signed by "dana@dana.is", but this key has no chain of trust associated with it, only self signatures. How do I know that "dana" is trustworthy, and hasn't hidden some malicious code in the tarball? I can see "dana@dana.is" listed in the ChangeLog, but that's not much reassurance (it could have been achieved with a simple search-replace). You can compare the git tag to the tarball. They should be identical, other than some generated files. You can also look up the various distro packages of zsh. Those packages are signed, and the distro maintainers should have solved this problem before building and signing their packages. For example, from the Debian package's repository: https://salsa.debian.org/debian/zsh/commit/14d262602341f1a2d69aa9149a331d047851ef55 >> I retrieved the key with `gpg --recv-keys 7CA7ECAAF06216B90F894146ACF8146CAE8CBBC4`, >> where the hash value was obtained by pulling upstream's zsh-web.git over an SSH >> remote and inspecting Arc/source.html in the resulting clone. That's how Debian established trust in dana's key. (It's worth noting that I wrote that log message, and I'm the one who set up dana's release manager's upload access, so I had additional, out-of-band reasons to trust.) I didn't actually sign that specific commit — in hindsight, that wouldn't have been a bad idea — but it's contained in the subsequent «debian/5.7.1-test-3-1» tag, which is PGP-signed by a WoT-connected individual. (And I'm not signing *this* email because it's past midnight and I don't have the brainwidth to re-verify that fingerprint right now) [Arc/source.html is public at http://zsh.sourceforge.net/Arc/source.html, as is zsh-web.git via https://sf.net/projects/zsh] > Considering how fundamental and frequently used zsh is, I think it's very important that we can trust the tarball, don't you? Sure. Note that key pinning is a partial answer: now that dana has RM'd a stable release, verifying the next release comes from the same key will provide a non-trivial guarantee. > Here's a suggestion for some of the long term developers; why not contact each other by email and arrange a video conference to get to know each other a little bit, and sign each others public gpg keys? I suppose I could verify dana's identity using https://www.rants.org/2009/11/instant-answer-protocol/ (real-time questions/answers + verify push access) and sign her key on that basis, but I don't know when she and I would both have time. Agreed it'd be a good thing. Thanks for raising this. Cheers, Daniel P.S. (I'm replying to emails out of order, so to those who sent me offlist emails and haven't seen a reply yet, you're not forgotten :)) ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: gpg key used to sign zsh tarball has no trusted signatures so how can I trust it? 2020-07-10 23:49 ` Daniel Shahaf @ 2020-07-11 4:25 ` dana 2020-07-12 10:09 ` Daniel Shahaf 0 siblings, 1 reply; 4+ messages in thread From: dana @ 2020-07-11 4:25 UTC (permalink / raw) To: Daniel Shahaf; +Cc: vapnik spaknik, Zsh hackers list On 10 Jul 2020, at 18:49, Daniel Shahaf <d.s@daniel.shahaf.name> wrote: > Agreed it'd be a good thing. Yeah. I meant to get it sorted before, there just wasn't a convenient opportunity. I'm not very familiar with GPG trust etiquette, but if there's a good way we can establish trust remotely the next time we're collaborating or w/e that'd be OK with me dana ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: gpg key used to sign zsh tarball has no trusted signatures so how can I trust it? 2020-07-11 4:25 ` dana @ 2020-07-12 10:09 ` Daniel Shahaf 0 siblings, 0 replies; 4+ messages in thread From: Daniel Shahaf @ 2020-07-12 10:09 UTC (permalink / raw) To: dana; +Cc: vapnik spaknik, Zsh hackers list dana wrote on Fri, 10 Jul 2020 23:25 -0500: > On 10 Jul 2020, at 18:49, Daniel Shahaf <d.s@daniel.shahaf.name> wrote: > > Agreed it'd be a good thing. > > Yeah. I meant to get it sorted before, there just wasn't a convenient > opportunity. I'm not very familiar with GPG trust etiquette, but if there's a > good way we can establish trust remotely the next time we're collaborating or > w/e that'd be OK with me The general rule is that you should only sign somebody's public key if you are *certain* that whoever controls the private key is indeed the person whose name is on the key. Some people say you should perform the verification in person against a passport (or other government-issued photo id). Other people argue that passports don't actually add much security, since the average open source contributor is not able to identify fake passports at a glance, and in any case verifying a passport doesn't defend against state adversaries. Before social distancing, verifying people's PGP keys at conferences provided a social defence: to paraphrase Linus, many eyeballs make all impersonators shallow. In the end, the question is what would convince you that someone who claims to be danielsh is in fact danielsh; and which people who are already connected to the Web of Trust would be able to be convinced that you are in fact the owner of the public key that bears your name. Cheers, Daniel (https://m.xkcd.com/1121/) ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-07-12 10:10 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- [not found] <1130466066.9798.1594417647695.ref@mail.yahoo.com> 2020-07-10 21:47 ` gpg key used to sign zsh tarball has no trusted signatures so how can I trust it? vapnik spaknik 2020-07-10 23:49 ` Daniel Shahaf 2020-07-11 4:25 ` dana 2020-07-12 10:09 ` Daniel Shahaf
Code repositories for project(s) associated with this public inbox https://git.vuxu.org/mirror/zsh/ This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).