[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Mon, 30 May 2022 10:17:45 +0200
On lun., 30 mai 2022 at 01:45, firstname.lastname@example.org wrote:
> Authenticate a tarball through a signed tag in a git repository (with
> reproducible builds).
> Blog post: https://vulns.xyz/2022/05/auth-tarball-from-git/
In this post, it reads:
Personally - if I had to decide between these two - I’d prefer
the later because I can always try to authenticate the pinned
tarball later on,
which is the case for Guix. Even, Guix is somehow already implementing
this third way because each commit modifying a package is signed. From
the post, the file ’chrisduerr.pgp’ and ’kchibisov.pgp’ are the Guix
committer keys .
(Hum, I do not understand what this means:
but it’s impossible to know for sure which source code has been
used if all I know is “something that had a valid signature on
but that’s another story. :-))
Well, in this frame about security, the question is: who trusts who? I
do not think that the addition of an automatic signature check of source
code’s author key enforces more security for Guix users. It adds more
complexity and does not fix the current bottleneck of trust: the Guix
packager and Guix committer.
Other said, if you do not trust the Guix packagers and Guix committers,
then you have to personally check the authenticity of the source code.
Using an automatic process with data from Guix packages or Guix
committers contradicts the assumption «you do not trust them».
Therefore, it does not fix the current weakness.
However, such ’auth-tarball-from-git’ can be of high interest when
Submitting Patching :
2. If the authors of the packaged software provide a
cryptographic signature for the release tarball, make an effort
to verify the authenticity of the archive. For a detached GPG
signature file this would be done with the gpg --verify command.