activemq-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hadmut Danisch (JIRA)" <j...@apache.org>
Subject [jira] [Created] (APLO-372) Useless gpg signature
Date Mon, 05 Jan 2015 15:25:34 GMT
Hadmut Danisch created APLO-372:
-----------------------------------

             Summary: Useless gpg signature
                 Key: APLO-372
                 URL: https://issues.apache.org/jira/browse/APLO-372
             Project: ActiveMQ Apollo
          Issue Type: Bug
          Components: apollo-distro
    Affects Versions: 1.7
            Reporter: Hadmut Danisch


Hi, 

when downloading apollo from the download network, the connection is not trusted and can easily
spoofed. Therefore, apollo comes with a pgp signature. 

However, this signature is completely useless for two reasons:

1) The key is named 
Hiram Chirino <hiram@hiramchirino.com>

who is that? Is he a developer or simply a random name chosen by the attacker? How should
one know whether he is authorized to release code?

2) The key is not signed by anyone else and there is no fingerprint on any webpage, absolutely
no way to verify authenticity. 


So whoever is able to replace the software release with a modified version, could as well
replace the signature file with one signed by the attacker himself, after generating a random
key with a random name, either Hiram Chirino, Donald Duck, or Batman. 


So providing the gpg signature is absolutely pointless and does not raise security at all.
But it raises the question whether the security of apollo itself could be any better then.


regards





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message