activemq-commits mailing list archives

From "Hiram Chirino (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (APLO-372) Useless gpg signature
Date Wed, 07 Jan 2015 17:20:36 GMT

     [ https://issues.apache.org/jira/browse/APLO-372?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hiram Chirino resolved APLO-372.
--------------------------------
    Resolution: Won't Fix
      Assignee: Hiram Chirino

The trusted GPG sigs are listed at: http://activemq.apache.org/apollo/download.html

If you want to double check whose keys are trusted to sign the release, check out the KEYS file in the project's SCM repository:

https://git-wip-us.apache.org/repos/asf?p=activemq-apollo.git;a=tree

> Useless gpg signature
> ---------------------
>
>                 Key: APLO-372
>                 URL: https://issues.apache.org/jira/browse/APLO-372
>             Project: ActiveMQ Apollo
>          Issue Type: Bug
>          Components: apollo-distro
>    Affects Versions: 1.7
>            Reporter: Hadmut Danisch
>            Assignee: Hiram Chirino
>
> Hi,
> when downloading apollo from the download network, the connection is not trusted and can easily be spoofed. Therefore, apollo comes with a pgp signature.
> However, this signature is completely useless for two reasons:
> 1) The key is named
> Hiram Chirino <hiram@hiramchirino.com>
> who is that? Is he a developer or simply a random name chosen by the attacker? How should one know whether he is authorized to release code?
> 2) The key is not signed by anyone else and there is no fingerprint on any webpage, absolutely no way to verify authenticity.
> So whoever is able to replace the software release with a modified version could as well replace the signature file with one signed by the attacker himself, after generating a random key with a random name, either Hiram Chirino, Donald Duck, or Batman.
> So providing the gpg signature is absolutely pointless and does not raise security at all. But it raises the question whether the security of apollo itself could be any better then.
> regards



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
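The check the reporter is asking for, shown as an added example that is not code from this thread or from the Apollo project: import the project's KEYS file into a throwaway keyring, verify the detached signature, and accept the release only if the key that produced the signature has the fingerprint you obtained out of band (for Apollo, from the download page the resolution points to). A signature from a freshly generated key carrying the same user ID fails this check because its fingerprint differs. The function name, the file names and the pinned fingerprint are assumptions; the key used in the test is a locally generated throwaway key.

```bash
#!/usr/bin/env bash
# Added example, not from the APLO-372 thread or the Apollo project.
# Verifies a release artifact against a project KEYS file and pins the
# signing key's fingerprint, so a signature from a look-alike key with
# the same user ID is rejected. Assumes GnuPG 2.x is installed and that
# ARTIFACT, SIGNATURE and KEYS are local files; EXPECTED_FPR is the
# 40-hex-digit fingerprint taken from a trusted, out-of-band source
# (the project's download page), never from the KEYS file itself.
set -euo pipefail

# verify_release ARTIFACT SIGNATURE KEYS_FILE EXPECTED_FPR
# Exit status 0 only if the signature is cryptographically valid AND was
# made by the pinned key (matched against the signing key's fingerprint
# or, when a subkey signed, the primary key's fingerprint).
verify_release() {
  local artifact="$1" sig="$2" keys="$3" expected_fpr="$4"
  local home status sig_fpr primary_fpr rc=1
  # Isolated keyring: the user's keyring and its trust settings are never touched.
  home=$(mktemp -d)
  chmod 700 "$home"
  gpg --homedir "$home" --batch --quiet --import "$keys" >/dev/null 2>&1 || true
  # --status-fd emits machine-readable lines. A VALIDSIG line appears only
  # for a good signature; field 3 is the signing key's fingerprint and
  # field 12 (when present) the primary key's fingerprint.
  status=$(gpg --homedir "$home" --batch --status-fd 1 \
               --verify "$sig" "$artifact" 2>/dev/null || true)
  sig_fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
  primary_fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $12; exit }')
  if [ -n "$sig_fpr" ] && { [ "$sig_fpr" = "$expected_fpr" ] || [ "$primary_fpr" = "$expected_fpr" ]; }; then
    rc=0
  fi
  rm -rf "$home"
  return "$rc"
}

# Command-line usage (file names are placeholders):
#   ./verify-release.sh release.tar.gz release.tar.gz.asc KEYS <PINNED_FINGERPRINT>
if [ "$#" -eq 4 ]; then
  if verify_release "$@"; then
    echo "OK: signature valid and made by pinned key $4"
  else
    echo "FAIL: bad signature, or signing key is not the pinned one" >&2
    exit 1
  fi
fi
```

Two design points: the function never consults GnuPG's web-of-trust or ownertrust, because the reporter's point is exactly that no such trust path exists; the only thing that decides is a fingerprint you obtained through a channel other than the download mirror. And a bare `gpg --verify` exit status is not enough, since it says "some key in the keyring signed this", which is the attacker-controlled property the report describes; reading the VALIDSIG status line is what turns it into "the key I pinned signed this".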
