incubator-odf-dev mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: KEYS
Date Mon, 29 Apr 2013 17:31:14 GMT
Off-hand, I can't imagine how your public key is useful to a code-signing plug-in. 

I can confirm that the instructions for import of the KEYS certificates into GPG do work.

My understanding is that KEYS is useful for someone who wants to verify the signatures on
releases.  In general, it is preferable for the public keys (or at least the fingerprint)
to be obtained from an independent, secure location that is uniquely associated with the
committer whose PGP public key is sought.  

The files at <https://people.apache.org/keys/committer/> qualify, since the retrieved
public keys are based on a fingerprint that requires access to your Apache Committer account
to establish.  The keys folder is kept secure by ASF Infrastructure.  Synchronization with
public key servers is automated.  Also, there is a file <https://people.apache.org/keys/group/>
that has all public keys for an individual project (e.g., office.asc for all committers of
Apache OpenOffice that have committer keys).


 - Dennis

PS: It is not clear to me how the signatures are ever made available in conjunction with the
distributed binaries and source tarballs.  They may be more for internal reviews and assurance
of release-candidate integrity.  
   I notice that the download of Apache OpenOffice 3.4.1 has two hashes and an ASC digital
signature file, but there is no indication of whose public key is needed in order to verify
the signature [;<).  The external signatures themselves are served from, e.g., <http://www.apache.org/dist/incubator/ooo/files/stable/3.4.1/>,
even when the various .tar.gz, .dmg, and .exe files are served from mirror sites.  Note that
the instructions (e.g., <http://www.openoffice.org/download/checksums/3.4.1_checksums.html#howto>)
instruct obtaining the complete set of committer keys in office.asc and then checking the
separately-provided external signature with the separately-provided download.  
   It appears that, besides the ceremonial satisfaction of creating these signatures, the threat
model and usability with respect to delivery to end-users need to be revisited.

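The PS above notes that a download ships with two hashes and an .asc signature but gives no indication of whose key is needed, and that the instructions have the user import the whole office.asc and accept whatever key in it signed the file. The script below is an added example for this thread, not code from the thread or from ASF Infrastructure: it imports KEYS into a throwaway keyring, verifies the detached signature, and then requires the signer's primary-key fingerprint to equal a fingerprint pinned in advance (obtained from an independent location such as the committer's page under people.apache.org/keys/committer/), so a valid signature from some other key in KEYS is rejected. File names, the fingerprint and the digest passed to `verify_release` are placeholders; `signer_fingerprint` parses the `[GNUPG:] VALIDSIG` line that `gpg --status-fd` emits, whose last field is the primary key fingerprint.

```shell
#!/bin/sh
# Added example (not from the thread): verify an Apache-style release download
# against a KEYS file while pinning the expected signer, instead of trusting
# any key that happens to be in KEYS. Names and values are placeholders.

set -eu

# Print the primary-key fingerprint of the signer from a file of gpg
# --status-fd lines. VALIDSIG's last field is the primary fingerprint (the
# first field is the signing subkey's). Prints nothing without a valid signature.
signer_fingerprint() {
    # $1: file containing gpg status lines
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF }' "$1"
}

# Compare a file's SHA-256 with an expected hex digest (case-insensitive).
# Returns 0 on match, 1 otherwise. Falls back to shasum where sha256sum is absent.
check_sha256() {
    # $1: file, $2: expected digest
    actual=$( (sha256sum "$1" 2>/dev/null || shasum -a 256 "$1") | awk '{ print $1 }')
    [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Full check: import KEYS into a temporary keyring, verify the detached .asc
# signature, require the pinned primary fingerprint, then check the digest.
verify_release() {
    # $1: tarball, $2: detached signature (.asc), $3: KEYS file,
    # $4: pinned primary fingerprint (40 hex chars), $5: expected SHA-256
    tmp=$(mktemp -d)
    chmod 700 "$tmp"
    gpg --homedir "$tmp" --batch --quiet --import "$3"
    # Status lines go to stdout (fd 1); a failed verify must not abort the
    # script before we report why, hence the "|| true".
    gpg --homedir "$tmp" --batch --status-fd 1 --verify "$2" "$1" > "$tmp/status" 2>/dev/null || true
    found=$(signer_fingerprint "$tmp/status")
    rm -rf "$tmp"
    [ -n "$found" ] || { echo "REJECT: no valid signature on $1"; return 1; }
    [ "$found" = "$4" ] || { echo "REJECT: $1 signed by unexpected key $found"; return 1; }
    check_sha256 "$1" "$5" || { echo "REJECT: SHA-256 mismatch for $1"; return 1; }
    echo "OK: $1 signed by $4 and digest matches"
}

# Placeholder invocation (file names, fingerprint and digest are not real):
# verify_release release.tar.gz release.tar.gz.asc KEYS \
#     0000000000000000000000000000000000000000 <expected-sha256>
```

The digest check is deliberately last: the hashes on the download page are served from the same place as the signature and so add no independent assurance, whereas the pinned fingerprint does. The temporary `--homedir` keeps the imported KEYS out of the user's long-term keyring, so an unrelated committer key does not acquire standing for later verifications.
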
-----Original Message-----
From: Florian Hopf [mailto:mailinglists@florian-hopf.de] 
Sent: Monday, April 29, 2013 01:08
To: odf-dev@incubator.apache.org
Subject: Re: KEYS

Hi,

On 26.04.2013 18:34, Dennis E. Hamilton wrote:
> I'm not sure why this is on odf/trunk.  It may work better to only have your Apache IDs
> and the PGP fingerprints in KEYS.

I expected that this is in some way to be needed by the code signing 
plugin but I didn't really check.

>
> Either way, it is valuable for you to provide your public keys at <https://people.apache.org/keys/committer/>.
> Do this by logging onto <https://id.apache.org/> and providing your key information.
> (You can have multiple keys there.)
>
> The keys associated with your Apache account are automatically updated from PGP public-key
> services.  These are the ones that will have current counter-signatures and for which revocation/expiration
> is presumably noticed.

Thanks for the hint, I will update my information.

Regards
Florian

>
>
>   - Dennis
>
>
> -----Original Message-----
> From: fhopf@apache.org [mailto:fhopf@apache.org]
> Sent: Friday, April 26, 2013 04:38
> To: odf-commits@incubator.apache.org
> Subject: svn commit: r1476146 - /incubator/odf/trunk/KEYS
>
> Author: fhopf
> Date: Fri Apr 26 11:37:38 2013
> New Revision: 1476146
>
> URL: http://svn.apache.org/r1476146
> Log:
> added code signing key to KEYS
>
> Modified:
>      incubator/odf/trunk/KEYS
>
> Modified: incubator/odf/trunk/KEYS
> URL: http://svn.apache.org/viewvc/incubator/odf/trunk/KEYS?rev=1476146&r1=1476145&r2=1476146&view=diff
> [ ... ]
>
>
>


-- 
Florian Hopf
Freelance Software Developer

http://blog.florian-hopf.de

