incubator-odf-dev mailing list archives

From Rob Weir <robw...@apache.org>
Subject Re: KEYS
Date Mon, 29 Apr 2013 18:41:04 GMT
On Mon, Apr 29, 2013 at 1:31 PM, Dennis E. Hamilton
<dennis.hamilton@acm.org> wrote:
> Off-hand, I can't imagine how your public key is useful to a code-signing plug-in.
>
> I can confirm that the instructions for import of the KEYS certificates into GPG do work.
>
> My understanding is that KEYS is useful for someone who wants to verify the signatures
> on releases.  In general, it is preferable for the public keys (or at least the fingerprint)
> to be obtained from an independent, secure location that is uniquely associated with the
> committer whose PGP public key is sought.
>

That might be true if the public key was by itself.  In that case you
would only be able to tell that the signature was from someone who
claims to be Florian, but you would not know whether he really was.
But the GPG approach is based on a "web of trust" model.  If I can
confirm that your key is actually from you and you can convince me
that you are who you claim to be, then I can sign your key with my
key.  I post that info to a public keyserver, and someone else can
verify this info. And my key is then signed by someone else, etc.  So
we have a web of people asserting their trust of a given key.  So in
the end it doesn't matter where the key is actually retrieved from.
It could be on my website, in SVN, wherever.  You only trust it if you
have direct knowledge of its validity, or you trust someone who has
this knowledge, directly or via someone they directly trust.

-Rob


> The files at <https://people.apache.org/keys/committer/> qualify, since the retrieved
> public keys are based on a fingerprint that requires access to your Apache Committer account
> to establish.  The keys folder is kept secure by ASF Infrastructure.  Synchronization with
> public key servers is automated.  Also, there is a file <https://people.apache.org/keys/group/>
> that has all public keys for an individual project (e.g., office.asc for all committers of
> Apache OpenOffice that have committer keys).
>
>
>  - Dennis
>
> PS: It is not clear to me how the signatures are ever made available in conjunction with
> the distributed binaries and source tarballs.  They may be more for internal reviews and assurance
> of release-candidate integrity.
>    I notice that the download of Apache OpenOffice 3.4.1 has two hashes and an ASC digital
> signature file, but there is no indication of whose public key is needed in order to verify
> the signature [;<).  The external signatures themselves are served from, e.g., <http://www.apache.org/dist/incubator/ooo/files/stable/3.4.1/>,
> even when the various .tar.gz, .dmg, and .exe files are served from mirror sites.  Note that
> the instructions (e.g., <http://www.openoffice.org/download/checksums/3.4.1_checksums.html#howto>)
> instruct obtaining the complete set of committer keys in office.asc and then checking the
> separately-provided external signature with the separately-provided download.
>    It appears that, beside the ceremonial satisfaction of creating these signatures,
> the threat model and usability with respect to delivery to end-users need to be revisited.
>
> -----Original Message-----
> From: Florian Hopf [mailto:mailinglists@florian-hopf.de]
> Sent: Monday, April 29, 2013 01:08
> To: odf-dev@incubator.apache.org
> Subject: Re: KEYS
>
> Hi,
>
> On 26.04.2013 18:34, Dennis E. Hamilton wrote:
>> I'm not sure why this is on odf/trunk.  It may work better to only have your Apache
>> IDs and the PGP fingerprints in KEYS.
>
> I expected that this is in some way to be needed by the code signing
> plugin but I didn't really check.
>
>>
>> Either way, it is valuable for you to provide your public keys at <https://people.apache.org/keys/committer/>.
>> Do this by logging onto <https://id.apache.org/> and providing your key information.
>> (You can have multiple keys there.)
>>
>> The keys associated with your Apache account are automatically updated from PGP public-key
>> services.  These are the ones that will have current counter-signatures and for which revocation/expiration
>> is presumably noticed.
>
> Thanks for the hint, I will update my information.
>
> Regards
> Florian
>
>>
>>
>>   - Dennis
>>
>>
>> -----Original Message-----
>> From: fhopf@apache.org [mailto:fhopf@apache.org]
>> Sent: Friday, April 26, 2013 04:38
>> To: odf-commits@incubator.apache.org
>> Subject: svn commit: r1476146 - /incubator/odf/trunk/KEYS
>>
>> Author: fhopf
>> Date: Fri Apr 26 11:37:38 2013
>> New Revision: 1476146
>>
>> URL: http://svn.apache.org/r1476146
>> Log:
>> added code signing key to KEYS
>>
>> Modified:
>>      incubator/odf/trunk/KEYS
>>
>> Modified: incubator/odf/trunk/KEYS
>> URL: http://svn.apache.org/viewvc/incubator/odf/trunk/KEYS?rev=1476146&r1=1476145&r2=1476146&view=diff
>> [ ... ]
>>
>>
>>
>
>
> --
> Florian Hopf
> Freelance Software Developer
>
> http://blog.florian-hopf.de
>
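
As an added example (not code from this thread or from the ASF), the check below addresses Dennis's point that the download instructions import all of office.asc: gpg then prints "Good signature" for any committer key in that file, so a verifier should additionally pin the release manager's fingerprint obtained out of band and require the web-of-trust verdict Rob describes. It parses the machine-readable output of `gpg --status-fd 1 --verify file.asc file`; the fingerprint and status lines are constructed placeholders, not a real key.

```python
import re
from dataclasses import dataclass

STATUS_LINE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}  # web-of-trust verdicts we accept

@dataclass
class Verdict:
    ok: bool
    signer: str  # primary-key fingerprint of the signer, "" if no valid signature
    trust: str   # gpg TRUST_* keyword, "" if gpg emitted none
    reason: str

def evaluate(status_text: str, pinned_fprs: set[str]) -> Verdict:
    """Two checks beyond gpg's 'Good signature' (status_text is the output of
    `gpg --status-fd 1 --verify file.asc file`): the signer must be a fingerprint
    pinned out of band, and gpg's web-of-trust verdict must be FULLY or ULTIMATE.
    A key that is merely present in office.asc satisfies neither."""
    pinned = {f.replace(" ", "").upper() for f in pinned_fprs}
    signer, trust, failure = "", "", ""
    for line in status_text.splitlines():
        m = STATUS_LINE.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword == "VALIDSIG":
            # field 10 is the primary-key fingerprint when a subkey signed; older gpg
            # omits it, so fall back to the signing-key fingerprint in field 1
            signer = (args[9] if len(args) >= 10 else args[0]).upper()
        elif keyword in FAILURE_KEYWORDS:
            failure = keyword
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if failure or not signer:
        return Verdict(False, signer, trust, failure or "no VALIDSIG line")
    if signer not in pinned:
        return Verdict(False, signer, trust, "good signature, but not by a pinned key")
    if trust not in ACCEPTED_TRUST:
        return Verdict(False, signer, trust, f"pinned key, but gpg trust is {trust or 'unknown'}")
    return Verdict(True, signer, trust, "signature by pinned key with full trust")

# Constructed sample of gpg's status output; the fingerprint is a placeholder, not a real key.
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG {SAMPLE_FPR[-16:]} Example Release Manager <rm@example.org>\n"
    f"[GNUPG:] VALIDSIG {SAMPLE_FPR} 2013-04-26 1366976258 0 4 0 1 10 00 {SAMPLE_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"  # key imported from a KEYS file but never signed by us
)
```

With SAMPLE_STATUS the signature is valid and by the pinned key, yet `evaluate()` still rejects it because the trust level is undefined, which is exactly the case a plain `gpg --verify` reports as "Good signature".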
