Hi,
On 2024-02-11 01:35, mpan wrote:
Hello,
Good reasoning and decision regarding not removing signature
checking.
As for attaching keys, my opinion on that is: you may. My thinking
here is as follows.
Signatures establish a secure channel between the software authors
and the builder/user. If one puts complete trust in a random AUR
account, we can just use SHA512 and stop with the security theater. The
user is expected to acquire and verify the key through a separate
route: either directly from the authors or by using enough witnesses to
build trust.
Unavoidably that brings the question: where is the user supposed to
get the key? Keyservers should be the answer, but have fun playing
hide-and-seek to tell which server to use. Keys being published
whenever possible is a good option then. That would include AUR.
That leaves one question open: where? I believe the proper place is
the git repository, alongside the PKGBUILD. Keys aren’t expected to
change often, so updates wouldn’t be frequent.
There is little risk in an AUR account offering a malicious key.
Public keys are not expected to be distributed through secure means.
Only the key ID (or the entire fingerprint) has to be confirmed. After
all, this is how keyservers work and they are even less trusted than
AUR.
What if the victim doesn’t verify the key ID? The worst a malicious
actor could do is publish an AUR entry with both a fake key and its
corresponding key ID. But this gives them the power to convey malicious
source, which one can do by simply not offering signatures. There is a
minor threat of the key ending up in their keyring, which can be later
used to e.g. send encrypted email the attacker can read (tamper-evident
on recipient’s end: they can’t decrypt it). But the same can be done
with a keyserver.
Cheers
Thanks for the great reply, I agree on all points pretty much. Yeah, the
package consumer still has to verify the key (signature) with upstream,
but including the key file with the package can help in situations where
the public keyservers are flaky (certainly a situation I've had to deal
with in the past).
One point I just realized is that the AUR might prevent me from
uploading the key(s) as they wouldn't be listed in the sources() array
in the PKGBUILD. However, it turns out the AUR has special handling
for a key dir [0].
[0]: https://gitlab.archlinux.org/archlinux/aurweb/-/merge_requests/722
Cheers, Wilhelm.
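The point both messages make is that a key file shipped in the AUR repository is only a convenience: what the consumer must confirm is that its fingerprint matches the one pinned in the PKGBUILD's validpgpkeys array, since anyone with write access could swap the file. The following is an added example, not code from this thread or from makepkg/aurweb, showing that check over a constructed key file and PKGBUILD; the keys/pgp/ directory name and file names are assumptions, and only old-format v4 primary-key packets (what gpg exports) are parsed.

```python
import base64, hashlib, re
def dearmor(text):
    """Strip the ASCII-armor envelope (RFC 4880 6.2); armor headers and the CRC line are ignored."""
    b64, inside = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN"):
            inside = True
        elif line.startswith("-----END"):
            break
        elif inside and line and ": " not in line and not line.startswith("="):
            b64.append(line)
    return base64.b64decode("".join(b64))

def primary_key_body(data):
    """Body of the first packet, which must be an old-format public-key packet (tag 6)."""
    ctb = data[0]
    if ctb & 0xC0 != 0x80 or (ctb >> 2) & 0x0F != 6 or ctb & 3 == 3:
        raise ValueError("first packet is not a definite-length old-format public-key packet")
    n = 1 << (ctb & 3)  # length field is 1, 2 or 4 bytes wide
    return data[1 + n:1 + n + int.from_bytes(data[1:1 + n], "big")]

def key_file_fingerprint(armored):
    """v4 fingerprint = SHA-1(0x99 || two-byte body length || body) (RFC 4880 12.2)."""
    body = primary_key_body(dearmor(armored))
    if body[0] != 4:
        raise ValueError("only v4 keys are supported")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def validpgpkeys_from(pkgbuild):
    """Fingerprints pinned in the PKGBUILD's validpgpkeys=() array (quotes and comments dropped)."""
    m = re.search(r"validpgpkeys=\((.*?)\)", pkgbuild, re.S)
    body = re.sub(r"#[^\n]*", "", m.group(1)) if m else ""
    return {t.strip("'\"").upper() for t in body.split()}

def check_keys_dir(pkgbuild, key_files):
    """Map each keys/pgp/*.asc file to (fingerprint, pinned?); an unpinned file must not be trusted."""
    pinned = validpgpkeys_from(pkgbuild)
    fps = {name: key_file_fingerprint(armored) for name, armored in key_files.items()}
    return {name: (fp, fp in pinned) for name, fp in fps.items()}

def constructed_key(n, e=65537):
    """CONSTRUCTED sample: structurally valid v4 RSA public-key packet, not a real key, no CRC line."""
    mpi = lambda x: x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + bytes(4) + b"\x01" + mpi(n) + mpi(e)  # version 4, creation time 0, algo 1 (RSA)
    raw = b"\x99" + len(body).to_bytes(2, "big") + body
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n%s\n-----END PGP PUBLIC KEY BLOCK-----\n" % base64.b64encode(raw).decode()

SAMPLE_KEY = constructed_key(0xC0FFEE0123456789ABCDEF0123456789ABCDEF)  # constructed repo content: keys/pgp/upstream.asc
SAMPLE_PKGBUILD = f"pkgname=example\nsource=('example.tar.gz' 'example.tar.gz.sig')\nvalidpgpkeys=('{key_file_fingerprint(SAMPLE_KEY)}')\n"
```

In practice the same comparison can be made against the fingerprint gpg prints for the file (e.g. `gpg --show-keys keys/pgp/upstream.asc`); the packet parsing above only makes explicit what the fingerprint commits to, so that a swapped key file, whoever committed it, fails the check.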