Control: affects 1010955 + src:gnupg2 src:pinentry

On Sat 2022-05-14 07:55:36 +0200, Andreas Metzler wrote:
> The latest gnutls tarballs have multiple signatures. I would like
> to have uscan succeed if at least one of the signatories is listed in
> debian/upstream/signing-key.asc. Uscan currently requires all signatures
> to verify with no way to configure differently afaict.

Andreas is correct here that it only makes sense to require one valid
signature for uscan's verification to succeed.  Requiring every
discovered signature to be valid is a mistake.  For example, it means
that projects that start publishing an OpenPGP v5 signature (when
rfc4880bis is finally released) alongside their OpenPGP v4 signatures
will fail to be validated.

The same failings happen for GnuPG and related projects like Pinentry,
which typically have multiple signers attesting to each release.

I think Andreas is wrong to argue that this should be configurable.  If
anything, the correct move here is to have uscan be satisfied as long as
it finds *any* valid signature from any key in the keyring located in
debian/upstream/signing-key.asc.

Here's another way of looking at it: consider a malicious network
adversary capable of interposing themselves and tampering with either
the tarball or the signature -- it is trivial (and unavoidable) that the
adversary can make a good signature fail; just fiddle some bits in the
signature or the tarball.  What we critically want to avoid is for them
to be able to make a bad signature appear good.

But note that if we believe every supplied signature must be good when a
multiple signature is supplied, and one signature is from an unknown
party, then a network attacker can simply *remove* the unknown
signature, and the remaining signatures will all pass, converting a
"bad" multi-sig into a "good" single-sig.  The threat model for this
approach is clearly muddled!

By permitting a single signature from any signer to validate, we are not
increasing the capabilities of the attacker at all.  We're simply making
the system more robust, and enabling upstream developers to smoothly
migrate to new keys by signing with both keys for a period of time.

On the off chance that some upstream project wants Debian to ensure that
*multiple* signers have indeed endorsed a release, then it's possible
that uscan would want some configurability -- the Debian maintainer
would want to indicate that *at least N signatures from distinct signers
in the known keyring* are present in the signature bundle, for example.
But I know of no active projects that take this position at the moment,
so making such a configurable option is entirely gravy at this point.

It's more important that uscan *succeed* when at least one valid
signature is found.

          --dkg
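
The policies compared in this message, as an added example that is not part of the original mail and is not uscan's code: it parses `gpgv --status-fd` style lines and shows that stripping the unknown signature flips the "all must verify" result, while "at least N distinct signers" is unaffected. The function names, fingerprints and status lines are constructed for illustration; it assumes gpgv was run against only the keyring from debian/upstream/signing-key.asc, so every VALIDSIG comes from a listed key.

```python
# Added example: signature-count policies over gpgv status output.
# All status lines, key IDs and fingerprints below are constructed sample data.
KNOWN = "1" * 40  # constructed fingerprint of a key in the keyring

VALID = (
    "[GNUPG:] GOODSIG 1111111111111111 Constructed Signer <signer@example.org>\n"
    f"[GNUPG:] VALIDSIG {KNOWN} 2022-05-14 1652500000 0 4 0 1 10 00 {KNOWN}\n"
)
UNKNOWN = (
    "[GNUPG:] ERRSIG 2222222222222222 1 10 00 1652500000 9\n"
    "[GNUPG:] NO_PUBKEY 2222222222222222\n"
)
BUNDLE = VALID + UNKNOWN   # what upstream published: two signatures
STRIPPED = VALID           # same bundle after a network attacker drops one
TAMPERED = "[GNUPG:] BADSIG 1111111111111111 Constructed Signer\n"


def summarize(status_text):
    """Return (set of valid primary-key fingerprints, count of failed sigs)."""
    valid, failures = set(), 0
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "VALIDSIG":
            # Field 10 of VALIDSIG is the primary key fingerprint when present;
            # otherwise fall back to the signing key fingerprint.
            valid.add(parts[11] if len(parts) > 11 else parts[2])
        elif parts[1] in ("BADSIG", "ERRSIG"):
            # NO_PUBKEY accompanies ERRSIG, so it is not counted separately.
            failures += 1
    # Simplification (assumption): expired/revoked-key statuses are not examined.
    return valid, failures


def all_must_verify(status_text):
    """The behaviour criticized above: every discovered signature must pass."""
    valid, failures = summarize(status_text)
    return bool(valid) and failures == 0


def at_least_n(status_text, n=1):
    """Succeed when n distinct signers from the keyring made valid signatures."""
    valid, _ = summarize(status_text)
    return len(valid) >= n
```
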
