Control: affects 1010955 + src:gnupg2 src:pinentry On Sat 2022-05-14 07:55:36 +0200, Andreas Metzler wrote: > The latest gnutls tarballs have multiple signatures. I would like > to have uscan succeed if at least one of signatories is listed in > debian/upstream/signing-key.asc. Uscan currently requires all signatures > to verify with no way to configure differently afaict.
Andreas is correct here that it only makes sense to require one valid signature for uscan's verification to succeed. Requiring every discovered signature to be valid is a mistake. For example, it means that projects that start publishing an OpenPGP v5 signature (when rfc4880bis is finally released) alongside their OpenPGP v4 signatures will fail to be validated. The same failings happen for GnuPG and related projects like Pinentry, which typically have multiple signers attesting to each release. I think Andreas is wrong to argue that this should be configurable. If anything, the correct move here is to have uscan be satisfied as long as it finds *any* valid signature from any key in the keyring located in debian/upstream/signing-key.asc. Here's another way of looking at it: consider a malicious network adversary capable of interposing themselves and tampering with either the tarball or the signature -- it is trivial (and unavoidable) that the adversary can make a good signature fail; just fiddle some bits in the signature or the tarball. What we critically want to avoid is for them to be able to make a bad signature appear good. But note that if we believe every supplied signature must be good when a multiple signature is supplied, and one signature is from an unknown party, then a network attacker can simply *remove* the unknown signature, and the remaining signatures will all pass, converting a "bad" multi-sig into a "good" single-sig. The threat model for this approach is clearly muddled! By permitting a single signature from any signer to validate, we are not increasing the capabilities of the attacker at all. we're simply making the system more robust, and enabling upstream developers to smoothly migrate to new keys by signing with both keys for a period of time. On the off chance that some upstream project wants debian to ensure that *multiple* signers have indeed endorsed a release, then it's possible that uscan would want some configurability -- the debian maintainer would want to indicate that *at least N signatures from distinct signers in the known keyring* are present in the signature bundle, for example. But i know of no active projects that take this position at the moment, so making such a configurable option is entirely gravy at this point. It's more important that uscan *succeed* when at least one valid signature is found. --dkg
signature.asc
Description: PGP signature