Hello,

On Tue, Apr 18, 2023 at 05:25:58PM +0000, John Scott wrote:
> I know if you're looking at the subject line alone you'll think I'm proposing
> introducing a security vulnerability, but let me explain.
>
> There are some problems with storing an upstream signing key inside the
> package. It might get stale, not incorporating additional subkeys necessary
> for signature verification or revocations. Also, it requires manual work on
> the part of the maintainer and can't be done automatically.
>
> Folks outside the OpenPGP ecosystem might not know this, but the Web of Trust
> is now not the only way of doing things. There are ways, like Web Key
> Directory, DANE, and LDAP, to not only discover an OpenPGP key, but also
> verify that it really belongs to the person in the user ID.
>
> First, we save in some metadata file somewhere (debian/upstream/metadata?)
> the user IDs (aka names and email addresses) of upstream, or perhaps mappings
> of key IDs to email addresses. When uscan goes to verify the signature, it
> will know the key ID of the signer but might not know their user ID, so it
> will look in the mapping table.
>
> Then it will fetch the key using an authenticated method and use it to verify
> the signature.
>
> I hope that makes sense. Unfortunately I only know C, so I don't think I'll
> be able to contribute this.
My personal objective opinion to that is: I prefer manual key handling over
such automatisms. To get the key belonging to a certain email address the
mentioned mechanisms like WKD and DANE are reasonably good. But I want to
authenticate a certain person, not someone in control of a certain email
address (which can change). So if such a mechanism existed, I wouldn't opt-in
to it and prefer to continue occasionally updating the upstream key after
manual verification.

My 0.02€,
Uwe

-- 
Pengutronix e.K.                           | Uwe Kleine-König            |
Industrial Linux Solutions                 | https://www.pengutronix.de/ |
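To make the two positions in this thread concrete, here is an added example (not code from John, Uwe, uscan or the devscripts project) of the lookup John sketches and of the check Uwe's objection calls for. It assumes a constructed signer table standing in for a debian/upstream/metadata entry, derives the Web Key Directory lookup URLs for the address found there (SHA-1 of the lower-cased local part, z-base-32 encoded, as the WKD draft specifies), and then insists that whatever key WKD returns still matches the fingerprint the maintainer verified by hand. Nothing here performs network access; `CONSTRUCTED_SIGNERS`, the example address and the fingerprint are invented values.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local part.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per symbol, zero-padded at the end."""
    bits = "".join(f"{byte:08b}" for byte in data)
    symbols = []
    for i in range(0, len(bits), 5):
        chunk = bits[i:i + 5].ljust(5, "0")
        symbols.append(ZBASE32_ALPHABET[int(chunk, 2)])
    return "".join(symbols)


def wkd_urls(email: str) -> dict:
    """Return the WKD 'advanced' and 'direct' lookup URLs for an address.

    The hash covers the lower-cased local part only; the local part as
    written is echoed back in the 'l' query parameter, domain lower-cased.
    """
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    domain = domain.lower()
    hashed = zbase32_encode(hashlib.sha1(local.lower().encode("utf-8")).digest())
    l_param = quote(local, safe="")
    return {
        "advanced": (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                     f"{domain}/hu/{hashed}?l={l_param}"),
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}?l={l_param}",
    }


def normalise_hex(value: str) -> str:
    """Strip spaces and an optional 0x prefix, upper-case the rest."""
    value = value.replace(" ", "")
    if value[:2].lower() == "0x":
        value = value[2:]
    return value.upper()


# Constructed stand-in for the table John proposes (hypothetical values, not
# any real project's data). A v4 OpenPGP long key ID is the low 64 bits of the
# fingerprint, i.e. its last 16 hex digits, so one fingerprint per signer is
# enough to answer "which address belongs to the key ID on this signature?".
CONSTRUCTED_SIGNERS = [
    {"email": "Release.Manager@Example.ORG",
     "fingerprint": "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"},
]


def resolve_signer(key_id: str, signers=CONSTRUCTED_SIGNERS):
    """Map the key ID uscan sees on a signature to a known upstream entry.

    Only long key IDs (16 hex digits) or full fingerprints are accepted;
    8-digit short IDs are cheap to collide and must not drive a key fetch.
    """
    wanted = normalise_hex(key_id)
    if len(wanted) not in (16, 40):
        raise ValueError(f"refusing short or malformed key ID {key_id!r}")
    for entry in signers:
        if normalise_hex(entry["fingerprint"]).endswith(wanted):
            return entry
    return None


def fetched_key_matches_pin(fetched_fingerprint: str, entry: dict) -> bool:
    """Uwe's point, as a check: WKD only proves control of the mailbox, so the
    key it returns is accepted only if it matches the pinned fingerprint."""
    return normalise_hex(fetched_fingerprint) == normalise_hex(entry["fingerprint"])


if __name__ == "__main__":
    entry = resolve_signer("0x89ABCDEF01234567")
    for method, url in wkd_urls(entry["email"]).items():
        print(f"{method}: {url}")
    # A key fetched over WKD would be compared against the pinned fingerprint:
    print(fetched_key_matches_pin(entry["fingerprint"], entry))
```

The design point is that the table lookup and the WKD fetch discover a key, but neither step authenticates a person; the final fingerprint comparison is what turns John's automatic discovery into something that keeps the maintainer's manual verification in the loop. If the pinned fingerprint is absent, the automatic path degrades to exactly the "whoever controls the mailbox" trust that Uwe declines.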