FS#43384 - [sssd] tarball signatures
Attached to Project:
Community Packages
Opened by Mantas Mikulėnas (grawity) - Friday, 09 January 2015, 08:09 GMT
Last edited by Massimiliano Torromeo (mtorromeo) - Monday, 12 January 2015, 08:23 GMT
Details
The PKGBUILD for sssd 1.12.3-1 stopped verifying the PGP
signature of source tarball, under the excuse of "there is
no available public list of valid gpg keys".
There's no list of valid PGP keys for *many* projects, but they're almost always released by the same one or two developers, so the fingerprints can be obtained and verified by comparing signatures of several historical releases.

According to my download cache, all recent sssd releases were done by:

'E4E366758CA0716AAB8048671EC6AB7532E7BC25' # Jakub Hrozek

Older versions (1.9 and older) were signed by:

'34BFDEA209B1EA2E9FDC2E537A25556236BAA3A3' # Stephen Gallagher
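To show the check that the fingerprints above would enable, here is an added example (not code from the report, the sssd project, or makepkg) in Python: it parses the status lines that `gpg --status-fd 1 --verify` prints for a tarball signature, applies a validpgpkeys-style rule to them, and tallies which key signed each historical release, which is the reporter's method for settling on a key list. The sample status lines are constructed; the only real values are the two fingerprints the report gives.

```python
import re

# Fingerprints the report names as sssd signers (a PKGBUILD's validpgpkeys).
VALIDPGPKEYS = {
    "E4E366758CA0716AAB8048671EC6AB7532E7BC25",  # Jakub Hrozek
    "34BFDEA209B1EA2E9FDC2E537A25556236BAA3A3",  # Stephen Gallagher
}

# Constructed `gpg --status-fd 1 --verify` output for hypothetical releases.
SAMPLE_STATUS = {
    "1.9.6": "[GNUPG:] GOODSIG 7A25556236BAA3A3 Stephen Gallagher\n"
             "[GNUPG:] VALIDSIG 34BFDEA209B1EA2E9FDC2E537A25556236BAA3A3 "
             "2013-06-04 1370300000 0 4 0 1 2 00 34BFDEA209B1EA2E9FDC2E537A25556236BAA3A3\n",
    "1.12.3": "[GNUPG:] GOODSIG 1EC6AB7532E7BC25 Jakub Hrozek\n"
              "[GNUPG:] VALIDSIG E4E366758CA0716AAB8048671EC6AB7532E7BC25 "
              "2015-01-06 1420500000 0 4 0 1 2 00 E4E366758CA0716AAB8048671EC6AB7532E7BC25\n",
    "tampered": "[GNUPG:] BADSIG 1EC6AB7532E7BC25 Jakub Hrozek\n",
    "unknown-key": "[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1430000000 9\n"
                   "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n",
}

def parse_status(status_text):
    """Reduce gpg status lines to (state, fingerprints); state is 'valid',
    'bad', 'expired', 'no_pubkey' or 'none'."""
    state, fprs = "none", []
    for line in status_text.splitlines():
        f = line.split()
        if len(f) < 2 or f[0] != "[GNUPG:]":
            continue
        if f[1] in ("BADSIG", "NO_PUBKEY"):
            return ("bad" if f[1] == "BADSIG" else "no_pubkey"), []
        if f[1] in ("EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            state = "expired"  # gpg still emits VALIDSIG after these
        elif f[1] == "VALIDSIG":  # signing-key fpr first, primary fpr last
            fprs = [x for x in f[2:] if re.fullmatch(r"[0-9A-F]{40}", x)]
            state = "valid" if state == "none" else state
    return state, fprs

def check_source(status_text, allowed=VALIDPGPKEYS):
    """The validpgpkeys rule: only a valid signature by an allowed key passes."""
    state, fprs = parse_status(status_text)
    if state != "valid":
        return state
    return "trusted" if any(x in allowed for x in fprs) else "untrusted_key"

def survey_signers(status_by_release):
    """The reporter's method: the key that signed each historical release."""
    return {r: parse_status(s)[1][-1] if parse_status(s)[0] == "valid" else None
            for r, s in status_by_release.items()}
```

Running `survey_signers` over a cache of old releases shows the recurring fingerprints; a tarball signed by a key outside that set is reported as `untrusted_key` rather than silently accepted.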
Closed by Massimiliano Torromeo (mtorromeo)
Monday, 12 January 2015, 08:23 GMT
Reason for closing: No response
This does not provide any additional security to the process.
Sure, I could take the time to verify that those 2 keys are good and hope that no one else in the future will do the signing but this should be handled better upstream IMHO.
I mean, look at how arch does it: https://www.archlinux.org/master-keys/
You get a public source secured by https that lets you verify which are the valid keys that can sign packages/whatever.