FS#69843 - Allow multiple pgp signatures to validate the same file

Attached to Project: Pacman
Opened by Setpill (setpill) - Monday, 01 March 2021, 10:16 GMT
Last edited by Eli Schwartz (eschwartz) - Thursday, 17 June 2021, 22:38 GMT
Task Type Feature Request
Category makepkg
Status Unconfirmed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version 5.2.2
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No

Details

Summary and Info:

Currently makepkg's verify_signature.sh script makes certain assumptions about the naming scheme of file signatures that make it impossible for the same source file to be signed by multiple signature files. Since the advent of reproducible builds, it is becoming more common for multiple maintainers/developers of a piece of software to provide signatures of a binary release. It would be nice to be able to efficiently support this.

I have implemented *some* way of doing this in the lnd-bin PKGBUILD in the AUR, however it is easy to see this is not efficient; I am downloading the same source file multiple times, once for each signature. In this case, upstream provides signed manifests rather than signing the source files themselves. That has its own downsides, but at least downloading the manifest file multiple times is relatively painless.

If it were possible to tell makepkg that a signature belongs to a specific file, this could be significantly optimized and becomes viable when upstreams sign their release binaries directly rather than through manifests.
This task depends upon

Comment by Doug Newgard (Scimmia) - Monday, 01 March 2021, 13:05 GMT
I'm not getting it. How would there ever be multiple signatures for a single file? Even if they did, what would be the point of verifying more than one?
Comment by Setpill (setpill) - Friday, 12 March 2021, 13:13 GMT
I'm not sure what you don't get about there being multiple signatures for a single file - you can sign arbitrary files so I could really easily sign a file someone else has already signed. Verifying more than one dev's signature means you no longer have a single point of trust; this is essentially what reproducible builds are all about. If even a single developer's output is different than the others, there is reason to investigate the situation.
Comment by Doug Newgard (Scimmia) - Friday, 12 March 2021, 13:15 GMT
A signature is essentially saying "This is the file I made". Having a bunch of people sign it is just pointless.
Comment by Levente Polyak (anthraxx) - Friday, 12 March 2021, 13:34 GMT
having multiple signatures itself isn't pointless, you can perfectly fine use that as attestation that any other entity reproduced the very same result and vouches for that by providing a signature as well.
A signature on a release artifact itself also doesn't really say "i made this" but more like "i vouch for this", which _can_ mean that you made it yourself.
Comment by Eli Schwartz (eschwartz) - Friday, 12 March 2021, 13:38 GMT
It's not pointless. But it is complicated, moreso than the value add that it provides. I'm not sure how this should work other than by adding a domain specific language to makepkg just for this.

And quite frankly the value is pretty low. The point of Reproducible Builds is that anyone can recreate the binary, delegating that right back to the lead developers to attest that it's reproducible doesn't really tell you much as their collaboration relationship is a significant source of of the lack of trust that Reproducible Builds seeks to solve.
Comment by Levente Polyak (anthraxx) - Friday, 12 March 2021, 13:43 GMT
I disagree that the value is low. Iterating some years into the future, you could potentially imagine to only want to install and trust packages that have N out of M trusted attestations about reproducibility. And for any reproducer its a perfectly valid way to just create a detatched signature of the artifact themselves -- an alternative would be to attest a meta file about the reproduction -- but at the end its still the same thing.
Comment by Morten Linderud (Foxboron) - Friday, 12 March 2021, 13:52 GMT
Installing a trusted *package* is fine, but do you want this for build *sources*?
Comment by Allan McRae (Allan) - Friday, 12 March 2021, 13:52 GMT
Package reproducibility is a red-herring here.

This bug talks about verifying multiple signatures for source files in makepkg.
Comment by Levente Polyak (anthraxx) - Friday, 12 March 2021, 13:54 GMT
Yeah, I agree we drifted away from the reason of this ticket, but the discussion lead it there :D
I don't think having multiple input source signatures would add really much value tho. theoretically the value is >0 if multiple entities look at all the history to vouch it... but well it indeed doesn't have to do with reproducible builds.
Comment by Eli Schwartz (eschwartz) - Friday, 12 March 2021, 14:10 GMT
There is a separate ticket open for pacman to support configurable thresholds of multiple PGP signatures on binary package artifacts.

I know this, because I'm the one who opened it.

There is much more value add, IMO, to binary package artifacts than to sources. Most specifically, because I envisioned that pacman binary repositories could automatically merge trust attestations by appending to the signature file and rehosting the repo. Whereas that doesn't quite make sense for makepkg, nor for source code.
Comment by Setpill (setpill) - Friday, 12 March 2021, 14:28 GMT
> A signature is essentially saying "This is the file I made". Having a bunch of people sign it is just pointless.

The point of reproducible builds is that the output of your build process is bit for bit identical to mine. If you make a file, and sign it, and I make the exact same file and sign it too, then someone can verify my signature against your file without knowing the difference.
Comment by Setpill (setpill) - Friday, 12 March 2021, 14:34 GMT
> The point of Reproducible Builds is that anyone can recreate the binary, delegating that right back to the lead developers to attest that it's reproducible doesn't really tell you much as their collaboration relationship is a significant source of of the lack of trust that Reproducible Builds seeks to solve.

The lnd-bin package came to be when the lnd package could not be built from source due to Arch packaging an incompatible version of Go, this package is in part a hedge against that happening again. Reproducible builds are also a defence against backdoored build machines. Malicious upstream developers are not something I include in my threat model for lnd-bin. Maybe I will in the future, but then I'll still want this feature :)
Comment by Setpill (setpill) - Friday, 12 March 2021, 14:34 GMT
> There is much more value add, IMO, to binary package artifacts than to sources.

This is indeed about binary package artifacts, my bad for conflating terminology (in the lnd-bin PKGBUILD, the binary artifact is in the source array).
Comment by Eli Schwartz (eschwartz) - Friday, 12 March 2021, 14:51 GMT
I'm not saying this feature is rejected! I'm simply venturing a personal opinion that I don't see a practical route to accomplishing it, because I don't want to build a DSL into makepkg's source array processing.

But if someone were to propose a patch, then I'd be in a much better position to judge its fitness and maintainability...
Comment by Setpill (setpill) - Friday, 12 March 2021, 15:02 GMT
That's fair. I was just clarifying where I felt the need to :)

Loading...