
GPG signatures for source validation #1624

Open
6 tasks done
NicoHood opened this issue Nov 22, 2016 · 11 comments

Comments

@NicoHood

NicoHood commented Nov 22, 2016

As we all know, today more than ever before, it is crucial to be able to trust our computing environments. One of the main difficulties that package maintainers of Linux distributions face, is the difficulty to verify the authenticity and the integrity of the source code.

The Arch Linux team would appreciate it if you would provide us GPG signatures in order to verify your source code releases easily and quickly.

Overview of the required tasks:

Additional Information:

Thanks.

@GrayHatter
Collaborator

@NicoHood toktok/c-toxcore already does most of this 👍

@g4jc

g4jc commented Dec 6, 2016

Glad to see other people are getting serious about GPG file integrity! 👍 Also stopped by to say I'm looking forward to the signed GitHub release tarballs; currently none of them are signed.

@zetok
Contributor

zetok commented Dec 6, 2016

@g4jc regarding signing releases, feel free to read through qTox/qTox#3912 (comment)

@ac225519

Let me show you the current situation.
Arch package libfilteraudio is signed with the key:
10349DC9BED89E98 2014-03-21 irungentoo [email protected]
So far so good. BUT what is a signature worth without being able to verify that it really originates from irungentoo?
Nothing.
The 10349DC9BED89E98 key can't be verified.
Try yourself. Google it: 5 results (15-DEC-2016)
Now view the results. Search for 10349DC9BED89E98 in the results.
Nothing.
OK. Try Bing: 2 results (15-DEC-2016) (total different results, interesting)
Now view the results. Search for 10349DC9BED89E98 in the results.
Nothing.
That is not encouraging.
OK. Try to import the key:
```
gpg: key 10349DC9BED89E98: public key "irungentoo [email protected]" imported
gpg: 1 key processed (1 validity count cleared)
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: Note: signature key 2D000988589839A3 has been revoked
gpg: Note: signature key A9FF5157F0F159C4 expired Sat 06 Aug 2016 22:00:00
gpg: Note: signature key DBB802B258ACD84F expired Tue 12 Jan 2016 03:17:51
gpg: Note: signature key 98FEC6BC752A3DB6 expired Tue 12 Jan 2016 03:20:35
gpg: Note: signature key DBB802B258ACD84F expired Tue 12 Jan 2016 03:17:51
gpg: Note: signature key 3C83DCB52F699C56 expired Tue 12 Jan 2016 04:31:56
```

4 signature keys expired on the same day and one is revoked? What the fuck?
Let's search for the 10349DC9BED89E98 key at a PGP Key Server web interface:
0 keys found.
That's bad. Try another key server.
0 keys found.
YOU CAN'T SEARCH THE KEY SERVER FOR THE KEY ID.
So let's try the email address.
```
Search results for 'irungentoo gmail com'

Type bits/keyID     cr. time   exp time   key expir

pub  4096R/BED89E98 2014-03-21

uid irungentoo [email protected]
sig  sig3  BED89E98 2014-03-21 __________ __________ [selfsig]
sig  sig   EA04D208 2014-07-11 __________ __________ David Lohle [email protected]
sig  revok BED89E98 2015-12-12 __________ __________ [selfsig]

uid irungentoo [email protected]
sig  sig3  BED89E98 2014-03-22 __________ __________ [selfsig]
sig  sig   EA04D208 2014-07-11 __________ __________ David Lohle [email protected]

sub  4096R/072FB171 2014-03-21
sig  sbind BED89E98 2014-03-21 __________ __________ []
```

Hey, we finally get a trace of a verification for 10349DC9BED89E98.
David Lohle has signed it. But who is David Lohle?
After a click on David Lohle's EA04D208 key we find out that he has added the key id:
David Lohle (Proplex) [email protected].
And his key is signed by Sean Qureshi [email protected]
GREAT, finally some good points that 10349DC9BED89E98 belongs to irungentoo.

How could this whole crap be cut down to 10 seconds of searching?
Put this into https://github.com/irungentoo/toxcore/blob/master/README.md

Source signing key:
FC0BC251E0BA54852E532C5B10349DC9BED89E98 irungentoo [email protected]
pub 4096R/BED89E98 2014-03-21
Fingerprint=FC0B C251 E0BA 5485 2E53 2C5B 1034 9DC9 BED8 9E98

Is this too much to ask for?

@NicoHood
Author

I don't get your problem. You can find the long key in the Arch PKGBUILD file:
https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=libfilteraudio

Sure, we do not know that this new key is from "him". But we know that he published it on his GitHub account, so this one is possibly not hacked yet (or we would possibly have other problems). GPG relies on the trust chain of other users. For example, my key is signed with the Arch Linux master keys, which trust me and ensure that I am a team member.

@GrayHatter, for example, could sign @irungentoo's key and vice versa. This way the Tox team can ensure that their keys are valid.

@ac225519

@NicoHood yes, you don't get it at all.
https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=libfilteraudio is where it all starts.
THIS is the first appearance of this key.
Am I supposed to trust farseerfc? Why? I don't want to repeat my previous post.
If you don't get it from my previous post, it's very unlikely you'll get it from whatever I write.

@GrayHatter
Collaborator

@ac225519 I think you're the one who's misunderstanding the use of PGP. It's not supposed to be easy. Computers are stupid and easy to fool. You need to verify keys by hand if you want actual security.

In this case there are dozens of mirrors across the world with toxcore in them. All commits to the toxcore branch are signed by irungentoo. If you compare the key on filter_audio to the key used to sign all the toxcore commits, you can be sure it came from irungentoo's key.

Apart from that, there are otherwise too many issues to iterate over here. The request for commits and tarballs to be signed was accepted; you now have both. Either you do the work you did and trust the key, or you don't. Either way, complaints about PGP being hard to use aren't problems that belong on this repo.

Have you tried keybase? It's easy to use!
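The comparison the previous comments argue about (short key ID vs. long key ID vs. full fingerprint, and what `gpg --verify` actually tells you) can be made mechanical. The block below is an added example, not code from toxcore, qTox or the Arch PKGBUILD: it derives the long and short key IDs from the fingerprint quoted in this thread, and it accepts a `gpg --status-fd 1 --verify` result only when GnuPG's `VALIDSIG` line carries the pinned full fingerprint, refusing `REVKEYSIG`/`EXPKEYSIG`/`BADSIG`. The status-line format is GnuPG's documented one; the sample status output and the e-mail address in it are constructed for the example.

```python
"""Pin a release-signing key by its full fingerprint when checking
`gpg --status-fd 1 --verify` output.

Added example, not toxcore or Arch code. The status-line layout is
GnuPG's documented one (GOODSIG, VALIDSIG, REVKEYSIG, ...); the sample
status lines below are constructed, not captured from a real run.
"""
import re

# Fingerprint quoted in this thread for irungentoo's signing key. A
# PKGBUILD's validpgpkeys entry pins the same 40-hex value.
PINNED_FPR = "FC0BC251E0BA54852E532C5B10349DC9BED89E98"


def key_ids(fingerprint: str) -> dict:
    """Derive the long (16 hex) and short (8 hex) key IDs from a v4
    fingerprint. Both are suffixes of the fingerprint, which is why a
    key ID alone is a weak thing to search for or to pin."""
    fpr = re.sub(r"\s+", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return {"fingerprint": fpr, "long_id": fpr[-16:], "short_id": fpr[-8:]}


def check_signature(status_output: str, pinned_fpr: str) -> tuple:
    """Accept only if GnuPG reported VALIDSIG for the pinned fingerprint.

    GOODSIG alone is not enough: it names the key only by long ID.
    Revoked/expired/bad signatures are refused outright; the gpg
    import transcript in this thread shows how common expired and
    revoked keys are in a keyring."""
    pinned = key_ids(pinned_fpr)["fingerprint"]
    seen_valid = False
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            return (False, f"refused: {tag}")
        if tag == "VALIDSIG":
            # fields[2]: fingerprint of the key that made the signature.
            # When a subkey signed, GnuPG appends the primary key's
            # fingerprint as an 11th argument (12 fields in total).
            sig_fpr = fields[2].upper()
            primary_fpr = fields[-1].upper() if len(fields) >= 12 else sig_fpr
            if pinned in (sig_fpr, primary_fpr):
                seen_valid = True
            else:
                return (False, f"refused: {primary_fpr} is not the pinned key")
    return (True, "ok") if seen_valid else (False, "refused: no VALIDSIG")


# Constructed status output for a good signature by the pinned key.
GOOD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 10349DC9BED89E98 irungentoo <irungentoo@example.invalid>
[GNUPG:] VALIDSIG FC0BC251E0BA54852E532C5B10349DC9BED89E98 2016-11-22 1479772800 0 4 0 1 8 00 FC0BC251E0BA54852E532C5B10349DC9BED89E98
"""

# Constructed: a different key whose long ID collides with the pinned one.
# GOODSIG looks identical; only the full fingerprint exposes it.
LOOKALIKE_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 10349DC9BED89E98 irungentoo <irungentoo@example.invalid>
[GNUPG:] VALIDSIG 00000000000000000000000010349DC9BED89E98 2016-11-22 1479772800 0 4 0 1 8 00 00000000000000000000000010349DC9BED89E98
"""

# Constructed: the pinned key, but revoked.
REVOKED_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG 10349DC9BED89E98 irungentoo <irungentoo@example.invalid>
[GNUPG:] VALIDSIG FC0BC251E0BA54852E532C5B10349DC9BED89E98 2016-11-22 1479772800 0 4 0 1 8 00 FC0BC251E0BA54852E532C5B10349DC9BED89E98
"""

if __name__ == "__main__":
    print(key_ids("FC0B C251 E0BA 5485 2E53 2C5B 1034 9DC9 BED8 9E98"))
    for name, status in (("good", GOOD_STATUS), ("lookalike", LOOKALIKE_STATUS),
                         ("revoked", REVOKED_STATUS)):
        print(name, check_signature(status, PINNED_FPR))
```

In practice the status text comes from `gpg --status-fd 1 --verify release.tar.gz.asc release.tar.gz`; the point of parsing `VALIDSIG` rather than `GOODSIG` is that only the former carries the full fingerprint, so a key that merely shares the 16-hex long ID (or the 8-hex short ID a key server search turns up) is rejected.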

@ac225519

ac225519 commented Dec 15, 2016

@GrayHatter thank you for trying to explain PGP to me. That's sweet.
I've been a PGP user since PGP 2.x (about 1994). And yes, I still use my first key from then.
I think I know a little about PGP.
So let's try it again.

I install https://aur.archlinux.org/packages/libfilteraudio
In the install process I get the opportunity to install the PGP key that the source package is signed with.
I now have a public key in my keyring, and this is what I know about it:

  • The public key has a UID " [email protected]" connected to it.
  • The signature file was downloaded from github
  • The source & signature file are 'packed' by Last Packager: farseerfc

I now want to do a BASIC verification of the PGP key that is used to sign the source package.
I google the key ID in the hope that the key ID is mentioned on ANY official web page.
But NO, this key isn't mentioned on ANY official web page of the TOX project.

Instead I have to ask a public PGP key server for the UID and click my way through the web of trust.
That is a way I can easily do. But it is totally unnecessarily complex. Publishing it in a place controlled only by the project team would be so much faster, and its visibility would give the TOX team extra credibility in the eyes of many people not familiar with the verification process of the web of trust.

@cebe

cebe commented Dec 16, 2016

> I want now do a BASIC verification of the PGP key that is used to sign the source package.
> I google the key ID in the hope that the key ID is mentioned on ANY official web page.
> But NO, this key isn't mentioned on ANY official web page of the TOX project.

👍 keys should be on a website or the public profiles of people to allow quick checking.
A good example is the PHP website: http://php.net/downloads.php#gpg-7.1 listing all keys of the people responsible for signing the releases.

@cebe

cebe commented Dec 16, 2016

The GitHub bio is a good place for that, e.g. https://github.com/cebe

@NicoHood
Author

Yes, he is right. It should be listed somewhere, and GrayHatter should sign the key too, to give it more trust.

On the AUR you should not simply trust the PKGBUILD file. However, the maintainer is an official Arch Linux member, so you can trust him as you do for the packages you install from him.
