
Re: dpkg-sig support wanted?

Matthew Palmer <mpalmer@debian.org> writes:

> On Fri, Nov 25, 2005 at 03:22:37PM +0100, Goswin von Brederlow wrote:
>> A signature in the deb by a random developer is as trustworthy as the
>> changes file and you already trust that. So we are going from snakeoil
>> to snakoil. No harm done.
> It's not the same, actually.  A signature in a .deb needs to be made by a
> key which is still trustworthy at the time of verification, which could be
> quite some time in the future.  The key which makes a .changes signature, in
> contrast, only *needs* to be valid at the time the upload is made -- if it
> is later compromised, it's not important, because by that time the archive
> signing key has taken over the role of integrity verification.

And there you have the big misconception.

The archive signing key gives absolutely no integrity assurance on the
deb package. The only thing it ensures is that the file was not
altered _after_ leaving ftp.de.debian.org for the mirrors and/or
user. In no way does it prevent altering the deb on ftp-master.

The chain of trust from the DD to the enduser is broken at that point
when the changes file disappears into a non public place and the
Release.gpg takes over. Even worse the Release.gpg is signed with an
automatic key which I trust way less than a DD's key.

> Of course, using the signature on the .changes to verify the .debs
> independent from the archive at some later date is a nice side-benefit, but
> one which suffers from the same key-lifetime issues as in-deb signatures,
> and since the .changes from autobuilt uploads aren't publicly available
> (apparently d-d-$arch-changes isn't archived, from info previously posted in
> this thread) that method of package authentication isn't going to be 100%
> reliable anyway.
> - Matt

The key-lifetime issue, as you say, is already there for the changes
files. It is also already there for the dsc files. The deb signatures
don't change a thing there.

What they change is the availability of the signature. And that they
change to 100% for every signed deb (and we hope all debs get signed
at some point).
