[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Questioning debian/upstream/signing-key.asc

On 2021-03-26 09:35:31 -0700 (-0700), Russ Allbery wrote:
> We do have a trusted timestamp for the point at which the upstream
> tarball and signature were uploaded to the Debian archive, though,
> so if the key had not yet expired at that point, I think we can
> infer it wasn't expired when the signature was made.

Speaking as someone who does this upstream (keeps a maximum one-year
expiration on OpenPGP keys used for signing release artifacts and
then extends them periodically) but also packages for Debian, it's
always been my assumption that an upstream tarball/tag signature
which was made with a key not expired at the time of upload into
Debian should be considered safe, since otherwise both the original
upstream key and Debian's archive signing keys would need to be
compromised to effect a convincing post-hoc substitution of the
source package. More likely, the attacker would only compromise the
archive signing and then replace the debian/upstream/signing-key.asc
with a different one under their control and sign the original
source with that instead (or not even bother because, let's be
honest, statistically speaking their targets are installing binary
packages anyway and so the attacker couldn't care less about source
package integrity).

The primary benefit I see for debian/upstream/signing-key.asc files
is that it's a record of what the package maintainer used to
validate the source they uploaded, and it provides some record of
whether there were changes in upstream signing practices (same key
ID with a new expiration date? different key but the keyserver
network contains keysigs for it from the previous one?). Actually
verifying signatures made with it after the source package has
appeared in the Debian archive seems to serve limited use.
Jeremy Stanley

Attachment: signature.asc
Description: PGP signature

Reply to: