On 2021-03-26 09:35:31 -0700 (-0700), Russ Allbery wrote: [...] > We do have a trusted timestamp for the point at which the upstream > tarball and signature were uploaded to the Debian archive, though, > so if the key had not yet expired at that point, I think we can > infer it wasn't expired when the signature was made. Speaking as someone who does this upstream (keeps a maximum one-year expiration on OpenPGP keys used for signing release artifacts and then extends them periodically) but also packages for Debian, it's always been my assumption that an upstream tarball/tag signature which was made with a key not expired at the time of upload into Debian should be considered safe, since otherwise both the original upstream key and Debian's archive signing keys would need to be compromised to effect a convincing post-hoc substitution of the source package. More likely, the attacker would only compromise the archive signing and then replace the debian/upstream/signing-key.asc with a different one under their control and sign the original source with that instead (or not even bother because, let's be honest, statistically speaking their targets are installing binary packages anyway and so the attacker couldn't care less about source package integrity). The primary benefit I see for debian/upstream/signing-key.asc files is that it's a record of what the package maintainer used to validate the source they uploaded, and it provides some record of whether there were changes in upstream signing practices (same key ID with a new expiration date? different key but the keyserver network contains keysigs for it from the previous one?). Actually verifying signatures made with it after the source package has appeared in the Debian archive seems to serve limited use. -- Jeremy Stanley
Attachment:
signature.asc
Description: PGP signature