
Re: Questioning debian/upstream/signing-key.asc

Timo Röhling <timo@gaussglocke.de> writes:
> * Russ Allbery <rra@debian.org> [2021-03-26 13:01]:

>> If this were the case, it would be fine to re-sign *.dsc files, but
>> there has been quite a lot of opposition to that in the past.  The
>> upstream signing key is at least as useful as the signature on the
>> *.dsc file, for exactly the same reasons.

> I do not understand this, but I am probably too new with Debian. Can you
> point me to a discussion about this?

I'm not sure that I completely understand either (and unfortunately am not
adept enough with our list archives to find the previous discussion), but
my understanding was that even though DAK had checked the validity of the
packages, people wanted the option to be able to go back to the original
signatures and recheck them.

One possible scenario in which that would be useful is recovering from a
compromise of the Debian archive, in which the archive signature may no
longer be trustworthy.

Thinking about this some more, I overstated the merits of having the
upstream signing key, since of course the *.dsc signature also covers the
upstream tarball.  I think it's only useful as documentation of the
validity of the upstream signature and for retrieving new upstream
tarballs, since the *.dsc signature establishes the validity of the
upstream tarball for that specific Debian package.

Apologies for the sloppy thinking on my part.

> You're right, I did conflate those two concepts too much. Let me try and
> rephrase. What I meant to convey was: there is no way to know when a
> signature was created except trusting what the signature itself says,
> because anyone who has control over the key can forge any date. That's
> fine, because in this context, the actual date of the signature doesn't
> really matter: the signature is meant to prevent an attacker from
> tampering with the source code, not to prove when exactly the release
> happened.

> Thus, there is no reason to stop trusting the signature after the key
> has expired, unless you assume that someone could have replaced the
> original source and forged a backdated signature, i.e. the key was
> compromised.

> Am I making more sense now?

Yes, thank you, that makes sense.  And therefore if we have an external
dating source (such as the upload to the archive), we can know that the
signature was not backdated outside of that range, which in turn is
probably enough information to trust signatures from subsequently expired
keys, but the open question is whether we would ever care to validate the
signature at that point given that we could just use the *.dsc signature
from the Debian maintainer.

The only scenario in which I could see wanting to do that is if we wanted
to double-check whether the maintainer verified the upstream signature at
the time of upload (or if the upstream tarball was somehow tampered with
on the maintainer's system between the time they checked and the time they
uploaded the source package to the archive).

Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>
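The policy reasoning in the exchange above (a signature's own creation time is written by whoever holds the key, so only an external timestamp such as the archive upload can bound when it was made, and a key that expired later is still acceptable if it was valid at that externally attested moment) can be written down as a small decision procedure. The following is an added example, not code from the thread, from Debian's DAK or from any OpenPGP implementation; the class names, the `judge` function and all dates are constructed for illustration, and the cryptographic check itself is represented by a boolean supplied by the caller.

```python
"""Decision rule for accepting a signature whose key has since expired.

Added example (not part of the original mail thread). The signature's
self-reported creation time is signer-controlled and proves nothing about
when it was made. An external timestamp the signer does not control (here
the archive upload time, a constructed value) bounds it from above: the
signature cannot have been created after the artefact containing it was
uploaded. If the key was valid at that attested moment, later expiry alone
does not invalidate the signature. A compromised key is outside this
model, exactly as the thread notes.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class KeyValidity:
    created: datetime
    expires: Optional[datetime]  # None: the key never expires

    def valid_at(self, when: datetime) -> bool:
        if when < self.created:
            return False
        return self.expires is None or when < self.expires


@dataclass(frozen=True)
class Signature:
    crypto_ok: bool          # outcome of the real cryptographic verification (assumed input)
    claimed_time: datetime   # creation time stored inside the signature; signer-controlled
    key: KeyValidity


def judge(sig: Signature, external_time: datetime, now: datetime) -> Tuple[bool, str]:
    """Return (accept, reason) for a signature given an external timestamp.

    external_time: a time the signer does not control, e.g. acceptance into
    the archive. now: the current time, used only to report whether the key
    has expired in the meantime.
    """
    if not sig.crypto_ok:
        return False, "cryptographic verification failed"
    if sig.claimed_time > external_time:
        # The signature claims to postdate an event that already contained it.
        return False, "signature claims a creation time after the external timestamp"
    if not sig.key.valid_at(external_time):
        # The key did not yet exist or had already expired when the artefact
        # was attested, so the claimed time could have been backdated.
        return False, "key was not valid at the externally attested time"
    if sig.key.expires is not None and now >= sig.key.expires:
        return True, "accepted: key expired later but was valid when the artefact was attested"
    return True, "accepted: key currently valid"


def sample_scenarios() -> Dict[str, bool]:
    """Constructed cases exercising each branch of the rule."""
    utc = timezone.utc
    key = KeyValidity(created=datetime(2018, 1, 1, tzinfo=utc),
                      expires=datetime(2020, 1, 1, tzinfo=utc))
    now = datetime(2021, 3, 26, tzinfo=utc)          # key is expired by now
    good = Signature(True, datetime(2019, 6, 1, tzinfo=utc), key)
    upload = datetime(2019, 6, 2, tzinfo=utc)        # constructed archive upload time
    return {
        "uploaded while key valid": judge(good, upload, now)[0],
        "uploaded after key expired": judge(good, datetime(2020, 6, 1, tzinfo=utc), now)[0],
        "claims time after upload": judge(
            Signature(True, datetime(2019, 7, 1, tzinfo=utc), key), upload, now)[0],
        "bad crypto": judge(Signature(False, good.claimed_time, key), upload, now)[0],
    }


if __name__ == "__main__":
    for name, accepted in sample_scenarios().items():
        print(f"{name}: {'accept' if accepted else 'reject'}")
```

The "uploaded after key expired" case is rejected not because the signature is known to be forged, but because nothing external establishes that it was made while the key was valid; that is the situation the thread describes as requiring an assumption about key compromise.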
