On 17/08/2019 12:18, Elmar Stellnberger wrote:
> to be safe the key handling policy needs to be offline enforced

There have been various attempts to encourage / simplify the use of
offline keys, but it isn't currently required in Debian, and some of
them only suggest keeping the master key (not the signing subkey,
which is enough to upload packages) offline.
(non-trust warning: these are anyone-can-post areas)
https://wiki.debian.org/GnuPG
https://wiki.debian.org/OpenPGP/CleanRoomLiveEnvironment
https://lists.debian.org/debian-project/2017/08/threads.html#00011
Also, firmware attacks can reach offline keys.

> However:
> Intelligence can not spoof all downloads - there is always a certain
> percentage of downloads which get the original data; i.e. they only
> spoof the download if they know who is downloading.

Individual developers' keys are used to protect uploads (from that
developer to the Debian archive), but downloads (from that archive to
a user, i.e. apt upgrade/install) are protected by a tree of hashes
signed by the archive's own key (see /var/lib/apt/lists).
Hence, stealing an individual developer's key doesn't let an attacker
target specific people; it does let them upload as that developer, but
if they do, *everyone* sees their version of that package. As you
note, this makes them more likely to be caught.
To get a malware package to only a specific person, they would need
either a stolen *archive* key, or a bug/backdoor in apt that makes it
accept signatures it shouldn't.
Proposal to keep a log of the official hashes, which would allow the
target of such an attack to prove it was an attack:
https://debconf19.debconf.org/talks/66-software-transparency-improving-package-manager-security/
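
The download-side "tree of hashes" described in this message, as an added example that is not part of the original e-mail and is not apt's own code: a Release file lists the SHA256 of each Packages index, and each Packages stanza lists the SHA256 of a .deb. The sample data, package name and function names are constructed for illustration, and the example assumes the signature on the Release file has already been verified against the archive key.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def release_hashes(release_text: str) -> dict:
    """Map index path -> (sha256, size) from the SHA256: section of a Release file."""
    out, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new top-level field starts
            in_section = line.strip() == "SHA256:"
        elif in_section:                      # indented " <hash> <size> <path>" entry
            digest, size, path = line.split()
            out[path] = (digest, int(size))
    return out

def package_stanza(packages_text: str, name: str) -> dict:
    """Return the fields of the stanza for `name` in a Packages index."""
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines()
                      if ": " in l and not l.startswith(" "))
        if fields.get("Package") == name:
            return fields
    raise KeyError(name)

def verify_chain(release_text, index_path, packages_bytes, name, deb_bytes) -> bool:
    """Check Release -> Packages -> .deb; the Release signature is assumed verified."""
    digest, size = release_hashes(release_text)[index_path]
    if len(packages_bytes) != size or sha256(packages_bytes) != digest:
        return False                          # index is not the one the archive signed
    fields = package_stanza(packages_bytes.decode(), name)
    return (int(fields["Size"]) == len(deb_bytes)
            and fields["SHA256"] == sha256(deb_bytes))

# Constructed sample data (not real archive contents).
DEB = b"constructed stand-in for a .deb file\n"
INDEX = "main/binary-amd64/Packages"
PACKAGES = (
    "Package: hello\nVersion: 1.0-1\n"
    "Filename: pool/main/h/hello/hello_1.0-1_amd64.deb\n"
    f"Size: {len(DEB)}\nSHA256: {sha256(DEB)}\n"
).encode()
RELEASE = f"Suite: stable\nSHA256:\n {sha256(PACKAGES)} {len(PACKAGES)} {INDEX}\n"

if __name__ == "__main__":
    print("chain verifies:", verify_chain(RELEASE, INDEX, PACKAGES, "hello", DEB))
```

A substituted .deb fails the Packages hash, and a Packages index rewritten to match it fails the hash in the signed Release file, which is why a per-user substitution needs the archive key or a verification bug rather than a developer's upload key.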