Bug#1061153: ITP: sigsum-go -- tools for public and transparent logging of signed checksums

To: Holger Levsen <holger@layer-acht.org>
Cc: 1061153@bugs.debian.org
Subject: Bug#1061153: ITP: sigsum-go -- tools for public and transparent logging of signed checksums
From: Simon Josefsson <simon@josefsson.org>
Date: Mon, 22 Jan 2024 00:24:08 +0100
Message-id: <[🔎] 465BF3B2-9CD1-48A0-B9E0-269CCC838426@josefsson.org>
Reply-to: Simon Josefsson <simon@josefsson.org>, 1061153@bugs.debian.org
In-reply-to: <[🔎] Za1qxCPTV6whK_km@layer-acht.org>
References: <[🔎] Za1qxCPTV6whK_km@layer-acht.org> <[🔎] 875xzp473u.fsf@kaka.sjd.se>

> 21 jan. 2024 kl. 20:09 skrev Holger Levsen <holger@layer-acht.org>:
> 
> Hi Simon,
> 
>> On Fri, Jan 19, 2024 at 05:32:05PM +0100, Simon Josefsson wrote:
>> * URL             : https://git.glasklar.is/sigsum/core/sigsum-go
>>  Description     : tools for public and transparent logging of signed checksums
>> 
>> The goal of Sigsum is to provide building blocks that can be used to
>> enforce public logging of signed checksums.
> 
> do you think this would be a suitable tool to publically log all checksums of
> all Debian source and binary packages published?

Yes that would be nice. However I think we want multiple additional verification methods. The simplest augmentation would be to confirm that already existing signatures are recorded publicly via rekor. That doesn’t require any tooling or new private keys during signing, and help mitigate attackers ability to deny their actions. Cosign and sigsum are two next low hanging fruit but demand private key considerations. While publishers of packages (such as Trisquel or Debian) can be responsible for this, from the point of view of the consumer of packages, it would add more strength if a couple of external independent organizations vouch for the packages. I run one via the gitlab debdistutils project, but mirroring the ideas elsewhere would help. One key point is that any publishers packages’ aren’t trustworthy if they cannot be rebuilt from source and validated by a third party, and that third party should sign claims of what levels of verification were made, and users can pick a couple of entities to vouch for packages they install. Could the reproducible build project sign the packages you build and publish those signatures? I suggest using all three of GnuPG, sigsum-submit and cosign.

/Simin

> 
> 
> --
> cheers,
>    Holger
> 
> ⢀⣴⠾⠻⢶⣦⠀
> ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
> ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
> ⠈⠳⣄
> 
> Life may not be the party we hoped for, but while we're here we might as well
> dance!

Reply to:

References:
- Bug#1061153: ITP: sigsum-go -- tools for public and transparent logging of signed checksums
  - From: Holger Levsen <holger@layer-acht.org>
- Bug#1061153: ITP: sigsum-go -- tools for public and transparent logging of signed checksums
  - From: Simon Josefsson <simon@josefsson.org>

Prev by Date: Processed: tpb: proposed removal
Next by Date: Processed (with 1 error): your mail
Previous by thread: Bug#1061153: ITP: sigsum-go -- tools for public and transparent logging of signed checksums
Next by thread: Bug#921150: RFS: golang-github-arduino-go-paths-helper [ITP]
Index(es):
- Date
- Thread