[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1061555: apt: augment signature verification for key-usage transparency (Sigstore/Sigsum)



Package: apt
Severity: wishlist

I believe it would be nice if apt could verify signatures from Sigstore
cosign and/or verify Sigsum proofs, to augment the current PGP-based
signature verification.

While this can be handled outside of apt's awareness, it would also be
possible for apt to support improved signature verification in-band.

I'm interested in exploring any approach that leads to improved
signature verification offering similar functionality as
Sigstore/Sigsum, and offer to help work on this.

To get the design process started on the in-band approach: one proposal
is to extend the InRelease and Release.gpg file formats with additional
information needed for Sigstore and Sigsum.

After the PGP signature in InRelease and Release.gpg, you could include
additional sections.  For Sigstore cosign:

-----BEGIN SIGSTORE COSIGN-----
MEUCIQDz6ggeNw3FXj6TRZajQYUaVce6Wbw5++Pl+fLuwChejwIgJ0ZUbS+Gtyd/PTlLu5Yw7mI7EJtFbmGJ2ucKTjeEA+M=
-----END SIGSTORE COSIGN-----

For Sigsum proofs:

-----BEGIN SIGSUM PROOF-----
version=1
log=5955bfe2150ee2e667c4e418228f9ee89835d6990248aad9b39c0e2120c1b022
leaf=7244
4f313845ab7b7bc4592e437869e838fcccef45b402bd970f8aa2628ec17ef5cf
e1f43026d9bf03ee21bb87db59f34593ec8c5f5a32abbbdeab23c24083f6078f5cc731e2a44ac66ac251640e850d69a94b1810012ca062b760a9cdf477e68a0a

size=21
root_hash=40574f3463b822fddaeed6cd6fd286b2c1229eb6059e27f127488b9625e299b7
signature=d9c19494a30c20c390967d8c8de452876a82559a26ee159d18d35081b701b610b6fb614ccb59644ba01e70bacd3a5ae6dad420235a30d7f5119857d68306fb02
cosignature=70b861a010f25030de6ff6a5267e0b951e70c04b20ba4a3ce41e7fba7b9b7dfc
1705693592
e51006f8f8d5415add21d24c4f5f2e1f6231030c70ba7a78f69aebaf2162c16627dbd6c461f8b71351281475d1ffc4cd8ff110df62cdc349a99faf0558de3705

leaf_index=20
node_hash=ee51a73cedb8d27e4b50359dad5be1f76f667134fef55b9d80c63fb80bbdb95e
node_hash=7b7f715c37c43a50164f585ba31c111e409074cc8a8dc8f51415587efff3dc57
-----END SIGSUM PROOF-----

The parser needs to understand each format, and pass it to the
respectively verifier somehow, and it has to ignore unknown data.

The outcome of the verifier should be possible to configure to print a
warning message or to refuse to use the file completely.

Managing trust settings can be done by putting Sigsum cosign keys under
/etc/apt/trusted.sigstore.d/ and putting Sigsum policy files under
/etc/apt/trusted.sigsum.d/.

Verifiers for Sigstore and Sigsum brings in additional packages
dependencies, so I don't think this should be added to the default 'apt'
package.  There could be a separate package 'apt-sigstore' that Depends:
on the required dependencies, and enable verification behaviour, and a
'apt-sigsum' package that would work the same way.  The normal 'apt'
package could Suggest or Recommends these packages.

Thoughts?

/Simon

Attachment: signature.asc
Description: PGP signature


Reply to: