Comment 7 for bug 410745

Robin Munn (rmunn) wrote :

> If the attacker can break into Launchpad they can cause arbitrary packages to be signed by the existing key.

If that's the case, then I see why you said it wouldn't provide any security.

The way I *thought* it worked was that source packages uploaded to Launchpad have to be GPG-signed by an authorized person (i.e., the key signing the package must belong to one of the PPA's owners) before the resulting binary gets signed by the PPA key. Thus, the attacker would have to get himself on the PPA owners list, or get access to an owner's private key and passphrase, to get Trojaned packages signed.

But yeah, now that I think about it: if the attacker gets root on the system where the PPA's private keys are kept, he can cause them to sign any package he wants. (I assume the PPA private keys have no passphrase, since they're destined for use by a private script).

> Do you want me to do any checking before signing this key, or just go ahead and sign it now?

In signing a human's key, you want to verify two things: 1) identity (hence the face-to-face meeting and checking photo IDs at keysigning parties), and 2) that they do indeed control the private key part of the key you're about to sign (which you can check by getting a GPG-signed email from them).

Here, part 1) doesn't apply, so only part 2) needs to be checked. And a quick gpg --verify of the most recent Release.gpg file should be enough. That proves that Launchpad is still able to make good signatures and therefore that it controls the private key part of the key you're about to sign.

BTW, thanks for clarifying that that wasn't sarcastic. I wouldn't have taken it as such myself, but I can see how it might have been misread.
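A concrete form of the check discussed in this comment (part 2: confirming that Launchpad still controls the private key by verifying a fresh Release.gpg before signing the PPA key), as an added example that is not code from the bug thread, from Robin Munn, or from Launchpad. It assumes gpg is on the PATH, that the PPA's public key has already been imported, and that Release and its detached Release.gpg have been downloaded locally; the fingerprint, key names and status lines in the samples are constructed. It goes one step beyond the comment: gpg --verify exits 0 for a good signature from any key in your keyring, so the script reads gpg's --status-fd output and insists that the VALIDSIG fingerprint is the key you are about to sign and that gpg did not report it as revoked or expired.

```python
#!/usr/bin/env python3
"""Bind a PPA's detached Release.gpg signature to the fingerprint of the key
you intend to sign.  Added example, not code from the bug thread or Launchpad.
Assumptions: gpg is on PATH, the PPA public key is already in the keyring,
and Release plus Release.gpg have been fetched to local files."""
import os
import subprocess
from typing import Dict, Iterable, List, Optional

# Status tags meaning "a signature exists but must not count as proof that a
# healthy key under the signer's control made it".
REJECT_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def signature_made_by(status_lines: Iterable[str], expected_fpr: str) -> bool:
    """True only if gpg reported GOODSIG, no reject tag, and a VALIDSIG line
    whose signing-key or primary-key fingerprint equals expected_fpr.

    A zero exit from `gpg --verify` means "some key in the keyring made a good
    signature"; only the VALIDSIG fingerprint ties it to a specific key."""
    expected = expected_fpr.replace(" ", "").upper()
    good = False
    rejected = False
    fingerprints = set()
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        tag = parts[1]
        if tag == "GOODSIG":
            good = True
        elif tag in REJECT_TAGS:
            rejected = True
        elif tag == "VALIDSIG" and len(parts) > 2:
            # Field 2: fingerprint of the (sub)key that made the signature.
            # Field 11, when present: fingerprint of that key's primary key.
            fingerprints.add(parts[2].upper())
            if len(parts) > 11:
                fingerprints.add(parts[11].upper())
    return good and not rejected and expected in fingerprints


def verify_release_gpg(release_path: str, sig_path: str, expected_fpr: str,
                       gnupghome: Optional[str] = None) -> bool:
    """Run gpg on a detached signature and apply signature_made_by.
    --status-fd 1 sends the machine-readable status lines to stdout."""
    env = dict(os.environ)
    if gnupghome:
        env["GNUPGHOME"] = gnupghome
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, release_path],
        capture_output=True, text=True, env=env, check=False)
    return signature_made_by(proc.stdout.splitlines(), expected_fpr)


# Constructed sample status output; fingerprints and names are made up.
PPA_FPR = "1111 2222 3333 4444 5555 6666 7777 8888 9999 0000"
OTHER_FPR = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
SAMPLES: Dict[str, List[str]] = {
    "good_from_ppa_key": [
        "[GNUPG:] NEWSIG",
        "[GNUPG:] GOODSIG 7777888899990000 Launchpad PPA (constructed)",
        "[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2009-08-10 "
        "1249900000 0 4 0 17 2 00 1111222233334444555566667777888899990000",
        "[GNUPG:] TRUST_UNDEFINED 0 pgp",
    ],
    "good_but_other_key": [
        "[GNUPG:] NEWSIG",
        "[GNUPG:] GOODSIG 0000111122223333 Someone Else (constructed)",
        "[GNUPG:] VALIDSIG " + OTHER_FPR + " 2009-08-10 1249900000 0 4 0 17 2 00 "
        + OTHER_FPR,
    ],
    "revoked_ppa_key": [
        "[GNUPG:] NEWSIG",
        "[GNUPG:] REVKEYSIG 7777888899990000 Launchpad PPA (constructed)",
        "[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2009-08-10 "
        "1249900000 0 4 0 17 2 00 1111222233334444555566667777888899990000",
    ],
    "bad_signature": [
        "[GNUPG:] NEWSIG",
        "[GNUPG:] BADSIG 7777888899990000 Launchpad PPA (constructed)",
    ],
}


def run_samples() -> Dict[str, bool]:
    """Apply the check to every constructed sample against the PPA fingerprint."""
    return {name: signature_made_by(lines, PPA_FPR) for name, lines in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in run_samples().items():
        print(f"{name}: {'sign the key' if ok else 'do NOT sign'}")
    # Real use, once Release and Release.gpg are downloaded:
    # verify_release_gpg("Release", "Release.gpg", PPA_FPR)
```

Only the first sample passes: a good signature from a different key, a signature from a revoked key, and a bad signature are all rejected even though the first two would make plain `gpg --verify` report "Good signature". When the check passes, the key is ready for `gpg --sign-key <fingerprint>` (or `--lsign-key` for a non-exportable signature).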