PPA GPG key needs more signatures

Bug #410745 reported by Robin Munn
Affects           Status   Importance  Assigned to  Milestone
Bazaar            Expired  Wishlist    Unassigned
Launchpad itself  Invalid  Undecided   Unassigned

Bug Description

The GPG signing key for the Bazaar PPA (https://launchpad.net/~bzr/+archive/ppa) is signed by only one person, Fábio Tavares Leitão. His own GPG key is signed only by himself and one other source: several expired signatures by the PGP Global Directory Verification Key. That provides some confidence that the key is genuine, but not enough: apart from that single external source, this is an entirely closed system of key signatures. And as far as I can tell, the PGP Global Directory Verification Key verifies only an email address, not an identity. For all I can tell (since I don't personally know Mr. Tavares Leitão), these keys might have been set up by an attacker who created a Gmail account in his name, then got the PGP Global Directory Verification Key to sign the key for that Gmail account.

It would be better if the PPA key were signed by several other people whose own GPG keys, in turn, have been signed by others. This would provide more confidence that the PPA GPG key, and the contents it verifies, are genuine and haven't been recently replaced by a Trojan horse. A clever attacker might be able to fool an email-address-checking system, but he couldn't replicate the results of a real keysigning party.

This is probably not a high-priority issue, but it would be nice to have more confidence in the Bazaar PPA key.

Tags: lp-soyuz
Revision history for this message
Martin Pool (mbp) wrote :

I'm not sure that signing it would really add much meaningful security: you get the key fingerprint from Launchpad, the same system (though not precisely the same machine) that makes the archive. So if you trust Launchpad to give you the packages, presumably you also trust it to tell you what key to use. If I sign the key, it won't signify anything more than that at some point in the past I also got that key from Launchpad.

Perhaps there's no harm in encouraging more people to sign it. You can sign it yourself!

On the other hand, some people feel signing keys without verifying the real human owner is bad, and in this case there is no human owner.

See also bug 328402.

Martin Pool (mbp)
Changed in bzr:
status: New → Confirmed
importance: Undecided → Wishlist
status: Confirmed → Incomplete
Revision history for this message
Robin Munn (rmunn) wrote :

Personally, I don't use the fingerprints shown by Launchpad as a way of verifying the keys. As you indirectly point out, if someone's managed to substitute his own key for the official PPA key on Launchpad's servers, it will dutifully hand me the fingerprint of the fake key. That's what GPG key signatures are designed for -- to provide a second source, via a different channel, of authenticating the key you just received.

Now, as you correctly point out, if I sign the PPA key, it adds little to the key's trust. You don't know me from Adam, and you have no particular reason to trust me. For all you know, I'm in cahoots with an attacker, knowingly signing a fake key in the hopes of fooling others into trusting it, downloading Trojaned software, and having their machines compromised.

What this hypothetical attacker can NOT do, though, is get the signatures of the Bazaar maintainers on his fake key. Their signature(s) on the PPA key would add a lot more trust. They're the ones creating the packages in the first place, so you're already trusting them with your computer's security when you install the packages they created. (In other words, if they're in cahoots with the hypothetical attacker, you've already been compromised). Therefore if they were to give their official "stamp of approval" on the PPA signing key by signing it with their own keys, I'd be confident that it's genuine.

Perhaps I'm being over-cautious here, guarding against a very improbable attack scenario. But the minute I type "sudo apt-key add XYZ", I'm allowing any package signed by key XYZ to be installed on my computer without any further prompting. Before I do that, I'd at least like to *know* that key XYZ wasn't created ten minutes ago by J. Random Hacker working in the basement lab of Dr. Evil's lair. :-) Checking the fingerprint provided by Launchpad can't prove that to me, but checking a GPG signature (or ten) by the member(s) of the official Bazaar team can prove it.
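An added example, not part of this bug report and not Launchpad or Bazaar code: a small OpenPGP packet walker in Python (standard library only) that computes a v4 key fingerprint and lists which key IDs have certified the key, which is the inventory the reporter describes doing by hand in the description ("signed by only one person") and the check one would want before running apt-key add. The RSA key, the user ID and the second signer's key ID are constructed placeholders, and the signature packets carry dummy MPIs, so this only reports who claims to have signed the key; it does not verify the certifications cryptographically (gpg --check-sigs does that against keys you already hold).

```python
import hashlib
import struct

# Added example for bug 410745: inventory the certifications on a PPA signing key.
# All key material below is constructed for illustration; it is NOT the Bazaar PPA key.

def _packet(tag, body):
    """Old-format OpenPGP packet with a two-octet body length (RFC 4880, section 4.2.1)."""
    return bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body)) + body

def _mpi(value):
    """OpenPGP multi-precision integer: two-octet bit count, then big-endian magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def _subpacket(sub_type, data):
    """Signature subpacket with a one-octet length (lengths below 192 only)."""
    return bytes([len(data) + 1, sub_type]) + data

def fingerprint(key_body):
    """V4 fingerprint: SHA-1 over 0x99, the two-octet body length and the public-key packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()

def iter_packets(data):
    """Yield (tag, body) for every packet in a binary key export (old and new headers)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet at offset %d" % i)
        if ctb & 0x40:                      # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:                               # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length, hdr = data[i + 1], 2
            elif ltype == 1:
                length, hdr = struct.unpack(">H", data[i + 1:i + 3])[0], 3
            elif ltype == 2:
                length, hdr = struct.unpack(">I", data[i + 1:i + 5])[0], 5
            else:
                raise ValueError("indeterminate length is not supported")
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % i)
        yield tag, body
        i += hdr + length

def _issuer(sig_body):
    """Issuer key ID (16 hex chars) from a v4 signature packet, or None if absent."""
    if sig_body[0] != 4:
        return None
    pos = 4                                 # skip version, type, pubkey algo, hash algo
    for _ in range(2):                      # hashed area, then unhashed area
        area_len = struct.unpack(">H", sig_body[pos:pos + 2])[0]
        area, pos = sig_body[pos + 2:pos + 2 + area_len], pos + 2 + area_len
        j = 0
        while j < len(area):
            sub_len = area[j]
            if sub_len >= 192:
                raise ValueError("multi-octet subpacket lengths are not supported here")
            if area[j + 1] == 16:           # subpacket type 16: issuer key ID
                return area[j + 2:j + 1 + sub_len].hex().upper()
            j += 1 + sub_len
    return None

def certifications(export):
    """Return (fingerprint, issuer IDs of certification signatures on the primary key)."""
    fpr, issuers = None, []
    for tag, body in iter_packets(export):
        if tag == 6 and fpr is None:        # first public-key packet is the primary key
            fpr = fingerprint(body)
        elif tag == 2 and 0x10 <= body[1] <= 0x13:   # certification signature types
            issuers.append(_issuer(body))
    return fpr, issuers

def external_signers(export):
    """Key IDs that certified the key other than the key itself (self-signatures excluded)."""
    fpr, issuers = certifications(export)
    return sorted({i for i in issuers if i and i != fpr[-16:]})

def build_sample_export():
    """Constructed sample: a fictitious RSA key with one self-certification and one
    certification from a single other (fictitious) key, mirroring the bug report."""
    created = struct.pack(">I", 1249862400)
    key_body = b"\x04" + created + b"\x01" + _mpi(0xD4A0B1C2E3F4A5B6C7D8E9FA0B1C2D3F) + _mpi(65537)
    own_id = bytes.fromhex(fingerprint(key_body)[-16:])
    other_id = bytes.fromhex("0123456789ABCDEF")         # placeholder second signer
    uid = b"Example PPA signing key <ppa@example.invalid>"

    def cert(issuer):
        hashed = _subpacket(2, created)                  # signature creation time
        unhashed = _subpacket(16, issuer)                # issuer key ID
        sig = (b"\x04\x13\x01\x08"                       # v4, positive certification, RSA, SHA-256
               + struct.pack(">H", len(hashed)) + hashed
               + struct.pack(">H", len(unhashed)) + unhashed
               + b"\xAB\xCD" + _mpi(0x1234))             # dummy hash prefix and signature MPI
        return _packet(2, sig)

    return _packet(6, key_body) + _packet(13, uid) + cert(own_id) + cert(other_id)

if __name__ == "__main__":
    sample = build_sample_export()
    fpr, issuers = certifications(sample)
    print("fingerprint:", fpr)
    print("certified by:", issuers)
    print("signers other than the key itself:", external_signers(sample))
```

Run it against `gpg --export <keyid>` output instead of the sample to see the same inventory for a real key. The fingerprint it prints is only worth something when compared with a value obtained through a different channel than the site serving the packages (a developer's signed mail, a key-signing party), which is the reporter's point. One further caveat a practitioner would add: `sudo apt-key add` trusts the key for every repository configured on the system, whereas current apt can bind a key to one repository with a `signed-by=` keyring in the sources entry, so a compromised PPA key cannot vouch for packages from other archives.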

Revision history for this message
Jelmer Vernooij (jelmer) wrote :

> What this hypothetical attacker can NOT do, though, is get the signatures of the Bazaar maintainers on his fake
> key. Their signature(s) on the PPA key would add a lot more trust. They're the ones creating the packages in the
> first place, so you're already trusting them with your computer's security when you install the packages they
> created. (In other words, if they're in cahoots with the hypothetical attacker, you've already been compromised).
> Therefore if they were to give their official "stamp of approval" on the PPA signing key by signing it with their own
> keys, I'd be confident that it's genuine.
The Bazaar maintainers don't create the package, some process on Launchpad does.

If some random hacker is able to list an invalid fingerprint on Launchpad (this would require compromising Launchpad) then I don't see why they wouldn't be able to compromise Launchpad's build system that creates the package and have that create malicious packages.

Revision history for this message
Martin Pool (mbp) wrote : Re: [Bug 410745] Re: PPA GPG key needs more signatures

2009/8/10 Robin Munn <email address hidden>:
> Personally, I don't use the fingerprints shown by Launchpad as a way of
> verifying the keys. As you indirectly point out, if someone's managed to
> substitute his own key for the official PPA key on Launchpad's servers,
> it will dutifully hand me the fingerprint of the fake key.

If the attacker can break into Launchpad they can cause arbitrary
packages to be signed by the existing key.

> Checking the
> fingerprint provided by Launchpad can't prove that to me, but checking a
> GPG signature (or ten) by the member(s) of the official Bazaar team can
> prove it.

Do you want me to do any checking before signing this key, or just go
ahead and sign it now?

--
Martin <http://launchpad.net/~mbp/>

Revision history for this message
Martin Pool (mbp) wrote :

> Do you want me to do any checking before signing this key, or just go ahead and sign it now?

That wasn't meant to be as sarcastic as it may sound.

I can see that there is an apparent lack of security through the key being signed only by some random guy, and that it might be assuaged by the key having been signed by some developers.

On the other hand I am not convinced that's actually providing much more real security, and it may be papering over a problem in PPAs that would be better handled over there.

Revision history for this message
Martin Pool (mbp) wrote :

I was going to refer this to the Soyuz developers, but I'll actually do it on the list because this particular issue is not really their bug.

Changed in soyuz:
status: New → Invalid
Revision history for this message
Robin Munn (rmunn) wrote :

> If the attacker can break into Launchpad they can cause arbitrary packages to be signed by the existing key.

If that's the case, then I see why you said it wouldn't provide any security.

The way I *thought* it worked was that source packages uploaded to Launchpad have to be GPG-signed by an authorized person (i.e., the key signing the package must belong to one of the PPA's owners) before the resulting binary gets signed by the PPA key. Thus, the attacker would have to get himself on the PPA owners list, or get access to an owner's private key and passphrase, to get Trojaned packages signed.

But yeah, now that I think about it: if the attacker gets root on the system where the PPA's private keys are kept, he can cause them to sign any package he wants. (I assume the PPA private keys have no passphrase, since they're destined for use by a private script).

> Do you want me to do any checking before signing this key, or just go ahead and sign it now?

In signing a human's key, you want to verify two things: 1) identity (hence the face-to-face meeting and checking photo IDs at keysigning parties), and 2) that they do indeed control the private key part of the key you're about to sign (which you can check by getting a GPG-signed email from them).

Here, part 1) doesn't apply, so only part 2) needs to be checked. And a quick gpg --verify of the most recent Release.gpg file should be enough. That proves that Launchpad is still able to make good signatures and therefore that it controls the private key part of the key you're about to sign.

BTW, thanks for clarifying that that wasn't sarcastic. I wouldn't have taken it as such myself, but I can see how it might have been misread.

Revision history for this message
Jelmer Vernooij (jelmer) wrote :

Hi Robin,

Sorry for getting back to this after so long. Do you still think it would help if the PPA GPG key was signed by bzr developers, and if so, why do you think this would provide more security?

Jelmer

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for Bazaar because there has been no activity for 60 days.]

Changed in bzr:
status: Incomplete → Expired