Signing the release tarballs


Sven Eckelmann

Jun 7, 2013, 12:54:12 PM
to Richard 'Richard42' Goedeken, Jon 'wahrhaft' Ring, Marianne 'Auria' Gagnon, Milan Nikolic, mupen...@googlegroups.com
Hi,

Would it be possible to get signatures for the (future?) source tarballs (I am
personally mostly interested in the modular source tarballs)? The idea is to
allow distributions to check the integrity and authenticity of tarballs.

In the past numerous file distribution servers were attacked [1,2,3,4,5,6] and
the attacker replaced a release tarball/zip with a modified version
including a backdoor. Usually the distributions use some kind of signatures to
avoid such an attack against their own infrastructure but this doesn't include
the initial retrieval of the source code from upstream (usually done through
the tarballs).

In the near future Debian/Ubuntu/... will get support [7] in uscan to check a
tarball+.asc signature automatically against a predefined set of public keys
stored in the .debian.tar.gz. It also looks like some people in Arch Linux are
interested in this problem [8].

Upstream would have to provide a detached, armored signature next to the
tarball. Many people are already distributing something like this but not
everybody.

This can easily be generated using

gpg --detach-sign --armor mupen64plus-core-src-2.0.tar.gz

Of course, this doesn't help against replay attacks (attacker replaces a new
version tarball and the signature with an older version which includes a
security hole). But this can usually be detected by the packager when checking
the upstream changelog and version number.

I have no idea what opinion each maintainer has about GnuPG/PGP but asking
doesn't hurt anyone and it seemed to be a good time because the big 2.0
release is knocking on the door.

And just for anyone thinking about creating a GPG signature key [9]: Please
keep in mind that a weak signature algorithm doesn't help anyone.

Kind regards,
Sven

[1] http://sourceforge.net/blog/phpmyadmin-back-door/
[2] http://forums.unrealircd.com/viewtopic.php?t=6562
[3] https://forums.proftpd.org/smf/index.php?topic=5206.0
[4] http://h-online.com/-913588
[5] http://lwn.net/Articles/450181/
[6] http://piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/
[7] http://anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git;a=commit;h=e82313c718b7bc8b884a2617081c6638d88af37b
[8] http://allanmcrae.com/2012/04/how-secure-is-the-source-code/
[9] http://keyring.debian.org/creating-key.html

Dorian FEVRIER

Jun 7, 2013, 1:30:03 PM
to mupen...@googlegroups.com
Even if I'm not "concerned" by this, it's an interesting read, thank you. :)


From: Sven Eckelmann <sv...@narfation.org>
To: Richard 'Richard42' Goedeken <Ric...@fascinationsoftware.com>; Jon 'wahrhaft' Ring <wahr...@gmail.com>; Marianne 'Auria' Gagnon <auri...@gmail.com>; Milan Nikolic <gen2...@gmail.com>
Cc: mupen...@googlegroups.com
Sent: Friday, 7 June 2013, 18:54
Subject: [mupen64plus] Signing the release tarballs

Richard Goedeken

Jun 8, 2013, 12:47:26 AM
to mupen...@googlegroups.com
I'm willing to sign the source module archives. Do I need to post or send my
public key somewhere?

Richard

Sven Eckelmann

Jun 8, 2013, 2:22:55 AM
to mupen...@googlegroups.com, Richard Goedeken
On Friday 07 June 2013 21:47:26 Richard Goedeken wrote:
> I'm willing to sign the source module archives. Do I need to post or send
> my public key somewhere?

To make checking possible for the public, it would need to be publicly
available. This is usually done through a keyserver (see the last step in the
Debian example [1]). Not doing it is mostly useless because you have to upload
the key somewhere and somebody can just download it from there and upload it
to a keyserver (even by accident).

It would be nice when you post the fingerprint of the key here so I can
include it in the Debian package. I will not sign it with my key because I
couldn't check your identity in person using a document which I accept. But I
will do the recommended checks by OpenSUSE before including it in the package.
The identity check is not needed for the package because the package will only
need to check whether the same key always signs the releases (and cross
fingers that the private key wasn't publicly available or otherwise compromised).

Kind regards,
Sven

[1] http://keyring.debian.org/creating-key.html

Sven Eckelmann

Jun 22, 2013, 4:07:00 AM
to mupen...@googlegroups.com, Jon 'wahrhaft' Ring, Marianne 'Auria' Gagnon, Milan Nikolic
Hi wahrhaft, Auria, gen2brain,

On Friday 07 June 2013 18:54:12 Sven Eckelmann wrote:
> Would it be possible to get signatures for the (future?) source tarballs (I
> am personally mostly interested in the modular source tarballs)? The idea
> is to allow distributions to check the integrity and authenticity of
> tarballs.
[....]

any reactions/questions/answers/... from the other maintainers?

Kind regards,
Sven

mmg

Jun 23, 2013, 5:00:26 PM
to mupen...@googlegroups.com
Hi,

I can sign but something remains unclear to me, probably because I'm
not familiar with the packaging process : do you have a key server, or
you're just collecting the public keys?

-- Auria

Sven Eckelmann

Jun 23, 2013, 5:15:18 PM
to mupen...@googlegroups.com, mmg
On Sunday 23 June 2013 17:00:26 mmg wrote:
> Hi,
>
> I can sign but something remains unclear to me, probably because I'm
> not familiar with the packaging process : do you have a key server, or
> you're just collecting the public keys?

The packagers will "collect" (retrieved for example through a keyserver) the
public keys and store them in a keyring associated with the package. Just
comparing a signature with public keys from a keyserver doesn't help much
because an attacker could just sign a tarball with a faked/own key and replace
the old signature.

Kind regards,
Sven
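The packager-side half of what Sven describes in the first mail (a detached, armored signature from `gpg --detach-sign --armor`) and in this reply (verify only against the keys pinned in a per-package keyring, and insist that the same key signed as last time), written here as an added example; it is not code from the thread or from the Mupen64Plus project, and the file names (keyring.asc, the tarball and .asc paths) are assumptions.

```shell
#!/bin/sh
# Packager-side check of an upstream tarball against its detached, armored
# signature. Only the keys pinned in the package's own keyring are consulted
# (never the packager's personal keyring or a keyserver), and the signing
# key's primary fingerprint must equal the one recorded when the key was
# first accepted. Added example; file names are assumptions.
set -eu

# verify_release KEYRING_ASC TARBALL SIGNATURE_ASC EXPECTED_FPR
#   KEYRING_ASC    armored public key(s) shipped with the package
#   TARBALL        e.g. mupen64plus-core-src-2.0.tar.gz
#   SIGNATURE_ASC  output of: gpg --detach-sign --armor TARBALL
#   EXPECTED_FPR   40 hex digits, spaces allowed as in `gpg --fingerprint`
# Prints the signer's primary fingerprint and returns 0 on success, else 1.
verify_release() {
    keyring=$1; tarball=$2; sig=$3
    expected=$(printf '%s' "$4" | tr -d ' ' | tr a-f A-F)
    # Throwaway GnuPG home so nothing outside the pinned keyring can match.
    home=$(mktemp -d) || return 1
    gpg --homedir "$home" --batch --quiet --import "$keyring" 2>/dev/null \
        || { rm -rf "$home"; return 1; }
    # --status-fd gives machine-readable lines. VALIDSIG is emitted only for a
    # signature that cryptographically checks out; its last field is the
    # primary key fingerprint even when a subkey made the signature. Key
    # trust is deliberately ignored: the requirement from the thread is
    # "same key as last time", not a verified identity.
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$sig" "$tarball" 2>/dev/null) || true
    rm -rf "$home"
    signer=$(printf '%s\n' "$status" \
             | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    if [ -z "$signer" ]; then
        echo "no valid signature for $tarball" >&2; return 1
    fi
    # A signature from some other key (an attacker's own, as in Sven's reply)
    # verifies fine against a keyserver but must be rejected here.
    if [ "$signer" != "$expected" ]; then
        echo "signed by $signer, expected $expected" >&2; return 1
    fi
    # A detached signature does not bind the file name or version, so the
    # replay case from the first mail (old signed tarball presented as new)
    # still needs the packager's changelog/version comparison.
    echo "$signer"
}
```

Usage: `verify_release debian-keyring.asc mupen64plus-core-src-2.0.tar.gz mupen64plus-core-src-2.0.tar.gz.asc "F5E3 020D AFE2 C894 4087 954F 81B0 94AA 5BB2 26F5"` prints the fingerprint on success and exits non-zero otherwise.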

Richard Goedeken

Jul 5, 2013, 2:00:20 AM
to mupen...@googlegroups.com
Sven,

I have uploaded a source tarball for each of the released Mupen64Plus v2.0
modules into its Bitbucket repo's downloads page. I have also uploaded the
signature for each module to the same place. The fingerprint for my key is:

pub 4096R/5BB226F5 2013-07-05
Key fingerprint = F5E3 020D AFE2 C894 4087 954F 81B0 94AA 5BB2 26F5
uid Richard Goedeken <Ric...@fascinationsoftware.com>
sub 4096R/39B7A3A3 2013-07-05

Regards,
Richard


Milan

Sep 28, 2013, 7:48:39 PM
to mupen...@googlegroups.com, Richard 'Richard42' Goedeken, Jon 'wahrhaft' Ring, Marianne 'Auria' Gagnon, Milan Nikolic
Hi,

I have uploaded a new release and a signature for the source tarball.
My key fingerprint:

pub   4096R/A3AA4E75 2013-09-28
      Key fingerprint = 89EC A655 5E7D 1BB0 3089  1FBF 9229 D0EA A3AA 4E75
uid                  Milan Nikolic <gen2...@gmail.com>