[Catalog-sig] How to verify cheeseshop signatures?

"Martin v. Löwis" martin at v.loewis.de
Sun Oct 23 19:20:21 CEST 2005

Phillip J. Eby wrote:
> If you have to meet individual authors to validate them, you could just 
> get the package from them in person and skip all the certificate crap.  :)

You don't: you just need to know somebody who knows somebody...
It's a web of trust.

Also, I met Richard Jones only once, and can still verify the packages
that he created after that meeting.

> Well, the flip side is having no real security at all, if you just 
> decide to trust each author individually.  In effect, the whole thing 
> becomes just a "warm fuzzy" pseudosecurity, not unlike airline screening 
> procedures.

Code-signing *is* just warm fuzzy pseudosecurity. Even if I knew that
the code really came from Richard Jones, how would I know to trust him
that he isn't writing malware? If I have never heard of an author,
what does it help me to know that he really is the author?

> The sucky bit is that my choices are now to work hard to integrate this 
> with EasyInstall, and then have crypto experts complain that by making 
> it actually work for people I've nullified the real security (which will 
> be true, of course), or in the alternative I can just not support it, in 
> which case people will gripe that it doesn't verify signatures.  *sigh*

There is still a value in verifying the signatures: you can trust that
the package really hasn't been tampered with after it got signed. When
you found the key on the keyserver, you can also display the name
on the key, and optionally the list of signers of that key. It is then
up to the user to trust (you could use the user's gpg trust database
to skip this step if the signer is found to be trusted).

When you have package dependencies, the using package could include the
key fingerprint of the expected signer of the used package. A user would
then only have to trust the "topmost" package author, to not include
malware in its own package, and to have verified the signer of the
lower packages for both identity and moral trustworthiness.


More information about the Catalog-sig mailing list