[Catalog-sig] How to verify cheeseshop signatures?

Phillip J. Eby pje at telecommunity.com
Sun Oct 23 21:16:39 CEST 2005

At 08:07 PM 10/23/2005 +0200, Martin v. Löwis wrote:
>Phillip J. Eby wrote:
>>Since as you've already pointed out, merely knowing that it's Richard 
>>Jones doesn't prove the code isn't malware, then it would suffice for the 
>>cheeseshop to certify that a particular public key belongs to the person 
>>who registered under a particular author ID.
>So the assumption is that the cheeseshop is trusted, right?
>If so, the gpg keyid gives you the guarantee that you want: that the
>package was really signed by the person of the particular author ID.

Right, but only at the same level that the cheeseshop-provided md5 is 
correct.  Assuming  that the cheeseshop download area is distinct from the 
cheeseshop application database, and one might be hacked but not the other, 
then keeping the information separate is more useful than storing it together.

(In this sense, the md5 could actually be considered more secure than the 
signature, since it comes from the database, not the download area.)

>>Mostly, I'm just feeling frustrated because this looks like an awful lot 
>>of tricky design work is needed to make this whole thing work for people 
>>who are not crypto experts.  (And by "crypto expert", I mean anybody who 
>>actually understands how to use GPG, which is to say, not me.  :) )
>Depends on what you mean by "to work". If you get the package from
>cheeseshop, you don't need to verify it, because the cheeseshop is
>trusted. If you get it elsewhere, how do you verify it?

By "to work", I mean something that provides users who are unconvinced by 
md5 (which easy_install already checks) with a comfortable illusion of a 
higher degree of security.  :)

I suppose it's relatively moot right now anyway, since there are so few 
signed packages.  I should probably just ignore the issue until there are 
enough of them to be meaningful, or until somebody with the necessary 
expertise can put forward a plan for integrating gpg support in 
easy_install.  (Which of course might not be until there are enough 
signatures for it to be worth having a more automated way to verify them.)

More information about the Catalog-sig mailing list