[Catalog-sig] [Draft] Package signing and verification process

Christian Heimes christian at python.org
Wed Feb 6 11:57:37 CET 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 05.02.2013 22:28, Zygmunt Krynicki wrote:
>> * If we are trusting the fingerprint someone is sending us we
>> can trust the public key they are sending us,
>> * Adds an extra step to go from zero to releasing
>> * Expecting the user to decrypt the mail manually is kinda unfriendly
> 
> It provides a guarantee that the user has access to the public and 
> private keys and completes the email cycle. Launchpad.net has the
> same functionality built in.

Exactly! I modeled the workflow based on Launchpad's design. The extra
cycle helps the user to verify her setup. This aids users that are new
to GPG and signing, too.

> I get the feeling that we either put a lot of trust in the central 
> authority (pypi) or we must conclude that peer-to-peer trust
> without automatic update methods is the only way that prevents us
> from some attacks.

My design has the benefit of enabling both levels of trust at the same
time:

1) An overtrustful user just has to trust PyPI's key. She checks
PyPI's signature of the package metadata + maintainer's signature to
verify that the maintainer was trusted by PyPI at the moment of the
upload. After that she verifies the uploader's signature of the file
WITHOUT verifying the uploader's key. The user doesn't trust the
uploader's key explicitly but rather trusts PyPI's simple key check.

2) A more paranoid user also needs to establish full trust of the
uploader's key (import and sign the key).

> I agree. I think that pypi should not have to be trusted. Real
> people trust other (few, limited) real people. We don't normally
> trust large bodies (corporations, groups) as that trust cannot be
> effective.

No, you have to trust PyPI to some degree. PyPI is *the* authority on
the relationship between users and projects. PyPI is the only entity
in the process that can truly verify that a key holder was a project
maintainer at some given point in the past.

If you don't trust PyPI then you have to create and maintain your own
mapping of key fingerprints to projects.

Christian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCAAGBQJREjccAAoJEMeIxMHUVQ1FoKMP/30NW1Kc85ojv/SUfwzGNY7M
EQRlbY7MS98kaCio+o5Od2TEMSzjQtfdwZDhPVqsYZ6HEp17mkpruSjUHqFzPwPi
ru6+JP+Y7V7W5po6UB4ofCHix98IRoXNAPCoJtIxsjKqoLG26+5p/6Xx4UMWRhPj
Cc0ej4LuYVECpBYubE8PB0RVY/t35MN8nRUOs5DZ2W91xX73MBzV3/cmcW3faqUM
0cQO0Ag0EiVlw3RrY0nBPMKaaIRyGjQmC9sdG6ri4iLI8ONhzMYhyV1TPvkI8G2Q
QAUy2RYXqZkzdH5UEQEr7nvhtsYhXVpEs/gL6r/t9Bj6Ck33NzU5aEXURKjCKTy3
+h4ox5bzqbPH+7AU7hbPiuG57GOJiZ2RlnLn1lOyK804FZPM1R68yVvDGJc1nU9S
nPGfM6RhP3B7tGrrR3kRKUQXEPVsAF0Z+/0w5xXuDR6ftuD6ni/cUx4Fgw491IF+
4ruVkYdK4yZu8pH0opbDcQix4z0ITGuJ8m2zA5E3iruenKwyRIDBhtWYZfiu3V4v
2s9FO3Gcb7WkdQL/nZKZLk6PBwbXWkOZGDq5VYKlJ+Mbr9vPHZ7jgbDWXD61W0ZK
v65rLeS8LenINSbrmq3hPxW2ucZGJh3w/4mJMNZqgPsBvdhg0tvscLV/GNes9n+1
Bp0wDeG5vp/HvSLUmrTP
=LUCN
-----END PGP SIGNATURE-----
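The two trust levels described in the message above, as an added example that is not part of the original post or of PyPI's own implementation. Ed25519 keys and a SHA-256-of-key fingerprint stand in for GPG keys and PGP fingerprints (an assumption; the thread's design is GPG-based), and the metadata field set, the Publish / VerifyTrustingPyPI / VerifyWithLocalTrust names and the sample file contents are constructed for illustration. Level 1 trusts only a pinned PyPI key: PyPI's signature over the metadata attests which fingerprint was an accepted uploader at upload time, and the uploader's signature is then checked with whatever key matches that fingerprint, with no further trust in it. Level 2 additionally requires that key to be in the client's own trust store.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Fingerprint identifies a public key. Hex SHA-256 of the raw key bytes stands
// in for a PGP fingerprint here (assumption for this example).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Metadata is the record PyPI signs at upload time: it binds project and file to
// the fingerprint of the uploading key and to that key's signature over the file.
// The field set is an assumption for this example.
type Metadata struct {
	Project     string `json:"project"`
	Filename    string `json:"filename"`
	FileSHA256  string `json:"sha256"`
	Uploader    string `json:"uploader_fingerprint"`
	UploaderSig string `json:"uploader_sig"` // hex, uploader's signature over File
}

// Release is what a client fetches: the file, the uploader's public key (offered
// for convenience, never trusted by itself) and PyPI's signed metadata.
type Release struct {
	File        []byte
	UploaderPub ed25519.PublicKey
	Meta        []byte // JSON Metadata, exactly the bytes PyPI signed
	MetaSig     []byte // PyPI's signature over Meta
}

// Publish models the upload path: the maintainer signs the file, PyPI performs
// its simple key check against the registered key and signs the metadata.
func Publish(uploaderPriv, pypiPriv ed25519.PrivateKey, project, filename string, file []byte) (Release, error) {
	uploaderPub := uploaderPriv.Public().(ed25519.PublicKey)
	fileSig := ed25519.Sign(uploaderPriv, file)
	if !ed25519.Verify(uploaderPub, file, fileSig) {
		return Release{}, errors.New("upload signature does not verify")
	}
	digest := sha256.Sum256(file)
	meta, err := json.Marshal(Metadata{
		Project: project, Filename: filename,
		FileSHA256:  hex.EncodeToString(digest[:]),
		Uploader:    Fingerprint(uploaderPub),
		UploaderSig: hex.EncodeToString(fileSig),
	})
	if err != nil {
		return Release{}, err
	}
	return Release{File: file, UploaderPub: uploaderPub, Meta: meta, MetaSig: ed25519.Sign(pypiPriv, meta)}, nil
}

// VerifyTrustingPyPI is level 1: only the pinned PyPI key is trusted. The
// uploader's key is accepted solely because PyPI signed its fingerprint.
func VerifyTrustingPyPI(pypiPub ed25519.PublicKey, r Release) (Metadata, error) {
	var m Metadata
	if !ed25519.Verify(pypiPub, r.Meta, r.MetaSig) {
		return m, errors.New("PyPI signature over metadata does not verify")
	}
	if err := json.Unmarshal(r.Meta, &m); err != nil {
		return m, err
	}
	if Fingerprint(r.UploaderPub) != m.Uploader {
		return m, errors.New("offered uploader key does not match the fingerprint PyPI signed")
	}
	digest := sha256.Sum256(r.File)
	if hex.EncodeToString(digest[:]) != m.FileSHA256 {
		return m, errors.New("file digest does not match signed metadata")
	}
	sig, err := hex.DecodeString(m.UploaderSig)
	if err != nil || !ed25519.Verify(r.UploaderPub, r.File, sig) {
		return m, errors.New("uploader signature over file does not verify")
	}
	return m, nil
}

// VerifyWithLocalTrust is level 2: on top of level 1, the uploader's key must
// already be in the client's own trust store (the "import and sign the key" step).
func VerifyWithLocalTrust(pypiPub ed25519.PublicKey, r Release, trusted map[string]ed25519.PublicKey) (Metadata, error) {
	m, err := VerifyTrustingPyPI(pypiPub, r)
	if err != nil {
		return m, err
	}
	pub, ok := trusted[m.Uploader]
	if !ok {
		return m, errors.New("uploader key " + m.Uploader + " is not in the local trust store")
	}
	if !bytes.Equal(pub, r.UploaderPub) {
		return m, errors.New("local trust store holds a different key for this fingerprint")
	}
	return m, nil
}

func main() {
	pypiPub, pypiPriv, _ := ed25519.GenerateKey(rand.Reader)
	maintPub, maintPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample upload.
	rel, _ := Publish(maintPriv, pypiPriv, "example", "example-1.0.tar.gz", []byte("example-1.0.tar.gz contents"))
	_, err := VerifyTrustingPyPI(pypiPub, rel)
	fmt.Println("level 1:", err)
	_, err = VerifyWithLocalTrust(pypiPub, rel, map[string]ed25519.PublicKey{Fingerprint(maintPub): maintPub})
	fmt.Println("level 2:", err)
	// A mirror re-signs a trojaned file with its own key: the PyPI-signed fingerprint no longer matches.
	bad := rel
	bad.File, bad.UploaderPub = []byte("trojaned"), attackerPriv.Public().(ed25519.PublicKey)
	_, err = VerifyTrustingPyPI(pypiPub, bad)
	fmt.Println("tampered:", err)
}
```

The ordering inside VerifyTrustingPyPI matters: PyPI's signature is checked first so that every later field (fingerprint, digest, uploader signature) is read from bytes PyPI vouched for, and the offered key is only used after its fingerprint has been matched against that signed record. Without the PyPI signature a client would have to keep its own fingerprint-to-project mapping, which is exactly the level 2 trust store.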