[Catalog-sig] [Draft] Package signing and verification process

M.-A. Lemburg mal at egenix.com
Thu Feb 7 12:55:12 CET 2013


On 07.02.2013 12:49, Giovanni Bajo wrote:
> On 07/feb/2013, at 11:59, "M.-A. Lemburg" <mal at egenix.com> wrote:
> 
>> Sorry, if this has already been mentioned, but we could make GPG
>> signing very user friendly for the PyPI users by:
>>
>> - having the PyPI server verify the uploaded file against the
>>  registered GPG key of the uploader
>>
>> - have the PyPI server sign the uploaded file using its own
>>  key (so you have two .asc signature files per upload - one coming
>>  directly from the uploader and another one from the PyPI server)
>>
>> - have package managers verify the downloaded file against the
>>  signature applied by PyPI
>>
>> Package managers would only have to know the PyPI public key
>> for this to work.
>>
>> Users who want to apply an extra check, could also verify
>> the uploader's .asc signature file, but this would require
>> downloading and installing the uploader's GPG key; in return
>> for the extra work, they'd get two way verification, though.
>>
>> The concept is based on trust: PyPI trusts the uploader provided
>> that s/he is using the registered GPG key. Package managers (and
>> users) trust PyPI.
> 
> 
> This has already been proposed (first mail in this thread), but I still fail to see, from a security perspective, what the additional signature performed by PyPI buys us. It is complicated and delicate to handle on the server side, it would require key management, rotation, etc., and I still don't see what the point is.
>
> As long as PyPI tells the client "key ABCD1234 is authoritative for package django", and it tells it through a (verified) SSL connection, I don't think the signature itself is useful.
> 
> Can you please describe an attack that can be mounted against PyPI/pip that is prevented by having this additional signature?

This is not about preventing some kind of attack. It's to simplify
the setup for the user of PyPI (via the package manager).

The user will no longer have to install several tens or even
hundreds of different uploader GPG keys locally just to be able
to verify the downloads. Instead, just the PyPI key is needed.

I think that's important to not disrupt the PyPI user experience.

Additionally, as already mentioned by Lennart, all the GPG interaction
could be handled by the package managers.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Feb 07 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
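The three-step flow quoted above (server verifies the upload against the uploader's registered key, server countersigns with its own key, package manager checks only the server's signature) as an added, self-contained Go example; it is not code from the thread or from PyPI/pip. It uses Ed25519 from the Go standard library as a stand-in for GPG, an assumption made so the example runs offline; the registry, project name, key names and file contents are all constructed here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry maps a project name to the uploader key registered for it.
// In the proposal this is the uploader's GPG key registered with PyPI;
// here an Ed25519 key stands in for GPG (assumption of this example).
type Registry map[string]ed25519.PublicKey

// Upload is what the uploader sends: the file plus the uploader's own
// signature (the first of the two .asc files in the proposal).
type Upload struct {
	Project     string
	File        []byte
	UploaderSig []byte
}

// Published is what the index serves after accepting an upload: the file,
// the uploader's signature, and the index's own signature (the second .asc).
type Published struct {
	Upload
	IndexSig []byte
}

// Server holds the index signing key and the uploader-key registry.
type Server struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // the one key package managers need to know
	reg  Registry
}

func NewServer(reg Registry) (*Server, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv, Pub: pub, reg: reg}, nil
}

var (
	ErrUnknownProject = errors.New("no registered key for project")
	ErrBadUploaderSig = errors.New("uploader signature does not verify against registered key")
	ErrBadIndexSig    = errors.New("index signature does not verify")
)

// Accept is steps 1 and 2: verify the upload against the key registered for
// the project, then countersign the same bytes with the index key.
func (s *Server) Accept(u Upload) (Published, error) {
	key, ok := s.reg[u.Project]
	if !ok {
		return Published{}, ErrUnknownProject
	}
	if !ed25519.Verify(key, u.File, u.UploaderSig) {
		return Published{}, ErrBadUploaderSig
	}
	return Published{Upload: u, IndexSig: ed25519.Sign(s.priv, u.File)}, nil
}

// ClientVerify is step 3: a package manager that knows only the index public
// key checks the index signature over the downloaded file.
func ClientVerify(indexPub ed25519.PublicKey, p Published) error {
	if !ed25519.Verify(indexPub, p.File, p.IndexSig) {
		return ErrBadIndexSig
	}
	return nil
}

// ClientVerifyBoth is the optional extra check from the proposal: the client
// has also fetched the uploader's key and verifies both signatures.
func ClientVerifyBoth(indexPub, uploaderPub ed25519.PublicKey, p Published) error {
	if err := ClientVerify(indexPub, p); err != nil {
		return err
	}
	if !ed25519.Verify(uploaderPub, p.File, p.UploaderSig) {
		return ErrBadUploaderSig
	}
	return nil
}

// Outcome records the result of each check in Scenario.
type Outcome struct {
	HonestAccepted   bool // upload signed with the registered key is accepted
	WrongKeyRejected bool // upload signed with an unregistered key is refused
	BothOK           bool // client verifying both signatures succeeds
	TamperedRejected bool // file altered after signing fails the index check
}

// Scenario runs the whole flow on constructed data.
func Scenario() (Outcome, error) {
	djangoPub, djangoPriv, _ := ed25519.GenerateKey(rand.Reader) // registered
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)       // not registered
	srv, err := NewServer(Registry{"django": djangoPub})
	if err != nil {
		return Outcome{}, err
	}
	file := []byte("Django-1.5.tar.gz (constructed sample contents)")
	var out Outcome

	pub, err := srv.Accept(Upload{"django", file, ed25519.Sign(djangoPriv, file)})
	out.HonestAccepted = err == nil
	if err != nil {
		return out, err
	}
	_, err = srv.Accept(Upload{"django", file, ed25519.Sign(strangerPriv, file)})
	out.WrongKeyRejected = errors.Is(err, ErrBadUploaderSig)

	out.BothOK = ClientVerifyBoth(srv.Pub, djangoPub, pub) == nil
	tampered := pub // struct copy; Replace allocates a new slice, so pub is untouched
	tampered.File = bytes.Replace(pub.File, []byte("1.5"), []byte("1.6"), 1)
	out.TamperedRejected = errors.Is(ClientVerify(srv.Pub, tampered), ErrBadIndexSig)
	return out, nil
}

func main() {
	out, err := Scenario()
	fmt.Printf("%+v err=%v\n", out, err)
}
```

The index signature proves only that the index accepted the file from a key registered for that project, which is exactly the point of the exchange above: the package manager needs one key instead of one per uploader, and a client that wants a statement from the uploader rather than from the index still has to fetch the uploader's key and use ClientVerifyBoth.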

