Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: gpg key used to sign zsh tarball has no trusted signatures so how can I trust it?
vapnik spaknik wrote on Fri, 10 Jul 2020 21:47 +0000:
> Hi,
>     the zsh tarballs available on sourceforge & zsh.org are signed by "dana@xxxxxxx", but this key has no chain of trust associated with it, only self signatures. How do I know that "dana" is trustworthy, and hasn't hidden some malicious code in the tarball? I can see "dana@xxxxxxx" listed in the ChangeLog, but that's not much reassurance (it could have been achieved with a simple search-replace).

You can compare the git tag to the tarball.  They should be identical,
other than some generated files.

You can also look up the various distro packages of zsh.  Those
packages are signed, and the distro maintainers should have solved this
problem before building and signing their packages.

For example, from the Debian package's repository:

https://salsa.debian.org/debian/zsh/commit/14d262602341f1a2d69aa9149a331d047851ef55
>> I retrieved the key with `gpg --recv-keys 7CA7ECAAF06216B90F894146ACF8146CAE8CBBC4`,
>> where the hash value was obtained by pulling upstream's zsh-web.git over an SSH
>> remote and inspecting Arc/source.html in the resulting clone.

That's how Debian established trust in dana's key.  (It's worth noting
that I wrote that log message, and I'm the one who set up dana's
release manager's upload access, so I had additional, out-of-band
reasons to trust.)

I didn't actually sign that specific commit — in hindsight, that
wouldn't have been a bad idea — but it's contained in the subsequent
«debian/5.7.1-test-3-1» tag, which is PGP-signed by a WoT-connected
individual.

(And I'm not signing *this* email because it's past midnight and I
don't have the brainwidth to re-verify that fingerprint right now)

[Arc/source.html is public at
http://zsh.sourceforge.net/Arc/source.html, as is zsh-web.git via
https://sf.net/projects/zsh]

> Considering how fundamental and frequently used zsh is, I think it's very important that we can trust the tarball, don't you?

Sure.

Note that key pinning is a partial answer: now that dana has RM'd a
stable release, verifying the next release comes from the same key will
provide a non-trivial guarantee.

> Here's a suggestion for some of the long term developers; why not contact each other by email and arrange a video conference to get to know each other a little bit, and sign each others public gpg keys?

I suppose I could verify dana's identity using
https://www.rants.org/2009/11/instant-answer-protocol/ (real-time
questions/answers + verify push access) and sign her key on that basis,
but I don't know when she and I would both have time.

Agreed it'd be a good thing.  Thanks for raising this.

Cheers,

Daniel

P.S.  (I'm replying to emails out of order, so to those who sent me
offlist emails and haven't seen a reply yet, you're not forgotten :))
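The key pinning Daniel describes above, worked through as an added example (not code from the zsh project or from anyone in this thread): accept a release signature only if gpg reports the already-known primary-key fingerprint, independent of whether that key has any web-of-trust signatures. It assumes gpg's `--status-fd` line format; the pinned fingerprint is the one quoted from Debian's commit log, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the zsh project or from anyone in this thread.
# Key pinning for zsh release tarballs: once one release is known to come from
# dana's key, later releases are accepted only if gpg reports the same primary
# key fingerprint, whether or not that key has any web-of-trust signatures.
# The pinned value is the fingerprint Debian recorded (quoted in the thread).
PINNED_FPR="7CA7ECAAF06216B90F894146ACF8146CAE8CBBC4"

# check_pinned_sig PINNED_FPR: reads `gpg --status-fd 1` output on stdin.
# Returns 0 only if a VALIDSIG line names the pinned *primary* key (field 12;
# field 3 may be a signing subkey) and no bad/expired/revoked status appeared.
# gpg emits VALIDSIG even for keys with no trust path (TRUST_UNDEFINED), so the
# pin, not the trust model, is what decides here.
check_pinned_sig() {
    pinned=$1
    matched=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                primary=$(printf '%s\n' "$line" | awk '{ print $12 }')
                if [ "$primary" = "$pinned" ]; then matched=0; fi ;;
        esac
    done
    return "$matched"
}

# verify_tarball TARBALL SIGFILE: the real call; needs gpg and dana's public key
# in the local keyring (e.g. after `gpg --recv-keys "$PINNED_FPR"`).
verify_tarball() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_pinned_sig "$PINNED_FPR"
}

# Constructed status lines for offline demonstration (not real gpg output;
# the 1111.../2222... fingerprints are placeholders).
# Signature made by a subkey of the pinned key: accepted.
SAMPLE_SUBKEY='[GNUPG:] GOODSIG 1111111111111111 dana <dana@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2020-07-10 1594418820 0 4 0 22 8 01 7CA7ECAAF06216B90F894146ACF8146CAE8CBBC4
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# Valid signature from an unrelated key that even has full trust: rejected.
SAMPLE_OTHER='[GNUPG:] GOODSIG 2222222222222222 someone <someone@example.invalid>
[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2020-07-10 1594418820 0 4 0 1 10 01 2222222222222222222222222222222222222222
[GNUPG:] TRUST_FULLY 0 pgp'

printf '%s\n' "$SAMPLE_SUBKEY" | check_pinned_sig "$PINNED_FPR" && echo "subkey sample: accepted"
printf '%s\n' "$SAMPLE_OTHER" | check_pinned_sig "$PINNED_FPR" || echo "other-key sample: rejected"
```

Comparing the unpacked tarball against the signed git tag, as Daniel also suggests, is a separate check; this block only covers the signature side.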
