I too have direct experience working on many package managers specifically on the problem of package signing, and I would argue for a signing system to be useful, at a minimum every package needs to be signed by a key which is ultimately trusted by the end user
...but then there’s this problem to consider: how to handle key rotation
For package signing, automatic rotation based on the old key signing off on the rotation to a new key works well. Here's an example:
source.android.com/security/apksi
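The rotation mechanism the reply above points at (the old key endorses the new one, and a client that trusts the old key can follow that endorsement forward, as Android's APK signing lineage does) is shown here as an added Go example; it is not code from the thread or from Android. The `Rotation` record, the `"rotate-to:"` / `"rotate-from:"` message prefixes, the use of Ed25519 and the sample package bytes are all my own constructions, and `Demo` builds its keys at runtime rather than using any real project's keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Rotation is one link in a key lineage: the previous key endorses the new
// key, and the new key acknowledges the previous one. Requiring both
// directions is the same idea as APK Signature Scheme v3 proof-of-rotation
// (constructed layout; the exact Android encoding is not reproduced here).
type Rotation struct {
	Old, New ed25519.PublicKey
	SigByOld []byte // old key signs "rotate-to:" || New
	SigByNew []byte // new key signs "rotate-from:" || Old
}

func rotationMsgOld(newKey ed25519.PublicKey) []byte { return append([]byte("rotate-to:"), newKey...) }
func rotationMsgNew(oldKey ed25519.PublicKey) []byte { return append([]byte("rotate-from:"), oldKey...) }

// NewRotation creates a signed rotation record. Both private keys are needed,
// which is why an unauthorised rotation cannot be produced without the old key.
func NewRotation(oldPriv, newPriv ed25519.PrivateKey) Rotation {
	oldPub := oldPriv.Public().(ed25519.PublicKey)
	newPub := newPriv.Public().(ed25519.PublicKey)
	return Rotation{
		Old: oldPub, New: newPub,
		SigByOld: ed25519.Sign(oldPriv, rotationMsgOld(newPub)),
		SigByNew: ed25519.Sign(newPriv, rotationMsgNew(oldPub)),
	}
}

// ResolveCurrentKey walks the lineage from the key the user already trusts
// (pinned on first use or shipped with the client) and returns the key at
// the end of the chain, or an error if any link is not properly endorsed.
func ResolveCurrentKey(trusted ed25519.PublicKey, lineage []Rotation) (ed25519.PublicKey, error) {
	cur := trusted
	for i, r := range lineage {
		if !r.Old.Equal(cur) {
			return nil, fmt.Errorf("rotation %d: old key does not match current trusted key", i)
		}
		if !ed25519.Verify(r.Old, rotationMsgOld(r.New), r.SigByOld) {
			return nil, fmt.Errorf("rotation %d: new key not endorsed by old key", i)
		}
		if !ed25519.Verify(r.New, rotationMsgNew(r.Old), r.SigByNew) {
			return nil, fmt.Errorf("rotation %d: new key did not acknowledge old key", i)
		}
		cur = r.New
	}
	return cur, nil
}

// VerifyPackage checks a package's detached signature against whichever key
// the lineage resolves to; it returns nil only if the whole chain is valid.
func VerifyPackage(trusted ed25519.PublicKey, lineage []Rotation, pkg, sig []byte) error {
	key, err := ResolveCurrentKey(trusted, lineage)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(pkg)
	if !ed25519.Verify(key, digest[:], sig) {
		return errors.New("package signature invalid")
	}
	return nil
}

// Demo builds a two-step lineage k0 -> k1 -> k2 and returns
// (honest lineage accepted, forged rotation rejected).
func Demo() (bool, bool) {
	_, k0, _ := ed25519.GenerateKey(rand.Reader)
	_, k1, _ := ed25519.GenerateKey(rand.Reader)
	_, k2, _ := ed25519.GenerateKey(rand.Reader)
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	pinned := k0.Public().(ed25519.PublicKey)
	pkg := []byte("constructed sample package contents") // constructed input, not a real artifact
	digest := sha256.Sum256(pkg)

	lineage := []Rotation{NewRotation(k0, k1), NewRotation(k1, k2)}
	honest := VerifyPackage(pinned, lineage, pkg, ed25519.Sign(k2, digest[:])) == nil

	// Someone who never held k1 cannot endorse a new key on its behalf:
	// a link whose "old key" signature was made with the wrong key is rejected.
	k1Pub := k1.Public().(ed25519.PublicKey)
	attPub := attacker.Public().(ed25519.PublicKey)
	forged := Rotation{
		Old: k1Pub, New: attPub,
		SigByOld: ed25519.Sign(attacker, rotationMsgOld(attPub)), // not k1's signature
		SigByNew: ed25519.Sign(attacker, rotationMsgNew(k1Pub)),
	}
	badLineage := []Rotation{NewRotation(k0, k1), forged}
	rejected := VerifyPackage(pinned, badLineage, pkg, ed25519.Sign(attacker, digest[:])) != nil
	return honest, rejected
}

func main() {
	ok, rejected := Demo()
	fmt.Printf("honest lineage accepted: %v, forged rotation rejected: %v\n", ok, rejected)
}
```

The point a package-manager client should take from this is that the only key it ever needs to have pinned is the first one; every later key is accepted solely because the previously trusted key vouched for it, so key rotation does not reopen the trust-on-first-use window.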
I don't understand making this out to be so hard when package signing is used at huge scales surprisingly successfully.
...and sure, it works great if you don’t give a fuck about the practical implications ¯\_(ツ)_/¯
I do care about the practical implications, and I also realize that a system doesn't need to be perfect to mitigate many real attacks. Doing better than trust-on-first-use is hard but it can be built on top of a baseline implementation and isn't required to have lots of value.
Nearly every system boils down to some form of trust-on-first-use, like Domain Validation for HTTPS. That just delegates an insecure initial check to many completely trusted authorities and yet in practice it works pretty well, and is a whole lot better than just using HTTP.
It doesn't need to be a perfect system to have a lot of value and mitigate many real world attacks. Security nihilism is such a lazy position. I think having TOFU with fingerprints pinned alongside versions is the *least* that people should expect from language package managers.
The bar for Linux package signing is considerably higher. I have my choice in Linux distributions and I’ll take one with a central builder/signer. The Arch Linux “solution” sounds rather, what’s the word... clownshoes.
Most Linux distributions fully trust the packagers and a central build / signing server, along with not verifying signatures for sources. I think you're unfamiliar with how it works elsewhere if you think trusting 20 vetted people to sign builds of packages is bad.
Having a central build / signing server doesn't mean a developer wasn't also fully trusted with what they told the server to build, without anyone reviewing what they asked it to build. It's usually not the case that a central build server is trusted *instead* of developers.
We're not at the point that there are fully reproducible builds across the board and a requirement of having multiple signatures asserting that the build matches the sources. Distributions rarely even verify the sources in the small subset of cases where signatures are available.
I will take a central builder/signer over a bunch of TOFU signing keys for signing random binary blobs who knows built who knows how on who knows what, thank you very much
I never said Arch Linux used TOFU signing keys or that it's unknown who built what and who is trusted.