Sourcecode isn't PGP signed #720

New Issue

2014-09-22T05:01:26+02:00

petertodd commented

2014-09-22 05:01:26 +02:00

(Migrated from github.com)

I noticed that neither tags nor commits are PGP signed. This really needs to be fixed - right now bitmessage users are trusting github. Bitcoin Core now signs both tags and individual git commits; Signing tags is pretty simple, just use the -s flag with git tag. As for git commits, Wladimir wrote up a good description of how to do this here: https://www.mail-archive.com/bitcoin-development%40lists.sourceforge.net/msg05467.html

grant-olson commented

2014-10-14 21:04:06 +02:00

(Migrated from github.com)

👍

Just noting that #108 is already open requesting that release tags are signed.

:+1: Just noting that #108 is already open requesting that release tags are signed.

PeterSurda commented

2015-10-18 13:28:09 +02:00

(Migrated from github.com)

Tags ok. Commits are a problem for me, because I mostly develop on a machine that does not have access to this repository (or anything that I need to keep secure, such as PGP keys). Also, I use Github Deskop there, and that does not support PGP. I commit to a separate repository, https://github.com/mailchuck/PyBitmessage

Then I use this account, on a different machine, to merge it (or I will once I start merging, I just got write access to this repository a couple of days ago). As far as I understand, you can't sign a merge.

If you have a recommendation about how to work around this, let me know.

Tags ok. Commits are a problem for me, because I mostly develop on a machine that does not have access to this repository (or anything that I need to keep secure, such as PGP keys). Also, I use Github Deskop there, and that does not support PGP. I commit to a separate repository, https://github.com/mailchuck/PyBitmessage Then I use this account, on a different machine, to merge it (or I will once I start merging, I just got write access to this repository a couple of days ago). As far as I understand, you can't sign a merge. If you have a recommendation about how to work around this, let me know.

petertodd commented

2015-10-18 14:14:31 +02:00

(Migrated from github.com)

You can sign a merge! Use the -S option if you're doing it through git merge; if you're merging a github pull-req a good tool is Bitcoin Core's github-merge.sh script, which is used on Bitcoin Core for every pull.

One good thing about PGP sigs is it forces you to ask how secure is your control of source code? Developing on another machine is fine, but do you think you actually check that code hasn't been modified on that machine? Would you ever notice? There aren't good solutions to many of these problems (yet) but at least with PGP sigs you stand a better chance of figuring out what went wrong after a hack happens.

You can sign a merge! Use the -S option if you're doing it through git merge; if you're merging a github pull-req a good tool is Bitcoin Core's [github-merge.sh](https://github.com/bitcoin/bitcoin/blob/master/contrib/devtools/github-merge.sh) script, which is used on Bitcoin Core for every pull. One good thing about PGP sigs is it forces you to ask how secure is your control of source code? Developing on another machine is fine, but do you think you actually check that code hasn't been modified on that machine? Would you ever notice? There aren't good solutions to many of these problems (yet) but at least with PGP sigs you stand a better chance of figuring out what went wrong after a hack happens.

PeterSurda commented

2015-10-18 15:04:26 +02:00

(Migrated from github.com)

Just to make clear, I'm far from opposed to PGP signing commits. I already looked at it a couple of days ago but couldn't figure out how to do with on Github Desktop. Now I looked at it again, and I found that it still has the ability to create a git shell (and I already have gpg installed on the machine). I created a new key for the address associated with the github account, signed the latest (unpushed) commit with --amend, and then checked it it out from another machine. It looks ok. Can you perhaps check it out too? I posted the link to the development repository above. This is what it looks like for me:

commit dad14b0cb8dc61537db69de17257775d7830c70e
gpg: Signature made Son 18 Okt 2015 14:52:09 CEST using RSA key ID 53FBF089
gpg: Good signature from "Peter Surda (mailchuck) <dev@mailchuck.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BFEA 5E1F 78D9 8CA7 9C2C  B185 B631 1FA7 53FB F089
Author: mailchuck <dev@mailchuck.com>
Date:   Sat Oct 17 17:11:40 2015 +0200

    Bump up version

Maybe you need to wait for the key to propagate.

Just to make clear, I'm far from opposed to PGP signing commits. I already looked at it a couple of days ago but couldn't figure out how to do with on Github Desktop. Now I looked at it again, and I found that it still has the ability to create a git shell (and I already have gpg installed on the machine). I created a new key for the address associated with the github account, signed the latest (unpushed) commit with --amend, and then checked it it out from another machine. It looks ok. Can you perhaps check it out too? I posted the link to the development repository above. This is what it looks like for me: ``` commit dad14b0cb8dc61537db69de17257775d7830c70e gpg: Signature made Son 18 Okt 2015 14:52:09 CEST using RSA key ID 53FBF089 gpg: Good signature from "Peter Surda (mailchuck) <dev@mailchuck.com>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: BFEA 5E1F 78D9 8CA7 9C2C B185 B631 1FA7 53FB F089 Author: mailchuck <dev@mailchuck.com> Date: Sat Oct 17 17:11:40 2015 +0200 Bump up version ``` Maybe you need to wait for the key to propagate.

mailchuck commented

2015-10-18 21:22:00 +02:00

(Migrated from github.com)

I now successfully tested that I can decrypt emails sent to dev@mailchuck.com. I'll do the same for the other account. It's a bit of a hassle as I need to manually copy&paste, but integrating GPG with PyBitmessage is a long term plan.

zariok commented

2015-10-23 04:08:57 +02:00

(Migrated from github.com)

You could/should get a GnuPG Card with the Gemalto USB. It took about 5 days to receive mine. An alternative is the Yubico card, but I've not used it.

You won't have to worry about your private key security.

You could/should get a [GnuPG Card](http://shop.kernelconcepts.de/) with the Gemalto USB. It took about 5 days to receive mine. An alternative is the Yubico card, but I've not used it. You won't have to worry about your private key security.

mailchuck commented

2015-10-23 06:51:31 +02:00

(Migrated from github.com)

Key security is only a part of the problem, I still need to access the project website, for example. But I'm not saying no.

PeterSurda commented

2015-10-29 15:34:35 +01:00

(Migrated from github.com)

In the meantime, I found out that github now supports U2F. So, I ordered a Yubikey Neo, which supports both U2F and OpenPGP smartcard interface (up to 2048bit RSA). This will solve my worries about security. I now sign all the commits and I provided PGP signatures for the binaries of the 0.5.0 release of my fork. I screwed up on signing the tag itself but I'll get it right next time. I asked Jonathan to sign his commits too (he has PGP working already so it should be easy). So I consider this issue resolved.

In the meantime, I found out that [github now supports U2F](https://github.com/blog/2071-github-supports-universal-2nd-factor-authentication). So, I ordered a [Yubikey Neo](https://www.yubico.com/products/yubikey-hardware/yubikey-neo/), which supports both U2F and OpenPGP smartcard interface (up to 2048bit RSA). This will solve my worries about security. I now sign all the commits and I provided PGP signatures for the [binaries of the 0.5.0 release of my fork](https://github.com/mailchuck/PyBitmessage/releases/tag/v0.5.0). I screwed up on signing the tag itself but I'll get it right next time. I asked Jonathan to sign his commits too (he has PGP working already so it should be easy). So I consider this issue resolved.

mailchuck commented

2015-11-03 21:36:19 +01:00

(Migrated from github.com)

Just an update.

First of all, I figured out how to sign tags, and the latest tag in my fork, https://github.com/mailchuck/PyBitmessage/releases/tag/v0.5.1 , is signed.

I also got the Yubikey today, created a new PGP key and revoked the old one. As far as I know, the old one hasn't been compromised, but don't use it anymore. The new key has the keyid B5F37D87 and the fingerprint is 52C9 7EBC 095A 2C08 63C0 98C8 0C5F 50C0 B5F3 7D87, and you can find it on the keyservers. It's valid both for the "mailchuck" and "PeterSurda" github accounts and for both email addresses as well. Over time I'll discontinue this github account ("mailchuck") and only use "PeterSurda".

Just an update. First of all, I figured out how to sign tags, and the latest tag in my fork, https://github.com/mailchuck/PyBitmessage/releases/tag/v0.5.1 , is signed. I also got the Yubikey today, created a new PGP key and revoked the old one. As far as I know, the old one hasn't been compromised, but don't use it anymore. The new key has the keyid B5F37D87 and the fingerprint is 52C9 7EBC 095A 2C08 63C0 98C8 0C5F 50C0 B5F3 7D87, and you can find it on the keyservers. It's valid both for the "mailchuck" and "PeterSurda" github accounts and for both email addresses as well. Over time I'll discontinue this github account ("mailchuck") and only use "PeterSurda".

petertodd commented

2015-11-10 21:04:37 +01:00

(Migrated from github.com)

Thanks guys! Signatures check out here.

Next step is get yourself into the web-of-trust and get someone to sign your keys, but just having sigs at all is a really big help as you can easily compare it against prior releases.

Thanks guys! Signatures check out here. Next step is get yourself into the web-of-trust and get someone to sign your keys, but just having sigs at all is a really big help as you can easily compare it against prior releases.

This repo is archived. You cannot comment on issues.