Sourcecode isn't PGP signed #720
Labels
No Label
bug
build
dependencies
developers
documentation
duplicate
enhancement
formatting
invalid
legal
mobile
obsolete
packaging
performance
protocol
question
refactoring
regression
security
test
translation
usability
wontfix
No Milestone
No project
No Assignees
1 Participants
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: Bitmessage/PyBitmessage-2024-12-17#720
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
I noticed that neither tags nor commits are PGP signed. This really needs to be fixed - right now bitmessage users are trusting github. Bitcoin Core now signs both tags and individual git commits; Signing tags is pretty simple, just use the -s flag with git tag. As for git commits, Wladimir wrote up a good description of how to do this here: https://www.mail-archive.com/bitcoin-development%40lists.sourceforge.net/msg05467.html
👍
Just noting that #108 is already open requesting that release tags are signed.
Tags ok. Commits are a problem for me, because I mostly develop on a machine that does not have access to this repository (or anything that I need to keep secure, such as PGP keys). Also, I use Github Deskop there, and that does not support PGP. I commit to a separate repository, https://github.com/mailchuck/PyBitmessage
Then I use this account, on a different machine, to merge it (or I will once I start merging, I just got write access to this repository a couple of days ago). As far as I understand, you can't sign a merge.
If you have a recommendation about how to work around this, let me know.
You can sign a merge! Use the -S option if you're doing it through git merge; if you're merging a github pull-req a good tool is Bitcoin Core's github-merge.sh script, which is used on Bitcoin Core for every pull.
One good thing about PGP sigs is it forces you to ask how secure is your control of source code? Developing on another machine is fine, but do you think you actually check that code hasn't been modified on that machine? Would you ever notice? There aren't good solutions to many of these problems (yet) but at least with PGP sigs you stand a better chance of figuring out what went wrong after a hack happens.
Just to make clear, I'm far from opposed to PGP signing commits. I already looked at it a couple of days ago but couldn't figure out how to do with on Github Desktop. Now I looked at it again, and I found that it still has the ability to create a git shell (and I already have gpg installed on the machine). I created a new key for the address associated with the github account, signed the latest (unpushed) commit with --amend, and then checked it it out from another machine. It looks ok. Can you perhaps check it out too? I posted the link to the development repository above. This is what it looks like for me:
Maybe you need to wait for the key to propagate.
I now successfully tested that I can decrypt emails sent to dev@mailchuck.com. I'll do the same for the other account. It's a bit of a hassle as I need to manually copy&paste, but integrating GPG with PyBitmessage is a long term plan.
You could/should get a GnuPG Card with the Gemalto USB. It took about 5 days to receive mine. An alternative is the Yubico card, but I've not used it.
You won't have to worry about your private key security.
Key security is only a part of the problem, I still need to access the project website, for example. But I'm not saying no.
In the meantime, I found out that github now supports U2F. So, I ordered a Yubikey Neo, which supports both U2F and OpenPGP smartcard interface (up to 2048bit RSA). This will solve my worries about security. I now sign all the commits and I provided PGP signatures for the binaries of the 0.5.0 release of my fork. I screwed up on signing the tag itself but I'll get it right next time. I asked Jonathan to sign his commits too (he has PGP working already so it should be easy). So I consider this issue resolved.
Just an update.
First of all, I figured out how to sign tags, and the latest tag in my fork, https://github.com/mailchuck/PyBitmessage/releases/tag/v0.5.1 , is signed.
I also got the Yubikey today, created a new PGP key and revoked the old one. As far as I know, the old one hasn't been compromised, but don't use it anymore. The new key has the keyid B5F37D87 and the fingerprint is 52C9 7EBC 095A 2C08 63C0 98C8 0C5F 50C0 B5F3 7D87, and you can find it on the keyservers. It's valid both for the "mailchuck" and "PeterSurda" github accounts and for both email addresses as well. Over time I'll discontinue this github account ("mailchuck") and only use "PeterSurda".
Thanks guys! Signatures check out here.
Next step is get yourself into the web-of-trust and get someone to sign your keys, but just having sigs at all is a really big help as you can easily compare it against prior releases.