On 25.10.2016 at 16:07, Osamu Aoki wrote:
Hi Osamu,
> This is a very interesting report. I did not implement this feature so it
> is a learning experience for me. Please be patient.
>
>> When there is one signature of a key not listed in
>> debian/upstream/signing-key.asc a validation warning is thrown.
>
> This sounds good to me.
>
>> asterisk$ uscan
>> uscan: Newest version of asterisk on remote site is 13.11.2, local
>> version is 13.10.0~dfsg
>> (mangled local version is 13.10.0)
>> uscan: => Newer package available from
>>
>> http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-13.11.2.tar.gz
>> gpgv: Signature made Fri 09 Sep 2016 06:18:48 PM CEST
>> gpgv: using RSA key 368AB332B59975F3
>> gpgv: Good signature from "George Joseph <gjos...@digium.com>"
>> gpgv: Signature made Fri 09 Sep 2016 06:26:07 PM CEST
>> gpgv: using DSA key 9C59F000777DCC45
>> gpgv: Good signature from "Kevin Harwell <kharw...@digium.com>"
>> gpgv: Signature made Fri 09 Sep 2016 07:22:47 PM CEST
>> gpgv: using DSA key 6CB44E557BD982D8
>> gpgv: Good signature from "Richard Mudgett <rmudg...@digium.com>"
>> gpgv: Signature made Fri 09 Sep 2016 07:41:46 PM CEST
>> gpgv: using DSA key 8438CBA18D0CAA72
>> gpgv: Can't check signature: No public key
>> uscan warn: OpenPGP signature did not verify.
>>
>> In this case d/u/signing-key.asc contains
>>
>> asterisk$ gpg --import < debian/upstream/signing-key.asc
>> gpg: key DAB29B236B940F89: public key "Joshua Colp <jc...@joshua-colp.com>"
>> imported
>> gpg: key 9C59F000777DCC45: public key "Kevin Harwell <kharw...@digium.com>"
>> imported
>> gpg: key 6CB44E557BD982D8: public key "Richard Mudgett
>> <rmudg...@digium.com>" imported
>> gpg: key 368AB332B59975F3: public key "George Joseph <gjos...@digium.com>"
>> imported
>> gpg: Total number processed: 4
>> gpg: imported: 4
>>
>> DAB29B236B940F89 is in signing-key.asc but there is no signature, and
>> there is an additional signature from 8438CBA18D0CAA72
>
> You can check 8438CBA18D0CAA72 key using the web of trust. Then you can
> check signature manually. As for gbp, you can use "gbp import-orig
> ...". Then you can go on with life...

True, but at least for Asterisk there is no authoritative list of signing
keys, so whenever a new key appears you have to do some manual checking
for sanity.

>> IMHO this behaviour does not make any sense. You need to check the
>> authenticity of any additional key upstream might use before adding it
>> to the repo, you cannot just use one known-good key and ignore the rest.
>
> I do not get your point here. What do you mean by "rest".

When I know all good releases are signed by A and several other people,
I could just add A to debian/upstream/signing-key.asc and be done with it.

>> This even makes an attack a bit more likely, since control over just one
>> key in the set is enough to build and sign an accepted tarball.
>
> We are rejecting tarball as precautionary measure. So you can make
> manual check with your intelligence. I do not see any security problem
> here.

As far as I get this:

- Keyring: A B C
- New release signed by: A B E
- I need to add E to the keyring to have it validated
- from this point on uscan would also accept releases _only_ signed by E
  (since additional keys in the keyring don't throw an error, but
  additional signatures do)

Bernhard
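The acceptance rule argued about in this thread, written out as an added example; this is not uscan's code and not anything from the thread's participants. It parses the gpgv lines quoted in the bug report, applies the rule exactly as the thread describes it (every signature must be good and come from a key in debian/upstream/signing-key.asc, keyring keys that did not sign are fine), and replays Bernhard's A/B/C/E walk-through. `policy_with_quorum` is a hypothetical stricter rule shown for contrast only, not an option uscan offers, and the KEY_A..KEY_E identifiers are placeholders.

```python
import re
from typing import Dict, Set

# gpgv output copied from the uscan run quoted in the bug report, used here as
# sample input; key IDs and the obfuscated addresses are as they appear there.
GPGV_OUTPUT = """\
gpgv: Signature made Fri 09 Sep 2016 06:18:48 PM CEST
gpgv: using RSA key 368AB332B59975F3
gpgv: Good signature from "George Joseph <gjos...@digium.com>"
gpgv: Signature made Fri 09 Sep 2016 06:26:07 PM CEST
gpgv: using DSA key 9C59F000777DCC45
gpgv: Good signature from "Kevin Harwell <kharw...@digium.com>"
gpgv: Signature made Fri 09 Sep 2016 07:22:47 PM CEST
gpgv: using DSA key 6CB44E557BD982D8
gpgv: Good signature from "Richard Mudgett <rmudg...@digium.com>"
gpgv: Signature made Fri 09 Sep 2016 07:41:46 PM CEST
gpgv: using DSA key 8438CBA18D0CAA72
gpgv: Can't check signature: No public key
"""

# Long key IDs that debian/upstream/signing-key.asc held according to the thread.
KEYRING = {"DAB29B236B940F89", "9C59F000777DCC45",
           "6CB44E557BD982D8", "368AB332B59975F3"}

_KEY_LINE = re.compile(r"^gpgv: using \w+ key ([0-9A-F]{16})$")


def parse_gpgv(text: str) -> Dict[str, str]:
    """Return {key_id: verdict} with verdict in {'good', 'nokey', 'bad'},
    pairing each 'using ... key' line with the verdict line that follows."""
    verdicts: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
        elif current is not None:
            if line.startswith("gpgv: Good signature"):
                verdicts[current] = "good"
            elif line.startswith("gpgv: Can't check signature"):
                verdicts[current] = "nokey"
            elif line.startswith("gpgv: BAD signature"):
                verdicts[current] = "bad"
    return verdicts


def policy_as_described(verdicts: Dict[str, str], keyring: Set[str]) -> str:
    """Rule the thread describes: every signature on the tarball must be good
    and come from a key in the keyring; keyring keys that did not sign are
    not an error. Returns 'ok' or 'warn'."""
    if not verdicts:
        return "warn"
    if any(v != "good" for v in verdicts.values()):
        return "warn"
    if set(verdicts) - keyring:
        return "warn"
    return "ok"


def policy_with_quorum(verdicts: Dict[str, str], keyring: Set[str],
                       required: int) -> str:
    """Hypothetical stricter rule, not a uscan option: on top of the rule
    above, require at least `required` distinct good signatures from keys
    in the keyring, so a single added key cannot pass a release on its own."""
    if policy_as_described(verdicts, keyring) != "ok":
        return "warn"
    known_good = {k for k, v in verdicts.items() if v == "good" and k in keyring}
    return "ok" if len(known_good) >= required else "warn"


def replay_thread_scenario() -> Dict[str, str]:
    """Bernhard's A/B/C/E walk-through with constructed placeholder key IDs."""
    A, B, C, E = "KEY_A", "KEY_B", "KEY_C", "KEY_E"
    keyring = {A, B, C}
    out: Dict[str, str] = {}
    # Release signed by A, B and the unknown E: gpgv would report E as 'nokey'.
    abe = {A: "good", B: "good", E: "nokey"}
    out["abe_before"] = policy_as_described(abe, keyring)
    # Maintainer adds E to the keyring; all three signatures now verify.
    keyring.add(E)
    abe[E] = "good"
    out["abe_after"] = policy_as_described(abe, keyring)
    # Consequence raised in the thread: a tarball signed only by E now passes.
    out["e_only"] = policy_as_described({E: "good"}, keyring)
    # The same tarball under a two-signer quorum is flagged.
    out["e_only_quorum"] = policy_with_quorum({E: "good"}, keyring, required=2)
    return out


if __name__ == "__main__":
    print(parse_gpgv(GPGV_OUTPUT))
    print(policy_as_described(parse_gpgv(GPGV_OUTPUT), KEYRING))
    print(replay_thread_scenario())
```

Run against the quoted gpgv output, `policy_as_described` returns "warn" because of the 8438CBA18D0CAA72 signature, matching the thread; the replay shows "ok" for the E-only release once E is in the keyring, which is the point Bernhard's list makes, while the quorum variant flags it.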