(fwd from email@example.com) Suggestion: describe (or link to) how to verify your distributions
mbp at sourcefrog.net
Fri Nov 22 23:44:00 GMT 2002
On 22 Nov 2002, Steve Langasek <vorlon at netexpress.net> wrote:
> On Fri, Nov 22, 2002 at 03:16:09PM -0600, David W. Chapman Jr. wrote:
> > On Fri, Nov 22, 2002 at 01:08:39PM -0800, Martin Pool wrote:
> > > Yeah, sure, but:
> > > What does this all mean? Why should I care?
> > > Where do I get GPG?
> > > Where do I get the samba codesigning key? How do I import it? How
> > > do I know I got the right one?
> > > What do I do if it doesn't verify?
> > I always wondered if someone uploaded a tarball with a trojan, what's
> > preventing them from updating the .asc file as well?

The signature file can only be produced by somebody who has the
private key, which (I hope) only resides on well-secured machines
separate from the distribution machine. For example it might be on a
PC at Jerry's house.

> It's a cryptographic signature that can only be produced using a specific
> key. Assuming that the key belongs to the party whose name is on it, and
> assuming that the key is well-protected from theft, and assuming that the
> algorithms used by PGP haven't been broken, you can be assured that the
> signature was made by the person it claims to have come from.

So the failure modes are:

1 - Somebody breaks into Jerry or some other signer's PC, and from
    there to samba.org.
    Equivalently, Jerry's laptop is stolen by somebody smart enough
    to understand what they found. (Don't take keys to DEFCON!)

2 - Somebody uploads an invalid .asc file, but nobody actually checks
    it, or at least nobody raises the alarm for some time.

3 - Somebody changed the .tgz, .asc, and also the key stored on the
    same keyserver. The key is signed with what look like plausible
    signatures. Again, this will eventually be detected, but
    perhaps not until some trouble is caused.

4 - GPG is broken. (By far the least likely.)
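An added example, not part of the original message or of the Samba project: a small sh check that answers the "how do I know I got the right key" and "what if someone replaced the key too" points above by verifying a tarball against its .asc in a throwaway keyring and accepting the result only when gpg's machine-readable status reports GOODSIG plus a VALIDSIG whose fingerprint equals one the verifier pinned from an independent source. The function names `check_status` and `verify_release`, and the fingerprints used in the test, are constructed for this example.

```shell
#!/bin/sh
# check_status EXPECTED_FPR   (reads "gpg --status-fd 1" lines on stdin)
# Succeeds only when gpg reported GOODSIG and a VALIDSIG whose signing-key
# fingerprint (field 3) or primary-key fingerprint (field 12) equals the
# fingerprint pinned by the caller. Spaces and case in EXPECTED_FPR are ignored.
# A BADSIG, NO_PUBKEY, or a good signature from some other key all fail.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $12 == want) { fpr = 1 }
        END { if (good && fpr) exit 0; exit 1 }'
}

# verify_release TARBALL SIGFILE KEYFILE EXPECTED_FPR
# KEYFILE is the signer's public key fetched somewhere other than the
# download server (so a swapped key on that server does not help an
# attacker); EXPECTED_FPR is the fingerprint confirmed out of band.
# A fresh --homedir keeps the user's own keyring and trust settings out of it.
verify_release() {
    tarball=$1 sigfile=$2 keyfile=$3 expected=$4
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    if ! gpg --homedir "$home" --batch --quiet --import "$keyfile" 2>/dev/null; then
        rm -rf "$home"; return 1
    fi
    gpg --homedir "$home" --batch --status-fd 1 --verify "$sigfile" "$tarball" 2>/dev/null \
        | check_status "$expected"
    rc=$?
    rm -rf "$home"
    return $rc
}

# Usage (paths and fingerprint are placeholders):
#   verify_release samba-X.Y.Z.tar.gz samba-X.Y.Z.tar.gz.asc samba-pubkey.asc \
#       'FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98' && echo "signature OK"
```

A verified signature only shows the tarball was signed by the pinned key; it says nothing about whether that key's holder was compromised (failure modes 1 and 2 above), which is why a failed check should be raised loudly rather than retried with a different key.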