[WineHQ] service.cgi fixes
paulm at astro.gla.ac.uk
Fri Jun 11 10:45:29 CDT 2004
-----BEGIN PGP SIGNED MESSAGE-----
Ultimately, all PKI suffers from the weakness that, unless you
distribute the public keys out-of-band (e.g. via CDROM and recorded
delivery), then you can't trust signatures.
Practically, with web browsers (for example), what happens is certain
public keys (of known CAs) are distributed with the software. It's
fairly unlikely (but not impossible) that these are altered whilst
someone's downloading their browser. Since that happens fairly rarely
(less frequently than verifying a certificate), it's fairly safe.
Much the same applies with the gpg config file which says to trust the
key used for signing the binaries (id 651FD487). The config file
*could* be modified in-flight (a la ettercap), modified on the website,
or by a malicious packager (cue evil grin). But, if you trust the
people involved and the integrity of the website, then it's a pretty
Moreover, the config file only needs to be downloaded when the winrash
code is updated. This doesn't happen too often (compared to verifying
the signature of winetest.exe) so for each set of binaries and the
corresponding signature, the client should be able to confirm (with a
good level of confidence) that the binary was generated on quisquiliae.
There's some additional level of confidence that comes from my having
signed the code-signing key with my personal key. Other people have
signed my personal key, so there should be a web-of-trust between the
code-signing key and others out there. The truly paranoid could leverage
that to garner additional trust :)
So, I believe downloading the gpg config file with winrash is equivalent
to downloading CA public keys with a web-browser. Technically it's bad,
but practically it's OK.
Alternatively, if you don't want to distribute the key, just tell gpg to
download it from one of the key-servers out there, but that's
(more-or-less) equivalent to distributing the key.
(phew, didn't mean for the email to get that big!)
On Friday 11 June 2004 15:28, Chris Morgan wrote:
> We don't have a good way of distributing and managing the gpg keys,
> there is no script control over that part of winrash. If there was
> an automated and secure way of keeping the trusted signatures up to
> date I wouldn't mind turning it back on. It just has to be something
> that can be maintained without manual intervention with gpg. I'm
> also not really sure how the whole gpg signature thing works. Right
> now we bundle a config file for gpg that trusts your signature. Can
> we have that managed by the service so it happens automatically or
> does that implicitly violate the trust as we are getting the
> signature from the service initially?
> On Friday 11 June 2004 9:49 am, Paul Millar wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > Hi Dimi,
> > Why remove the verification of the code's gpg signature? It seems
> > to break a basic security maxim: don't trust the network.
> > On Thursday 10 June 2004 22:48, Dimitrie O. Paun wrote:
> > > ChangeLog
> > > Do not include irrelevant stuff in the _history.
> > > Do not instruct the client to verify the .sig,
> > > it's a b0rken idea anyway.
> > - --
> > Paul Millar
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.4 (GNU/Linux)
> > iD8DBQFAybhq/9JwS78PA+kRAuv/AJ9Ulntb1MLGn+2gp8r/qpy6VqJDVACePwVB
> > VXxAHr9gaBuMhIJ7P81ahMA=
> > =0tkh
> > -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
-----END PGP SIGNATURE-----
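The trust argument in Paul's message above (a key bundled with the client is worth more than a key fetched over the same channel as the binary, and a web-of-trust chain from a personal key to the code-signing key adds confidence) can be shown in a few lines of Go. This is an added illustration, not winrash or service.cgi code: it uses ed25519 from the Go standard library instead of gpg, the artifact contents and key IDs are constructed, and the function names (VerifyPinned, VerifyUnpinned, Scenario, Reachable) are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Artifact models what the client fetches over the network: the binary, its
// detached signature, and (in the unpinned design) the key that came with it.
// Everything in it is constructed for this example.
type Artifact struct {
	Binary    []byte
	Signature []byte
	SignerKey ed25519.PublicKey
}

// Sign produces an artifact signed by priv and attaches the matching public
// key so both verification styles can be exercised on it.
func Sign(priv ed25519.PrivateKey, binary []byte) Artifact {
	return Artifact{
		Binary:    binary,
		Signature: ed25519.Sign(priv, binary),
		SignerKey: priv.Public().(ed25519.PublicKey),
	}
}

// VerifyPinned checks against a key shipped with the client out-of-band (the
// bundled gpg config in the thread). The key carried by the artifact is ignored.
func VerifyPinned(pinned ed25519.PublicKey, a Artifact) bool {
	return ed25519.Verify(pinned, a.Binary, a.Signature)
}

// VerifyUnpinned accepts whatever key arrived with the artifact: the
// "key fetched from the same channel as the binary" case the thread warns about.
func VerifyUnpinned(a Artifact) bool {
	return ed25519.Verify(a.SignerKey, a.Binary, a.Signature)
}

// Outcome records the four verification results produced by Scenario.
type Outcome struct {
	PinnedGenuine, PinnedSubstituted, UnpinnedGenuine, UnpinnedSubstituted bool
}

// Scenario builds a genuine release and a substituted one (different binary,
// signed by a key the publisher never held, as after an in-flight
// modification) and runs both verifiers over each.
func Scenario() (Outcome, error) {
	pubPublisher, privPublisher, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, privOther, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := Sign(privPublisher, []byte("winetest.exe contents (constructed)"))
	substituted := Sign(privOther, []byte("modified contents (constructed)"))
	return Outcome{
		PinnedGenuine:       VerifyPinned(pubPublisher, genuine),     // true
		PinnedSubstituted:   VerifyPinned(pubPublisher, substituted), // false
		UnpinnedGenuine:     VerifyUnpinned(genuine),                 // true
		UnpinnedSubstituted: VerifyUnpinned(substituted),             // true: nothing was pinned
	}, nil
}

// Reachable answers the web-of-trust question from the thread: starting from
// key IDs the client already trusts, is there a chain of key signatures that
// reaches target? certs maps a key ID to the IDs of the keys that signed it.
func Reachable(certs map[string][]string, roots []string, target string) bool {
	seen := map[string]bool{}
	queue := append([]string(nil), roots...)
	for len(queue) > 0 {
		k := queue[0]
		queue = queue[1:]
		if k == target {
			return true
		}
		if seen[k] {
			continue
		}
		seen[k] = true
		for id, signers := range certs {
			for _, s := range signers {
				if s == k {
					queue = append(queue, id)
				}
			}
		}
	}
	return false
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
	// Constructed chain: a personal key the user trusts signed the
	// code-signing key, so the code-signing key is reachable.
	certs := map[string][]string{"code-signing": {"personal"}}
	fmt.Println(Reachable(certs, []string{"personal"}, "code-signing"))
}
```

The only difference between the two verifiers is where the public key comes from; the unpinned one is mathematically sound but answers a different question ("was this signed by the key that came with it?"), which is why the bundled key, however imperfectly it is distributed, is what makes the check meaningful.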