[WineHQ] service.cgi fixes

Paul Millar paulm at astro.gla.ac.uk
Fri Jun 11 10:45:29 CDT 2004

Hash: SHA1

Hi Chris,

Ultimately, all PKI suffers from the weakness that, unless you 
distribute the public keys out-of-band (e.g. via CDROM and recorded 
delivery), then you can't trust signatures.

Practically, with web browers (for example), what happens is certain 
public keys (of known CAs) are distributed with the software.  Its 
fairly unlikely (but not impossible) that these are altered whilst 
someone's downloading their browser.  Since that happens fairly rarely 
(less frequently than verifying a certificate), its fairly safe.

Much the same applies with the gpg config file which says to trust the 
key used for signing the binaries (id 651FD487).  The config file 
*could* be modified in-flight (a la ettacap), modified on the website, 
or by a malicious packager (cue evil grin). But, if you trust the 
people involved and the integrity of the website, then its a pretty 
safe bet.

Moreover, the config file only needs to be downloaded when the winrash 
code is updated.  This doesn't happen too often (compared to verifying 
the signature of winetest.exe) so for each set of binaries and the 
corresponding signature, the client should be able to confirm (with a 
good level of confidence) that the binary was generated on quisquiliae.

There's some additional level of confidence that comes from my having 
signed the code-signing key with my personal key.  Other people have 
signed my personal key, so there should be a web-of-trust between the 
code-signing key and others out there.  The truly paranoid could leaver 
that to garner additional trust :)

So, I believe downloading the gpg config file with winrash is equivalent 
to downloading CA public keys with a web-browser. Technically is bad, 
but practically is OK.

Alternatively, if you don't want to distribute the key, just tell gpg to 
download it from one of the key-servers out there, but that's 
(more-or-less) equivalent to distributing the key.

(phew, didn't mean for the email to get that big!)



On Friday 11 June 2004 15:28, Chris Morgan wrote:
> We don't have a good way of distributing and managing the gpg keys,
> there is no script control over that part of winrash.  If there was
> an automated and secure way of keeping the trusted signatures up to
> date I wouldn't mind turning it back on.  It just has to be something
> that can be maintained without manual intervention with gpg.  I'm
> also not really sure how the whole gpg signature thing works.  Right
> now we bundle a config file for gpg that trusts your signature.  Can
> we have that managed by the service so it happens automatically or
> does that implicitly violate the trust as we are getting the
> signature from the service initially?
> Chris
> On Friday 11 June 2004 9:49 am, Paul Millar wrote:
> > Hash: SHA1
> >
> > Hi Dimi,
> >
> > Why remove the verification of the code's gpg signature?  It seems
> > to break a basic security maxim: don't trust the network.
> >
> > On Thursday 10 June 2004 22:48, Dimitrie O. Paun wrote:
> > > ChangeLog
> > >     Do not include irrelevant stuff in the _history.
> > >     Do not instruct the client to verify the .sig,
> > >     it's a b0rken idea anyway.
> >
> > - --
> > Paul Millar
> > Version: GnuPG v1.2.4 (GNU/Linux)
> >
> > iD8DBQFAybhq/9JwS78PA+kRAuv/AJ9Ulntb1MLGn+2gp8r/qpy6VqJDVACePwVB
> > VXxAHr9gaBuMhIJ7P81ahMA=
> > =0tkh
> > -----END PGP SIGNATURE-----

- ----
Paul Millar
Version: GnuPG v1.2.4 (GNU/Linux)


More information about the wine-devel mailing list