[openstack-dev] Please do use PGP and PGP signed tags!

Thomas Goirand zigo at debian.org
Sat Feb 9 17:41:54 UTC 2013


Hi everyone!

As you may know, I am the person doing the packaging of OpenStack in
Debian. So uploading stuff to Debian is my responsibility. I've been
trying to shout to everyone that they should be using PGP signed tags on
GitHub, but the message doesn't seem to be received well enough, even
though core repositories are signed (I could check that ttx's signature is
in all core projects, so we're safe here). But that's not true for many
smaller Python modules.

So I'll try once more, to the list, with the stronger point below. :)

I live in mainland China. Recently, they've been playing with all sorts
of attacks on GitHub. One of them was a man-in-the-middle attack. These
things are *SERIOUS* concerns; it's not just theoretical, it did happen
in the past, and may happen again. If you don't just trust me by my
words, read this:
https://en.greatfire.org/blog/2013/jan/china-github-and-man-middle

FYI, currently, China is blocking GitHub DNS only (so editing /etc/hosts
is enough to "fix" the problem). Though I could see some weird behaviors
making me think that it's possible they are also doing man in the middle
with git:// access (which I use... since git over https is so dumb...).
It just doesn't feel safe... who knows what they really are doing.

Anyway, this isn't only about China, it's a good practice, and everyone
should be concerned, even for any Python module.

We have the necessary tools to make sure we're safe. We just need to use
these tools.

For those who aren't aware of how PGP works, here's a small howto, so
that we can sign each other's keys.

=== howto start ===
If you don't have a PGP key, it's time to generate one:

# Make sure you're using sane defaults (the directory must be private,
# and the preference list is a single line in gpg.conf):
mkdir -p ~/.gnupg && chmod 700 ~/.gnupg
echo "keyserver hkp://subkeys.pgp.net
personal-digest-preferences SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA256" >~/.gnupg/gpg.conf

# Generate a key
gpg --gen-key

# Once you have the key, please print the fingerprint
# on a piece of paper:
gpg --fingerprint

# Send the key to keyservers
gpg --send-keys 0x<ID-OF-YOUR-KEY>

Once you have this, please prepare a paper with your PGP key
fingerprint, which must also contain your name and email address, then
in Portland (if I can make it, which I believe will happen), give me
that piece of paper, and show me a photo ID (passport, driving license,
etc.) so that I can check your identity. I will do the same.

For signing keys, it's explained here:
http://www.debian.org/events/keysigning

You can also use caff, which automates the procedure of receiving,
signing and sending keys.
=== howto end ===

One of the goals of signing each other's keys is to avoid any possible
man-in-the-middle attack when sending keys to or receiving keys from the
key server. There's no CA for PGP, so you do need to fully check the
fingerprint of a key before signing it. It's more important to do this
than checking the validity of government-issued photo IDs.
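As an added example (not part of Thomas's mail), here is the check a packager
would script on the consuming side: a tag signature is only accepted when gpg
reports VALIDSIG with a fingerprint from a list the packager verified in
person. The fingerprints and the status lines below are constructed samples,
and `git verify-tag --raw` is assumed to be available (it prints gpg's
machine-readable status to stderr).

```shell
#!/bin/sh
# Trusted release-manager fingerprints, one per word. This value is a
# constructed placeholder, not a real key.
TRUSTED_FPRS="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status <gpg-status-text>
# Returns 0 only if a "[GNUPG:] VALIDSIG <fpr> ..." line names a trusted
# fingerprint. A GOODSIG line alone is not enough: it only says the
# signature matches *some* key in your keyring, which a key fetched
# through a man-in-the-middle keyserver connection would also satisfy.
check_status() {
    for t in $TRUSTED_FPRS; do
        printf '%s\n' "$1" | grep -Eq "^\[GNUPG:\] VALIDSIG $t( |$)" && return 0
    done
    return 1
}

# verify_tag <tagname>
# Runs git's verifier on a real tag and applies the policy above.
verify_tag() {
    status=$(git verify-tag --raw "$1" 2>&1) || return 1
    check_status "$status"
}

# Constructed sample status output (the shape gpg prints), not captured
# from a real repository. The first is signed by the trusted key, the
# second by a valid but unknown key.
SAMPLE_TRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Release Manager <rm@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-02-09 1360431714 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Somebody Else <x@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2013-02-09 1360431714 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98'

if check_status "$SAMPLE_TRUSTED"; then echo "trusted sample: accepted"; fi
if ! check_status "$SAMPLE_OTHER"; then echo "unknown-key sample: rejected"; fi
```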

Cheers,

Thomas Goirand (zigo)

P.S: I hope this wasn't too annoying to read... :)



More information about the OpenStack-dev mailing list