-
-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Discussion/half baked idea: safely looking up PGP keys automatically #48
Comments
Let me rephrase your points to check if we're on the same page:
I'm just going to iterate on your idea, as I'm not the author of the plug-in. Here's my 2 cents.
Personally, I think a blockchain would be overkill. I can imagine, though, to have a separate maven repository for maintaining a public list. For example, @slawekjaranowski could host one, such that it lives near to original source code. (It is not my intention to put him into this position, just to give an example of where such a repository might live.) The benefits I see:
@slawekjaranowski what do you think? |
Precisely. A keymap is would be a federated list... you obtain it from a trusted party and verify artifacts against the keymap. We could do that now with a git repo with common artifacts and signed commits by a trusted party (which would work and be pretty cool). The downside of this is there is a registration/signup/verification process with the authority; while not terrible, it would be cool if the verification step were automatic.
Yes, there's no reason to re-invent this, especially when Keybase has a toolkit to do this already. The cool part about the Keybase is that an author publishes a "proof" they control an account (sorta like putting a TXT record in DNS to prove you control a domain, or my github gist here: https://gist.github.com/exabrial/a0ffe65b8ee007645dda): A client can securely discover the correct key for an artifact even if they've never seen before by looking up the proof, then checking the proof signature. These two approaches aren't mutually exclusive. We could have a git repo with signed commits that has pinned keys for artifacts, and the commit signer is a trusted party. We could also have a Keybase proof integration that allows people to prove they control a namespace on maven central, and bind a pgp key to that namespace. |
Agree. I'm wondering if we can make this automatic. Or at least mostly automatic. The entries that are added to the key map, can simultaneously be tested by adding a dependency on an artifact like the entry added to the keys map. The tricky thing is verifying that all entries are indeed also added as dependency.
I am sort-of seeing where you're going with this, though one thing eludes me. How do you match an artifact to an author? The only option that I see is to match by maven groupId, so keybase would need to record the maven groupId for an account. However, there are already violations of this, e.g.
Agree. And I also see this as a valid extension to the repository. I, personally, am just a bit hestitant to pull in blockchain for everything if it isn't strictly needed. I'm now trying to convince myself that there isn't a simpler way to accomplish the same thing. |
Which isn't a bad thing necessarily. Having a single key sign for a group is probably the right way to do things. But, I don't see why a key proof couldn't be published in an artifact subdirectory as well |
Let's see if I understand what you're suggesting:
What I don't quite understand is how to work with this: Let's say I have retrieved an artifact. I find a signature on it and need to verify this. [Update: Alternatively, we can look up the maven groupId/artifactId and find the registered account's PGP key ID it correlates to. Then at least, you know if we're expecting the same key ID as we find on the signature. That would be acknowledgement of ownership, so I guess this is what you had in mind.] Tangentially, some questions that came up:
Anyways, I'm trying to outline the mechanism you seem to have in mind, as I don't quite grok it yet. I think. I'm trying to figure out how introducing keybase.io (or any registry) into the mix provides more certainty/security than without. Update: I missed your link to the keybase.io proof integration guide. I'll have a look at it later. |
I think that making decision if key is valid for given artifact, using yet another registry will not work. If it is not global requirement we don't have any guarantee, that every owner of artifacts will publish such information. Process like you try describe should be part of requirements of maven central rules, like: https://maven.apache.org/repository/guide-central-repository-upload.html. But I think that we can start try build map artifacts to pgp key, I can prepare some project with automatically testing given map. |
I appreciate everyone's engagement in this idea :)
You're exactly correct. Unfortunately it's not. That's (one of the reasons) why this plugin exists though, otherwise as long as everything was transferred by TLS from maven central, we wouldn't care.
I'd advise to not let perfection impede progress. Keybase is just a key discovery mechanism that links a pgp key to online identified like github, hacker news, facebook, a bitcoin address etc. The idea here is to allow a link to maven central as well. Using the keybase method to discover pgp keys is not mutually exclusive from using a local keymap, which theoretically could be supplied by a trusted third party. |
So I create project - https://github.com/s4u/pgp-keys-map |
I hope that issue #84 can help to trace which pgp is used for specific artifacts. |
So one of the things that keeps us from going 100% in on PGP checking is the sheer volume of keys we'd have to pin in the keyfile.
Have you seen keybase.io? It's like a fancy PGP keyserver, but it also allows you to bind a PGP key to a Github account and email address, pretty cool. Basically, a user publishes a pgp signed manifest as Gist on github and keybase gives you a way to verify that proof.
They do something cool too: everything that happens in your account it's put into the Bitcoin blockchain. What if we did something similar? We wouldn't have to the crypto work by hand, keybase has an API for new proof integrations: https://keybase.io/docs/proof_integration_guide
An author could sign up to bind a maven artifact to a PGP key. We'd have them publish a "proof" to maven central showing they can publish signed test to a artifact namespace.
Then when the plugin encounters an unknown signature, it could see if a proof exists in keybase. We could then verify the proof and pin the key automatically locally.
The text was updated successfully, but these errors were encountered: