* GPG public keys
From: Jamie Evans @ 2015-12-08 19:10 UTC
To: git

Hello,

Can you please point me to the public GPG keys used for source code signing?

Thanks,
Jamie
* Re: GPG public keys
From: Junio C Hamano @ 2015-12-09 1:49 UTC
To: Jamie Evans; +Cc: git

Jamie Evans <jamie@pixelrebel.com> writes:

> Can you please point me to the public GPG keys used for source code signing?

I suspect that you are asking about our project, but instead of
throwing you a fish, I'll show you how to catch one yourself.

In a copy of the linux kernel repository I have lying around from a
random past, I did this:

$ git log --show-signature

and saw something like this:

commit c6fa8e6de3dc420cba092bf155b2ed25bcd537f7
merged tag 'arm64-fixes'
gpg: Signature made Wed 07 Oct 2015 03:10:34 AM PDT using RSA key ID 84C16334
gpg: Can't check signature: public key not found
Merge: e82fa92 62c6c61
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed Oct 7 18:17:46 2015 +0100

    Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/li...

I do not have the public key with key ID 84C16334, but I can ask
public keyservers. Put 0x84C16334 in "Search String" in pgp.mit.edu
and click "Do the search!"--it would result in the key that was used
to sign the merge request that resulted in this merge.

I also can do this:

$ git tag -v v3.0

and I would see something like:

object 02f8c6aee8df3cdc935e9bdd4f2d020306035dbe
type commit
tag v3.0
tagger Linus Torvalds <torvalds@linux-foundation.org> 1311301049 -0700

Linux 3.0

w00t!
gpg: Signature made Thu 21 Jul 2011 07:17:44 PM PDT using DSA key ID 76E21CBB
gpg: Good signature from "Linus Torvalds (tag signing key) <torvalds@osdl.org>"
...

to find that Linus's tag signing key has ID 0x76E21CBB (I do have
his key in my keyring, so this does not say "Can't check").

Perhaps you can do the same to whatever project you are interested
in. For example, here is a starting point to do the same for our
recent v2.6.4 tag:

$ git tag -v v2.6.4
gpg: Signature made Tue 08 Dec 2015 02:12:50 PM PST using RSA key ID 96AFE6CB
gpg: Can't check signature: public key not found
error: could not verify the tag 'v2.6.4'
* Re: GPG public keys
From: Jamie Evans @ 2015-12-09 17:03 UTC
To: Junio C Hamano; +Cc: git

Thanks, Junio, for the tutorial! I had tried to look up the key, but
failed to put the ‘0x’ at the head.

I was actually verifying the signature on a tarball release. Just
curious, how do I know the key in the database really belongs to you?
It has your name and email, but what’s to keep an imposter from
creating a key with your name on it and posting it to the database? I
guess all the signatories on your key are others vouching for your
key?

Thanks again for the reply. Oh, and thanks for git!

Cheers,
Jamie
* Re: GPG public keys
From: Jeff King @ 2015-12-09 22:04 UTC
To: Jamie Evans; +Cc: Junio C Hamano, git

On Wed, Dec 09, 2015 at 09:03:47AM -0800, Jamie Evans wrote:

> Thanks, Junio, for the tutorial! I had tried to look up the key, but
> failed to put the ‘0x’ at the head.

An easier way to get keys is just:

  $ gpg --recv-keys 96AFE6CB
  gpg: requesting key 96AFE6CB from hkp server keys.gnupg.net
  gpg: key 713660A7: public key "Junio C Hamano <gitster@pobox.com>" imported
  [...etc...]

You may need to drop a keyserver into your config, like:

  echo "keyserver keys.gnupg.net" >>~/.gnupg/gpg.conf

It doesn't really matter which one you use. Keyservers aren't
authoritative. They are just a convenience for grabbing the key data,
and most of the major ones share keys with each other. The real
security comes from the signatures which you get along with the keys.

> I was actually verifying the signature on a tarball release. Just
> curious, how do I know the key in the database really belongs to you?
> It has your name and email, but what’s to keep an imposter from
> creating a key with your name on it and posting it to the database? I
> guess all the signatories on your key are others vouching for your
> key?

Right. Now that I've got Junio's key from the command above, I can do:

  gpg --list-sigs 96AFE6CB

Of course you won't have those keys either. You can recursively
recv-key them, but that doesn't help if you don't trust them. The same
imposter can create a network of plausible-looking keys and upload
them.

In an ideal world you sign somebody else who signs somebody else who
signs Junio's key, and therefore you (probably) trust it[1]. But of
course bootstrapping that process is hard.

In practice, the simplest thing is probably to notice that all of the
git releases since v1.7.1.4 are signed by 96AFE6CB. If there was an
imposter, presumably somebody would have noticed by now and complained.

Of course you can't just fetch the v1.7.1.4 tag _now_, because the same
person impersonating the most recent tag could also be impersonating
(and back-dating) the older tags. But you could fetch it now, store it
somewhere trusted (e.g., on your laptop), and wait two weeks. If you
find no public outcry over hacked git, then it is probably OK to assume
that is the real key.

-Peff

[1] There are some cool tools to visualize the trust chains.
    Unfortunately this one does not seem to have Junio's latest key, but
    here is an example going from my key to the key Linus uses to sign
    the kernel:

      http://pgp.cs.uu.nl/mk_path.cgi?FROM=90F6F6B8&TO=00411886&PATHS=trust+paths

    Of course somebody can impersonate that tool, too. :) But you can
    fetch all of the individual keys in a path and verify
    cryptographically that the path exists.
* Re: GPG public keys
From: Stefan Beller @ 2015-12-09 22:24 UTC
To: Jeff King; +Cc: Jamie Evans, Junio C Hamano, git

On Wed, Dec 9, 2015 at 2:04 PM, Jeff King <peff@peff.net> wrote:
>
> Of course you can't just fetch the v1.7.1.4 tag _now_, because the same
> person impersonating the most recent tag could also be impersonating
> (and back-dating) the older tags. But you could fetch it now, store it
> somewhere trusted (e.g., on your laptop), and wait two weeks. If you
> find no public outcry over hacked git, then it is probably OK to assume
> that is the real key.
>

With all of us pointing out 96AFE6CB being the right hash, you may or may not
trust the list enough to also trust the key now.

But the mailing list server may be hacked and run a s/good-hash/bad-hash/g
on each email such that we cannot tell you via email what the right hash of
Junio's key is. That's why the web of trust is built using side channels,
i.e. not just the internet. Usually people meet and check face-to-face if
the other person is the person they claim to be and if their key checks out.
* Re: GPG public keys
From: Jeff King @ 2015-12-09 22:43 UTC
To: Stefan Beller; +Cc: Jamie Evans, Junio C Hamano, git

On Wed, Dec 09, 2015 at 02:24:17PM -0800, Stefan Beller wrote:

> On Wed, Dec 9, 2015 at 2:04 PM, Jeff King <peff@peff.net> wrote:
> >
> > Of course you can't just fetch the v1.7.1.4 tag _now_, because the same
> > person impersonating the most recent tag could also be impersonating
> > (and back-dating) the older tags. But you could fetch it now, store it
> > somewhere trusted (e.g., on your laptop), and wait two weeks. If you
> > find no public outcry over hacked git, then it is probably OK to assume
> > that is the real key.
> >
>
> With all of us pointing out 96AFE6CB being the right hash, you may or may not
> trust the list enough to also trust the key now.

Who's to assume that I actually checked that 96AFE6CB is right? ;)

Actually, I don't typically verify Junio's tag signatures. I fetch and
run "make" daily, far more often than he signs, so I would have been
p0wned long ago.

-Peff
* Re: GPG public keys
From: brian m. carlson @ 2015-12-10 1:16 UTC
To: Jeff King; +Cc: Stefan Beller, Jamie Evans, Junio C Hamano, git

On Wed, Dec 09, 2015 at 05:43:36PM -0500, Jeff King wrote:
> On Wed, Dec 09, 2015 at 02:24:17PM -0800, Stefan Beller wrote:
>
> > On Wed, Dec 9, 2015 at 2:04 PM, Jeff King <peff@peff.net> wrote:
> > >
> > > Of course you can't just fetch the v1.7.1.4 tag _now_, because the same
> > > person impersonating the most recent tag could also be impersonating
> > > (and back-dating) the older tags. But you could fetch it now, store it
> > > somewhere trusted (e.g., on your laptop), and wait two weeks. If you
> > > find no public outcry over hacked git, then it is probably OK to assume
> > > that is the real key.
> > >
> >
> > With all of us pointing out 96AFE6CB being the right hash, you may or may not
> > trust the list enough to also trust the key now.
>
> Who's to assume that I actually checked that 96AFE6CB is right? ;)
>
> Actually, I don't typically verify Junio's tag signatures. I fetch and
> run "make" daily, far more often than he signs, so I would have been
> p0wned long ago.

It might also be worthwhile to check that the signatures on kernel.org
match the key in the repo. kernel.org autosigns the tarballs as well,
so presumably that key matches what kernel.org has on file for Junio.

It may also be less important that the key really belongs to a human
named Junio C Hamano than that the same key consistently signs tags and
tarballs. I can't personally vouch for the human behind the signatures,
but when building git from tarballs, I do check that the same key signed
them.

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
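The consistency check that Peff (all releases since v1.7.1.4 signed by one key) and brian (the same key on tags and tarballs) describe, scripted as an added example; this is not code from the thread or from git.git. It reads gpg's machine-readable status lines, as emitted by `git verify-tag --raw` or `gpg --status-fd 1 --verify`, and reports whether a single key signed everything. The function names, the sample status lines and the fingerprints are my own constructed placeholders; `audit_tags` assumes it runs inside a clone with the signer's key already in the keyring.

```shell
#!/bin/sh
# Added example (not from the thread or git.git): audit which OpenPGP key
# signed each release, so a change of signer stands out. Fingerprints and
# status lines used for the demo below are constructed placeholders.

# Read gpg status lines on stdin; print the signer fingerprint from each
# "[GNUPG:] VALIDSIG <fpr> ..." line, i.e. one line per good signature.
signer_fprs() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3 }'
}

# Read status lines for several signatures and summarise who signed them.
assess() {
    keys=$(signer_fprs | sort -u)
    if [ -z "$keys" ]; then
        echo "NO-VALID-SIGNATURES"   # key not in keyring, or bad signatures
    elif [ "$(printf '%s\n' "$keys" | wc -l)" -eq 1 ]; then
        echo "CONSISTENT $keys"
    else
        echo "MIXED"; printf '%s\n' "$keys"
    fi
}

# In a clone: "git verify-tag --raw" writes gpg's status lines to stderr,
# so merge them and run every requested tag through assess.
audit_tags() {
    for t in "$@"; do git verify-tag --raw "$t" 2>&1; done | assess
}

# Same check for a detached tarball signature: tarball_signer X.tar.sign X.tar
tarball_signer() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | signer_fprs
}

# Constructed sample: two signatures by key 1111..., then one by 2222....
SAMPLE_SAME='[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2015-12-08 1449612770 0 4 0 1 2 00 1111111111111111111111111111111111111111
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2015-12-01 1449000000 0 4 0 1 2 00 1111111111111111111111111111111111111111'
SAMPLE_MIXED="$SAMPLE_SAME
[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2015-12-09 1449700000 0 4 0 1 2 00 2222222222222222222222222222222222222222"

printf '%s\n' "$SAMPLE_SAME" | assess    # prints CONSISTENT plus the 1111... key
printf '%s\n' "$SAMPLE_MIXED" | assess   # prints MIXED, then both fingerprints
```

Run `audit_tags v1.7.1.4 v2.6.4` in a clone to apply the check to real tags; without the signer's key in the keyring gpg emits no VALIDSIG line and the result is NO-VALID-SIGNATURES rather than a false CONSISTENT.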