[Webkit-unassigned] [Bug 230982] New: [GTK] Sign releases using a modern GPG key and publish it on webkitgtk.org

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 29 13:48:27 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=230982

            Bug ID: 230982
           Summary: [GTK] Sign releases using a modern GPG key and publish
                    it on webkitgtk.org
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at gnome.org
                CC: bugs-noreply at webkitgtk.org

Currently WebKitGTK release tarballs are signed using Carlos Garcia's personal GPG key. In the Fedora spec file, I do this:

# Created from http://hkps.pool.sks-keyservers.net/pks/lookup?op=get&search=0xF3D322D0EC4582C3
# $ gpg --import 0xF3D322D0EC4582C3.asc
# $ gpg --export --export-options export-minimal D7FCF61CF9A2DEAB31D81BD3F3D322D0EC4582C3 > gpgkey-D7FCF61CF9A2DEAB31D81BD3F3D322D0EC4582C3.gpg
Source2:        gpg-key-D7FCF61CF9A2DEAB31D81BD3F3D322D0EC4582C3.gpg

This would catch a supply chain attack where (a) distro has previously imported Carlos's key, then (b) attacker compromises webkitgtk.org and replaces tarballs, but (c) attacker does not have access to Carlos's GPG private key.

Sadly, hkps.pool.sks-keyservers.net doesn't seem to exist anymore, and sks-keyservers.net is using an unacceptable TLS certificate, so my comment on how to create the .gpg keyring is obsolete. That could be fixed by publishing a keyring on webkitgtk.org, so I could link to that rather than these instructions for how to manually create the keyring. But the keyring should really use a new key, rather than Carlos's existing key, because the existing key is a DSA 1024 key that is weak compared to modern standards.

There are probably other best practices to follow (project keys instead of individual developer keys?), but I don't pretend to understand them. GPG is too hard for me....
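An added example, not from the bug report or the WebKit project, of the check the report describes: the distro pins a minimal keyring holding only the release key, then verifies each tarball against that keyring with gpgv, so a tarball swapped on the download server (or re-signed with a key the distro never pinned) is rejected. It assumes gpg 2.1+, gpgv and gpgconf are installed; the key, the tarball, the file names and the e-mail addresses are all constructed for the demo, and the key is Ed25519 rather than the DSA-1024 key the report objects to.

```shell
#!/bin/sh
# Added example, not from the bug report or the WebKit project.
# Assumes gpg (2.1+), gpgv and gpgconf are installed; every key, file
# name and address below is constructed for the demo.
set -u

# verify_release KEYRING TARBALL SIGNATURE
# 0: good signature by a key in KEYRING; non-zero: gpgv rejected it
# (bad signature, or signer not in the keyring); 2: an input is missing.
# gpgv consults only the keyring given on the command line (pass absolute
# paths: a bare file name is looked up inside GNUPGHOME), never the user's
# keyring or trust database, which is what a build system wants.
verify_release() {
    [ -f "$1" ] || { echo "missing keyring: $1" >&2; return 2; }
    [ -f "$2" ] || { echo "missing tarball: $2" >&2; return 2; }
    [ -f "$3" ] || { echo "missing signature: $3" >&2; return 2; }
    gpgv --keyring "$1" "$3" "$2" 2>/dev/null
}

# gen_key HOME EMAIL: create a fresh, passphrase-less Ed25519 signing key
# in its own GNUPGHOME (constructed demo key, never reuse it for anything).
gen_key() {
    mkdir -p -m 700 "$1"
    GNUPGHOME=$1 gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" ed25519 sign 1y 2>/dev/null
}

# sign_file HOME INPUT: write an ASCII-armored detached signature INPUT.asc
sign_file() {
    GNUPGHOME=$1 gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$2.asc" "$2" 2>/dev/null
}

# demo_supply_chain: returns 0 only if all three cases behave as expected.
demo_supply_chain() {
    tmp=$(mktemp -d) || return 1
    tarball="$tmp/webkitgtk-0.0.0.tar.xz"   # constructed stand-in for a release
    keyring="$tmp/gpgkey-release.gpg"        # what the distro would ship as Source2

    gen_key "$tmp/release" "release@example.invalid" || return 1
    gen_key "$tmp/attacker" "attacker@example.invalid" || return 1

    # The distro pins the release key once, the way the spec comment does.
    GNUPGHOME="$tmp/release" gpg --batch --export --export-options export-minimal \
        "release@example.invalid" > "$keyring"

    printf 'genuine release contents\n' > "$tarball"
    sign_file "$tmp/release" "$tarball" || return 1

    rc=0
    # A: pristine tarball, genuine signature, pinned keyring -> accepted.
    if verify_release "$keyring" "$tarball" "$tarball.asc"
    then echo "A: genuine tarball accepted"
    else echo "A: FAIL genuine tarball rejected"; rc=1; fi

    # B: tarball replaced on the server, original signature left in place.
    printf 'replaced contents\n' > "$tarball"
    if verify_release "$keyring" "$tarball" "$tarball.asc"
    then echo "B: FAIL replaced tarball accepted"; rc=1
    else echo "B: replaced tarball rejected"; fi

    # C: replaced tarball re-signed with a key the distro never pinned.
    sign_file "$tmp/attacker" "$tarball" || return 1
    if verify_release "$keyring" "$tarball" "$tarball.asc"
    then echo "C: FAIL unpinned key accepted"; rc=1
    else echo "C: signature from unpinned key rejected"; fi

    GNUPGHOME="$tmp/release"  gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$tmp/attacker" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
    return $rc
}

# Usage: sh verify-release.sh demo
if [ "${1:-}" = demo ]; then demo_supply_chain; fi
```

In a real spec file only verify_release matters: point it at the keyring shipped as Source2, the downloaded tarball and its detached signature, and fail the build on any non-zero status. The keyring is exported with export-minimal so it carries just the release key and no third-party certifications, which is why a key only fetched from a keyserver (case C) never gets a say.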
