[Webkit-unassigned] [Bug 230982] New: [GTK] Sign releases using a modern GPG key and publish it on webkitgtk.org
bugzilla-daemon at webkit.org
Wed Sep 29 13:48:27 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=230982
Bug ID: 230982
Summary: [GTK] Sign releases using a modern GPG key and publish it on webkitgtk.org
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: WebKitGTK
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mcatanzaro at gnome.org
CC: bugs-noreply at webkitgtk.org
Currently WebKitGTK release tarballs are signed using Carlos Garcia's personal GPG key. In the Fedora spec file, I do this:
# Created from http://hkps.pool.sks-keyservers.net/pks/lookup?op=get&search=0xF3D322D0EC4582C3
# $ gpg --import 0xF3D322D0EC4582C3.asc
# $ gpg --export --export-options export-minimal D7FCF61CF9A2DEAB31D81BD3F3D322D0EC4582C3 > gpgkey-D7FCF61CF9A2DEAB31D81BD3F3D322D0EC4582C3.gpg
Source2: gpg-key-D7FCF61CF9A2DEAB31D81BD3F3D322D0EC4582C3.gpg
This would catch a supply chain attack where (a) distro has previously imported Carlos's key, then (b) attacker compromises webkitgtk.org and replaces tarballs, but (c) attacker does not have access to Carlos's GPG private key.
Sadly, hkps.pool.sks-keyservers.net doesn't seem to exist anymore, and sks-keyservers.net is using an unacceptable TLS certificate, so my comment on how to create the .gpg keyring is obsolete. That could be fixed by publishing a keyring on webkitgtk.org, so I could link to that rather than these instructions for how to manually create the keyring. But the keyring should really use a new key, rather than Carlos's existing key, because the existing key is a DSA 1024 key that is weak compared to modern standards.
There are probably other best practices to follow (project keys instead of individual developer keys?), but I don't pretend to understand them. GPG is too hard for me....
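As an added example (not part of the bug report or of the WebKit project), here is a small Python audit of a `gpg --with-colons --list-keys` listing that flags keys a packager should not pin in a minimal keyring, such as the DSA 1024 case described above, and returns the fingerprints that are fit to export. The embedded listing and its fingerprints are constructed placeholders, not real keys.

```python
from dataclasses import dataclass, field
from typing import List

# OpenPGP public-key algorithm ids as printed in field 4 of a pub/sub record
ALGO_NAMES = {1: "RSA", 16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
LEGACY_ALGOS = {"DSA", "ElGamal"}   # the key discussed in the report is DSA 1024
MIN_RSA_BITS = 3072

@dataclass
class KeyFinding:
    fingerprint: str
    algo: str
    bits: int
    problems: List[str] = field(default_factory=list)

def audit_listing(text: str) -> List[KeyFinding]:
    """Parse `gpg --with-colons --list-keys` output; one finding per primary key."""
    findings, current = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            bits, algo = int(f[2]), ALGO_NAMES.get(int(f[3]), "algo" + f[3])
            current = KeyFinding("", algo, bits)
            findings.append(current)
            if algo in LEGACY_ALGOS:
                current.problems.append(f"{algo} {bits} is a legacy algorithm; prefer RSA>={MIN_RSA_BITS} or EdDSA")
            elif algo == "RSA" and bits < MIN_RSA_BITS:
                current.problems.append(f"RSA {bits} is below {MIN_RSA_BITS} bits")
            if f[1] in ("e", "r"):          # validity column: e = expired, r = revoked
                current.problems.append("key is expired or revoked")
        elif f[0] == "fpr" and current is not None and not current.fingerprint:
            current.fingerprint = f[9]      # first fpr after a pub record is the primary key's
        elif f[0] in ("sub", "ssb"):
            current = None                  # subkey fpr records must not be attached to the primary
    return findings

def pinnable(findings: List[KeyFinding]) -> List[str]:
    return [k.fingerprint for k in findings if not k.problems]   # safe to put in a minimal keyring

# Constructed listing (placeholder fingerprints): DSA 1024 primary with ElGamal subkey, expired RSA 2048, ed25519
SAMPLE = """\
pub:u:1024:17:AAAAAAAAAAAAAAAA:1123456789:::u:::scSC::::::::0:
fpr:::::::::0000000000000000000000000000AAAAAAAAAAAA:
sub:u:2048:16:BBBBBBBBBBBBBBBB:1123456789::::::e::::::::
fpr:::::::::0000000000000000000000000000BBBBBBBBBBBB:
pub:e:2048:1:CCCCCCCCCCCCCCCC:1500000000:1600000000::u:::scESC::::::::0:
fpr:::::::::0000000000000000000000000000CCCCCCCCCCCC:
pub:u:255:22:DDDDDDDDDDDDDDDD:1600000000::::::scESC:::::ed25519:::0:
fpr:::::::::0000000000000000000000000000DDDDDDDDDDDD:
"""
```

Run `audit_listing(SAMPLE)` on the output of a real `gpg --with-colons --list-keys` to decide which fingerprint to pass to `gpg --export --export-options export-minimal`.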