On Fri, Mar 28, 2014 at 2:06 PM, Julian Harnath <julian.harnath@xxxxxxxxxxxxxx> wrote:
> Urias McCullough <umccullough@xxxxxxxxx> wrote:
>> I don't understand how that's significantly different from simply
>> maintaining hashes of all the binaries in our source control and
>> verifying them during download. There's really no need to sign them
>> assuming we trust devs who have commit access already.
>
> The advantage of signing over a simple hash is that it depends on the
> private key, which is, well, private. An attacker who could gain access
> to our package repo server could simply exchange the binaries and change
> the hashes. It's also easy to do a man-in-the-middle attack, changing
> these things on the fly.

Yes, I understand - and I support the idea behind signing packages for pure binary downloads - BUT, for building Haiku, we have a separate location to store the hashes, which has controlled and easily-monitored access - the Git repo.

I just think that we can solve Jonathan's concerns right away by adding a list of hashes for each of our downloaded packages used at build time in our Git repo and verifying them on download... whereas adding a full signing mechanism will take longer.

> Both attack scenarios don't work with signing: without access to the
> private key (which needs to be guarded closely), the attacker cannot
> generate a valid signature. All he could do is exchange the package
> containing the public CA certs, so new installations could be
> compromised... but everyone doing an update on an older system would
> immediately notice that things are wrong.

Since we currently require SSH access to commit to Git, I don't see how these signing keys will be any more likely to be "secured" at this point. Until we limit the ability for creation of "official" binary packages to a small subset of developers, I don't see how it will greatly improve anything.
In any case, I think we can immediately solve the concern of "someone messing with the internet connection", or even "someone tampering with the server" quite easily without introducing signed packages. - Urias
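The check proposed in this thread, a hash list kept in the Git repo and consulted when a build-time package is downloaded, as an added example that is not code from the thread or from Haiku's build system. The sha256sum-style manifest format, the constructed package names and the fail-closed handling of packages missing from the manifest are assumptions.

```shell
#!/bin/sh
# Verify a downloaded build package against a hash list that lives in the
# source repository (assumed manifest format, one entry per line, as written
# by sha256sum: "<hex sha256>  <package filename>"; filenames without spaces).
# Exit codes of verify_package: 0 = hash matches, 1 = hash mismatch,
# 2 = package not listed in the manifest (refused, so a file an attacker
# added to the download server is never accepted just because it exists).

sha256_of() {
    # Prefer coreutils sha256sum; fall back to shasum on BSD/macOS.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_package() {
    manifest="$1"
    file="$2"
    name=$(basename "$file")
    # Look up the expected digest by package name (second column).
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$manifest")
    if [ -z "$expected" ]; then
        echo "refusing $name: not listed in $manifest" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    echo "verified $name"
    return 0
}

# Constructed demonstration: a fake package, a manifest entry for it, then a
# tampered copy. Real use would point at the manifest checked into Git.
demo_dir=$(mktemp -d)
printf 'constructed package contents\n' > "$demo_dir/example_devel-1.0.hpkg"
printf '%s  example_devel-1.0.hpkg\n' "$(sha256_of "$demo_dir/example_devel-1.0.hpkg")" \
    > "$demo_dir/build-packages.sha256"
verify_package "$demo_dir/build-packages.sha256" "$demo_dir/example_devel-1.0.hpkg"
printf 'tampered contents\n' > "$demo_dir/example_devel-1.0.hpkg"
verify_package "$demo_dir/build-packages.sha256" "$demo_dir/example_devel-1.0.hpkg" || echo "rejected (exit $?)"
rm -rf "$demo_dir"
```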