[Catalog-sig] getting the public key when --sign is used
Donald Stufft
donald.stufft at gmail.com
Mon Nov 19 23:10:09 CET 2012
If you're going to build out the infrastructure for this it needs the ability for someone to
immediately (or within a very short timeframe) revoke their key. There is little value
in revoking a key (which could indicate that the original key was compromised) if
the unrevoked key is going to remain valid for a significant amount of time.
On Monday, November 19, 2012 at 4:43 PM, Daniel Holth wrote:
> On Mon, Nov 19, 2012 at 4:34 PM, Tarek Ziadé <tarek at ziade.org (mailto:tarek at ziade.org)> wrote:
> > On 11/19/12 7:55 PM, M.-A. Lemburg wrote:
> > > On 19.11.2012 19:37, Tarek Ziadé wrote:
> > > > Hey
> > > >
> > > >
> > > > I am currently writing a small script to verify that the gpg signature is correct when the --sign
> > > > option
> > > > is used with the Distutils upload command, and I was wondering why we don't publish the public key
> > > > alongside the .asc file.
> > > >
> > > > Right now, unless I missed something, to verify a signature the user has to manually get the public
> > > > key before she
> > > > can control the tarball.
> > > >
> > > > Wouldn't it make sense to modify the upload command and add a .pubkey file alongside the archive file
> > > > and the .asc file on PyPI ? (since we don't have a notion of team/users etc.)
> > > Doesn't that cause problems when revoking a public key ?
> > >
> > That problem still exists as things are today at PyPI -if you sign a package you get an .asc file uploaded and
> > you need to tell people where is your public key.
> >
> > If you change your key, the asc file is not valid anymore.
> >
> > I am not sure what would be the best way to do this: maybe we should allow people to update the asc files ?
>
> You should consider reading up on the design of TUF: The Update Framework (https://www.updateframework.com/). They have designed a security system for Python packages.
>
> One solution to the key revocation problem is to have two signatures, a timestamp from PyPI along with a signature from the publisher. The package is only valid if it has a valid publisher signature along with a timestamp that is within the validity period of the publisher's signing key.
>
> In other words, if I publish a package in October but revoke my public key in November, the package is still valid because PyPI asserts it was signed before the key was revoked.
>
>
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org (mailto:Catalog-SIG at python.org)
> http://mail.python.org/mailman/listinfo/catalog-sig
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20121119/c39e0451/attachment.html>
More information about the Catalog-SIG
mailing list