Problems with trust path when packaging #478
Comments
Hi! Thanks for your interest in argcomplete and for your efforts to help package and distribute it. While I agree with the overall design of the web of trust and with the goals of OpenPGP-based software distribution infrastructure, the only implementation that is available to me in my development environments is GnuPG, which has major usability issues that make me disinclined to continue its use. I welcome suggestions of other OpenPGP implementations that have better UX standards compared to GnuPG. I plan to continue to manage releases for this project for the foreseeable future. If that ever changes, you can expect it to be reflected by the state of this project on a trusted platform like GitHub: the repository will either be transferred to a new organization or a new maintainer, with committer access updated correspondingly.
A common theme 🥲
Do you use a smartcard to work with your OpenPGP private key? If so, there may be something to beta test soon 😉
Just to clarify: Currently, this means you will not be signing tags going forward?
I don't have a smartcard, but I have a bunch of yubikeys. Would those work?
Not with gnupg. It has interrupted too many of my releases with ridiculous bugs and otherwise stolen too much of my time. It looks like git and github now support signing with SSH keys. If I sign my tags with SSH keys and post my SSH public key in my various online profiles, would that work for you?
Yes. (I should have specified what I'm referring to as smartcard is an OpenPGP card - those come in all forms, not just the classic oldschool "smartcard").
On Arch Linux we have only now started to look into how to do OpenSSH based signature verification sensibly.
I heard it's really tasty! 🥯
Just for the record, this is how the openssh project does that. They do have an "allowed signers" file with all SSH keys: https://github.com/openssh/openssh-portable/blob/master/.git_allowed_signers and the "trust path" is provided by an OpenPGP signature over that file: https://github.com/openssh/openssh-portable/blob/master/.git_allowed_signers.asc HTH 👋
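As an added example (not code from this thread or from the argcomplete or openssh projects), this script walks through the SSH-signature trust path described above: an allowed_signers file names the principal and key a verifier trusts, a message is signed in the "git" namespace, and verification is checked to succeed for the trusted principal and fail for an unknown principal or a tampered message. The key, the principal "release@example.org" and the message are constructed placeholders.

```shell
#!/bin/sh
# Requires ssh-keygen (OpenSSH 8.2+ for -Y sign/verify). Everything is built
# in a temporary directory so the demo runs offline and leaves nothing behind.
ssh_sign_verify_demo() {
    tmp=$(mktemp -d) || return 1
    # 1. Throwaway ed25519 key standing in for the maintainer's SSH key.
    ssh-keygen -q -t ed25519 -N "" -C "demo" -f "$tmp/release_key" || return 1
    # 2. allowed_signers line: "<principal> [options] <keytype> <base64 key>".
    #    The namespaces option restricts this key to git-style signatures.
    #    git reads the same file via: git config gpg.ssh.allowedSignersFile <path>
    printf 'release@example.org namespaces="git" %s\n' \
        "$(cut -d' ' -f1,2 "$tmp/release_key.pub")" > "$tmp/allowed_signers"
    # 3. Sign a message in the "git" namespace (what git uses for tags and
    #    commits); ssh-keygen writes the detached signature to msg.sig.
    printf 'v3.2.0 release tarball\n' > "$tmp/msg"
    ssh-keygen -Y sign -f "$tmp/release_key" -n git "$tmp/msg" 2>/dev/null \
        || { rm -rf "$tmp"; return 1; }
    # 4. Good case: trusted principal, matching key, correct namespace.
    if ! ssh-keygen -Y verify -f "$tmp/allowed_signers" -I release@example.org \
            -n git -s "$tmp/msg.sig" < "$tmp/msg" >/dev/null 2>&1; then
        rm -rf "$tmp"; return 1
    fi
    # 5. A principal that is not in allowed_signers must be rejected, even
    #    though the signature itself is cryptographically valid.
    if ssh-keygen -Y verify -f "$tmp/allowed_signers" -I stranger@example.org \
            -n git -s "$tmp/msg.sig" < "$tmp/msg" >/dev/null 2>&1; then
        rm -rf "$tmp"; return 1
    fi
    # 6. A modified message must be rejected.
    printf 'v3.2.0 release tarball (tampered)\n' > "$tmp/msg"
    if ssh-keygen -Y verify -f "$tmp/allowed_signers" -I release@example.org \
            -n git -s "$tmp/msg.sig" < "$tmp/msg" >/dev/null 2>&1; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    return 0
}
```

With git itself the equivalent is `git config gpg.format ssh`, `git config gpg.ssh.allowedSignersFile <path>` and then `git verify-tag <tag>`; the allowed_signers file is the trust anchor that a packager still has to obtain and authenticate out of band (the openssh project does that with an OpenPGP signature over the file).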
@kislyuk the projects that may be of interest to you are https://codeberg.org/openpgp-card/ssh-agent/, https://codeberg.org/openpgp-card/openpgp-card-tools/, https://codeberg.org/openpgp-card/oct-git and https://codeberg.org/heiko/rsop With those you can basically maintain an OpenPGP card based workflow for signing and decryption without having to use GnuPG at all.
Hi! 👋
I'm currently looking into upgrading this package on Arch Linux.
Due to the debacle with the removal of signed sdists on PyPI, we have decided to switch to upstream provided, auto-generated source tarballs or (signed) git tags/commit (https://rfc.archlinux.page/0020-sources-for-python-packaging/).
I saw that in 75548f2 you have decided to remove the OpenPGP signing for the PyPI sources (as there really is no other option...). Unfortunately, in that commit you have also removed the signing of tags.
This leaves us with a missing trust path going forward, as we are checking specifically against your OpenPGP fingerprint (29BCBADB4ECAAAC2382699388AFAFCD242818A52) when verifying signatures: https://gitlab.archlinux.org/archlinux/packaging/packages/python-argcomplete/-/blob/20f889a098774ee099092e154375464203d7244d/PKGBUILD#L18
The last signed tag appears to be the one for 3.1.1.
Would it be possible going forward to rely on tags signed using 29BCBADB4ECAAAC2382699388AFAFCD242818A52? You appear to be the only person doing releases for your project. In case this ever changes, would you be able to ensure a trust path to any new person being allowed to create releases (by certifying their User ID - aka. "signing their key")?
Many thanks! 🙏
cc @anthraxx