Subject: Re: signed binary pkgs
To: None <tech-security@NetBSD.org, tech-pkg@NetBSD.org>
From: Alan Barrett <apb@cequrux.com>
List: tech-security
Date: 07/26/2005 12:01:50
On Tue, 26 Jul 2005, Curt Sampson wrote:
> >Yes, I'd like to see a signature on the entire ${package}.tgz file.
> 
> What are the advantages of this? What are the disadvantages?

Advantage: easy to generate; easy to check; can have signatures from third
parties.

Disadvantage: users might end up with the file but not the signature.

> >I'd also like to see an option to sign a bundle of packages, to reduce
> >the disk space overhead.
> 
> It doesn't seem to me that there's going to be so much overhead anyway,
> and we'd achieve minimal overhead or very close to it in all cases if we
> put the signature in the archive itself.

If the signature includes a copy of the key, and perhaps also
certificates and other metadata associated with the key, then we could
be talking several kilobytes per signature.  With around 400 syspkgs for
the base system (not including X11), that's an overhead of a megabyte or
three.

Signatures on bundles of packages could be especially useful for third
parties.

> And signing of bundles seems as if it would be even more of a hassle
> for downloaders yet.

I want it as an option, not as the only way to sign packages.

> I think it's very important to make it as automatic as possible that
> signatures come along with packages, no matter how downloaded, so that
> they are used as much as possible.

OK, I now agree with that goal.  I'd like to see support for the
following use cases:

  1. Package builder embeds a signature in the package.  The signature
     means something like "This package really was built in the
     time/place/manner that the +BUILD_INFO file says."

  2. A third party adds an additional embedded signature (or replaces an
     existing embedded signature).  The signature means "This package
     was approved by the signer (according to criteria specified out of
     band)."

     For example, NetBSD release engineering could replace the signature
     from an automated build process with a signature that means "this
     package is part of the official NetBSD-x.y.z release", or a
     corporate QA/security/sysadmin department could add a signature
     that means "this package is approved for use on company servers".
  3. A third party creates a detached signature on a single package.

  4. A third party creates a detached signature on a bundle of
     packages.

--apb (Alan Barrett)
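Use cases 3 and 4 above (a detached signature on one package, and one on a bundle), as an added worked example that is not from this thread and not NetBSD's own pkg tooling. It assumes Ed25519 keys and a manifest line format of my own choosing ("SHA256 (name) = hex"); the sample packages are constructed byte strings standing in for ${package}.tgz files. The bundle case signs a single manifest of digests, so one signature covers every package while any one package can still be checked on its own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Package stands in for a ${package}.tgz file: its file name and raw bytes.
// (Constructed for this example; a real package would be read from disk.)
type Package struct {
	Name string
	Data []byte
}

// SignDetached produces a detached signature over one package's bytes (use case 3).
func SignDetached(priv ed25519.PrivateKey, pkg Package) []byte {
	return ed25519.Sign(priv, pkg.Data)
}

// VerifyDetached checks a detached signature against the package bytes it came with.
func VerifyDetached(pub ed25519.PublicKey, pkg Package, sig []byte) bool {
	return ed25519.Verify(pub, pkg.Data, sig)
}

// manifestLine is the per-package entry in a bundle manifest (format assumed here).
func manifestLine(pkg Package) string {
	sum := sha256.Sum256(pkg.Data)
	return fmt.Sprintf("SHA256 (%s) = %s", pkg.Name, hex.EncodeToString(sum[:]))
}

// BundleManifest lists every package with its SHA-256, sorted so the manifest
// bytes are deterministic regardless of the order the packages were given in.
func BundleManifest(pkgs []Package) string {
	lines := make([]string, 0, len(pkgs))
	for _, p := range pkgs {
		lines = append(lines, manifestLine(p))
	}
	sort.Strings(lines)
	return strings.Join(lines, "\n") + "\n"
}

// SignBundle signs the manifest once (use case 4): a single signature covers
// every package listed, so the per-package cost is one digest line, not a signature.
func SignBundle(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyFromBundle verifies one package from a signed bundle: first the signature
// over the manifest, then that this package's name and digest appear in it.
// A package missing from the manifest, or with altered bytes, is rejected.
func VerifyFromBundle(pub ed25519.PublicKey, manifest string, sig []byte, pkg Package) bool {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return false
	}
	want := manifestLine(pkg)
	for _, line := range strings.Split(strings.TrimSuffix(manifest, "\n"), "\n") {
		if line == want {
			return true
		}
	}
	return false
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample "packages"; the contents are arbitrary bytes.
	pkgs := []Package{
		{"base-sys-root-3.0.tgz", []byte("root filesystem contents")},
		{"base-sys-bin-3.0.tgz", []byte("binaries")},
		{"base-sys-lib-3.0.tgz", []byte("libraries")},
	}

	// Use case 3: one detached signature per package.
	sig := SignDetached(priv, pkgs[0])
	fmt.Printf("detached signature: %d bytes, verifies=%v\n", len(sig), VerifyDetached(pub, pkgs[0], sig))

	// Use case 4: one signature over a manifest covering all packages.
	manifest := BundleManifest(pkgs)
	bsig := SignBundle(priv, manifest)
	fmt.Printf("bundle: %d packages, manifest %d bytes, one %d-byte signature\n", len(pkgs), len(manifest), len(bsig))
	for _, p := range pkgs {
		fmt.Printf("  %s verifies=%v\n", p.Name, VerifyFromBundle(pub, manifest, bsig, p))
	}

	// A package whose bytes were changed after signing fails, even though the
	// manifest signature itself is still valid.
	changed := Package{pkgs[1].Name, []byte("modified binaries")}
	fmt.Printf("  changed %s verifies=%v\n", changed.Name, VerifyFromBundle(pub, manifest, bsig, changed))
}
```

In this form a bare Ed25519 signature is 64 bytes and the bundle adds roughly one manifest line per package, so neither approach by itself reaches the kilobytes-per-signature figure discussed above; that overhead comes from embedding keys, certificates and other metadata alongside each signature, which this example leaves out. The bundle also only helps the downloader who obtains the manifest and its signature together with the packages, which is the "file but not the signature" problem noted above.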