May 28, 2009

Opportunistic key signing

Filed under: Scripting — martin @ 6:36 am

Here’s a security practice that many of you folks are not going to like.

Let’s say I’m dealing with some piece of software that can be downloaded as source code, along with a PGP signature, such as the Exim MTA:

$ ls exim*
exim-4.69.tar.gz exim-4.69.tar.gz.asc
$ gpg exim-4.69.tar.gz.asc
gpg: Signature made Wed Dec 19 13:37:54 2007 CET using DSA key ID DDC03262
gpg: Can't check signature: public key not found
$ gpg --recv-key DDC03262
gpg: requesting key DDC03262 from hkp server wwwkeys.de.pgp.net
gpg: key DDC03262: public key "Nigel Metheringham (Exim key) " imported
$ gpg exim-4.69.tar.gz.asc
gpg: Signature made Wed Dec 19 13:37:54 2007 CET using DSA key ID DDC03262
gpg: Good signature from "Nigel Metheringham (Exim key) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: FAA1 C7F9 CD07 7DC4 304B C0C8 85AB 833F DDC0 3262

What now? I don’t have a trust path to this key, so what can I do about the software? Of course, I can (and will) do what everyone does in this situation: have a look at the current list of people who have signed the signing key and decide, based on some makeshift criteria, whether I want to use the software anyway.

But I can also do something else. Chances are that I will come back to this situation: in a few months, I might want to check the PGP signature on a new release. For that day, I can put my own signature on the key now, one that explicitly states that I did not verify it.

$ gpg --edit-key DDC03262
Command> sign
How carefully have you verified the key you are about to sign actually belongs
to the person named above? If you don't know what to answer, enter "0".

(0) I will not answer. (default)
(1) I have not checked at all.
(2) I have done casual checking.
(3) I have done very careful checking.

Your selection? (enter `?' for more information):
$ gpg --send-key DDC03262

(Don’t bother looking; I haven’t actually signed and uploaded the EXIM key.)

I tend to prefer sig1 here because of its explicit statement that no check was made at all, but sig0 works just as well. The important part is that I sign the signing key without making any claim about its validity: the signature records that I accepted this particular key once, nothing more. When I get back to the same key at a later date, the presence of my own signature tells me for sure that this is the key I deemed usable in the past, which is exactly the continuity check I want before trusting a new release signed with it. Two GnuPG details matter for this to behave as intended. The level prompt shown above only appears when ask-cert-level is set in gpg.conf; otherwise the value of --default-cert-level, which is 0 unless configured, is used silently. And the two levels are not treated alike by the trust computation: with the default --min-cert-level of 2, a level 1 certification is disregarded when validity is calculated, whereas level 0 signatures are always accepted, so a sig0 from a key you hold with ultimate trust makes the signed key fully valid and silences the warning printed above, while a sig1 leaves the warning in place and serves only as a marker.
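The workflow above (verify the tarball, fetch the key if it is unknown, then look for my own earlier no-check signature before deciding) as a small POSIX shell script. This is an added example, not code from the original post or from the Exim or GnuPG projects. It assumes GnuPG’s machine-readable --status-fd and --with-colons output formats; MY_KEYID is a placeholder for the long key ID you sign with, and the sample status and listing lines embedded in the script are constructed for the key ID shown above, not captured from a real run.

```shell
#!/bin/sh
# Added example: opportunistic verification of a signed tarball.
# Assumes GnuPG's --status-fd and --with-colons formats. MY_KEYID is a
# placeholder for the long key ID of your own signing key, not a real key.
MY_KEYID="0123456789ABCDEF"

# Classify `gpg --status-fd 1 --verify` output read on stdin.
# Prints one of: BAD, NO_PUBKEY, GOOD_TRUSTED, GOOD_UNTRUSTED, NOSIG.
classify_status() {
  awk '
    /^\[GNUPG:] GOODSIG /                { good = 1 }
    /^\[GNUPG:] BADSIG /                 { bad = 1 }
    /^\[GNUPG:] NO_PUBKEY /              { nokey = 1 }
    /^\[GNUPG:] TRUST_(FULLY|ULTIMATE)/  { trusted = 1 }
    END {
      if (bad)                  print "BAD"
      else if (nokey)           print "NO_PUBKEY"
      else if (good && trusted) print "GOOD_TRUSTED"
      else if (good)            print "GOOD_UNTRUSTED"
      else                      print "NOSIG"
    }'
}

# Given `gpg --with-colons --list-sigs KEY` output on stdin, print the class of
# the certification made by key $1 (10 = generic/sig0, 11 = persona/sig1,
# 13 = self-signature), or "none" if that key never signed it.
# In a "sig" record field 5 is the signer's key ID and field 11 the class.
our_sig_class() {
  awk -F: -v me="$1" '
    $1 == "sig" && $5 == me { print substr($11, 1, 2); found = 1; exit }
    END { if (!found) print "none" }'
}

# Policy: map (verification result, class of our own certification) to an action.
decide() {
  case "$1" in
    BAD)          echo "reject: bad signature" ;;
    NOSIG)        echo "reject: no signature" ;;
    NO_PUBKEY)    echo "fetch: run gpg --recv-keys, then inspect who signed the key" ;;
    GOOD_TRUSTED) echo "accept: key is valid in our web of trust" ;;
    GOOD_UNTRUSTED)
      case "$2" in
        none) echo "first-sight: inspect signers; if acceptable, sign with level 1" ;;
        *)    echo "continuity: same key we accepted earlier (class $2)" ;;
      esac ;;
  esac
}

# Live wrappers (need gpg and, for the first one, the key in your keyring).
# They are not exercised by the constructed samples below.
verify_tarball() {     # $1 = tarball, $2 = detached .asc
  gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | classify_status
}
our_sig_class_for() {  # $1 = key ID of the upstream signing key
  gpg --batch --with-colons --list-sigs "$1" 2>/dev/null | our_sig_class "$MY_KEYID"
}
sign_without_claim() { # $1 = key ID; level 1 = "I have not checked at all"
  # Use --lsign-key instead if the signature should never leave your keyring.
  gpg --batch --yes --default-cert-level 1 --sign-key "$1"
}

# Constructed sample data (not captured from a real run) for the key ID above.
SAMPLE_STATUS_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 85AB833FDDC03262 17 2 00 1198067874 9
[GNUPG:] NO_PUBKEY 85AB833FDDC03262'
SAMPLE_STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 85AB833FDDC03262 Nigel Metheringham (Exim key)
[GNUPG:] VALIDSIG FAA1C7F9CD077DC4304BC0C885AB833FDDC03262 2007-12-19 1198067874 0 4 0 17 2 00 FAA1C7F9CD077DC4304BC0C885AB833FDDC03262
[GNUPG:] TRUST_UNDEFINED'
SAMPLE_COLONS='pub:-:1024:17:85AB833FDDC03262:2003-01-01:::-:::scaESCA::::::
uid:-::::::::Nigel Metheringham (Exim key):
sig:::17:85AB833FDDC03262:2003-01-01::::Nigel Metheringham (Exim key):13x:
sig:::17:0123456789ABCDEF:2009-05-28::::me:11x:'

main() {
  # First visit: key unknown.
  s=$(printf '%s\n' "$SAMPLE_STATUS_NOKEY" | classify_status); decide "$s" none
  # Later visit: good signature, no trust path, but our own sig1 is on the key.
  s=$(printf '%s\n' "$SAMPLE_STATUS_GOOD" | classify_status)
  c=$(printf '%s\n' "$SAMPLE_COLONS" | our_sig_class "$MY_KEYID"); decide "$s" "$c"
}
main
```

The two awk helpers are pure functions over gpg’s output, so the decision logic can be tested without a keyring; only the three wrappers at the end talk to gpg. Note that `our_sig_class` reports the class of whatever certification your key made, so a level 0 signature from an earlier visit is recognised just as well as a level 1 one.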

I believe that this is a legitimate use of sig0 and sig1 signatures, although I have to acknowledge that I have met people who disagree with me on this.
