Re: [task #4633] GPG-Signed Commits

[Jim Hyslop]

Bernd Jendrissek wrote:
> If I may jump into the middle here... if, AFAICT, the purpose is to bind
> a signature to a specific commit and no other, and also to the complete
> file contents (figuring out $strings$ later), would it not be sufficient
> to generate, say,
>
>  ----- BEGIN PGP SIGNED MESSAGE -----
>  Comment: blah blah comments are untrusted
>
>  Repository revision: 1.5     /home/cvs/cvsroot/ifsf-sst/foo.c,v
>  #include <stdio.h>
>
>  int main()
>  {
>    printf("hello, world!\n");
>    return 0;
>  }
>  ----- BEGIN PGP SIGNATURE -----
>  gobblegobblegobble=
>  ----- END PGP SIGNATURE -----
>  (or its binary equivalent)

This does complicate things somewhat on the client side. Instead of 
simply signing the file and creating a detached signature, the client 
has to sign [header info]+[file].

> No, wait, if an attacker has root access to the CVS server, revision
> numbers become untrusted.  Really all you're trying to achieve is to
> identify the real culprit, so that Eve can't frame Alice.

I don't think it's possible to identify any culprits with 100% 
certainty, except perhaps with a system that is designed from the ground 
up with security in mind (CVS is at the opposite end of the security 
spectrum - it was designed on the assumption that you can trust users 
not to attack the system).

At this point, I don't think we're entirely clear on what we are trying 
to achieve. It may be helpful to list the specific attacks we are trying 
to protect against. Some of the attacks have been discussed in threads 
on this list, but it would be nice to have it all collated in one place.

I think we're simply focusing on being able to detect, and if possible 
prevent, tampering with the repository after the commit. That's a lot 
easier than determining who actually performed the attack.

> How about signing the previous signature?
>
>  ----- BEGIN PGP SIGNED MESSAGE -----
>  Comment: blah blah comments are untrusted
>
>  Repository revision: 1.5     /home/cvs/cvsroot/ifsf-sst/foo.c,v
>  Chained signature:
>    ICAgaGVsbG93b3JsZHRoaXNpc3NvbWViYXNlNjRlbmNvZGVkMTdpc3RoZWZpcnN0dHJ1bHly
>    YW5kb21udW1iZXJkYXRhZnJvbWFsaWNlc2RldmVsb3BtZW50cGMK
>  #include <stdio.h>
>
>  int main()
>  {
>    printf("hello, world!\n");
>    return 0;
>  }
>  ----- BEGIN PGP SIGNATURE -----
>  gobblegobblegobble=
>  ----- END PGP SIGNATURE -----
>  (again, or its binary equivalent)

And what if the previous signature is invalid, or discovered to be from 
a compromised key? The chain is broken, and Alice has no leg to stand 
on. Signing the delta makes each commit atomic, with no dependencies on 
the validity of previous versions. In effect, Alice says "These are the 
specific changes I made, and this is the result."

> That way Alice's good-faith commit of a backdoor introduced by Eve will
> show up Eve's later fudging of the repository to make it look as if Eve
> (who has Bob's compromised key) committed good code and Alice added the
> evil code.  Okay, you can't necessarily prove that *Eve* did it, but
> you'll be able to prove Alice's innocence when you need to.
>
> Are the GPG folk listening in on this convo?  Are there discussions on
> sci.crypt or comp.software.config-mgmt that I can follow?

Not that I'm aware of. Is it worth cross-posting this discussion to one 
of these forums?

--
Jim