* GPG signing of upstream release tags
@ 2017-02-09 15:03 David Disseldorp
From: David Disseldorp @ 2017-02-09 15:03 UTC (permalink / raw)
  To: ceph-devel@vger.kernel.org

Hi,

TL;DR: release tags should be GPG signed, to allow for downstream source
       verification.

Upstream Ceph releases are currently tagged in Git by the Jenkins Build
Slave User following successful testing. Since v11.0.0/v10.0.5/v0.94.3,
these tags have not been GPG signed, so downstream consumers have no
reliable way of verifying that the source they have matches the reviewed
and tested upstream release source.

Release announcements also (AFAICT) make no mention of the tag's
corresponding SHA-1 commit hash.

IMO, failing to offer users/packagers a means of verification places too
much trust in Github[1], and could again lead to an incident similar in
severity to the previous ceph.com / download.inktank.com intrusion[2]
detected in 2015.

To address this, I propose that:
- *All* future upstream releases tags and tarballs are GPG signed by the
  release manager.
- The signing key used by the release manager is signed by Sage's GPG
  key, and / or keys of other Core Team members.
- The public key is available on Ceph.com.
- Downstream users / packagers are instructed to verify their sources.

Any thoughts?

Cheers, David

1. Github Security Vulnerability (2012)
   https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation
2. ceph.com / download.inktank.com intrusion (2015)
   http://ceph.com/releases/important-security-notice-regarding-signing-key-and-binary-downloads-of-ceph/

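The verification workflow the proposal above asks downstream packagers to run, as an added example that is not part of the original post or of the Ceph project's release tooling. It runs end to end against a throwaway GPG key and git repository so it is self-contained; the key identity, tag name and tarball are constructed for the demo, where a real check would import the published ceph.com release key and point at the upstream tag.

```shell
#!/bin/sh
# Added example (not from the thread): release-manager signing of a tag and
# tarball, followed by the packager-side verification. All names below are
# constructed for the demo; nothing touches the caller's real keyring.
set -eu

# Isolated GPG home and git repo with one throwaway, unprotected signing key.
setup_demo() {
  DEMO="$(mktemp -d)"
  export GNUPGHOME="$DEMO/gnupg"
  mkdir -m 700 "$GNUPGHOME"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "Demo Release Manager <rm@example.invalid>" default default never
  git init -q "$DEMO/repo"
  cd "$DEMO/repo"
  echo "demo source" > README
  git add README
  git -c user.name=demo -c user.email=rm@example.invalid commit -q -m "release"
}

# Release-manager side: signed annotated tag plus a detached, armored
# signature on the tarball produced from that tag.
sign_release() {
  git -c user.name=demo -c user.email=rm@example.invalid \
      -c user.signingkey=rm@example.invalid tag -s -m "v1.0.0" v1.0.0
  git archive --format=tar --prefix=v1.0.0/ v1.0.0 > v1.0.0.tar
  gpg --batch --quiet --local-user rm@example.invalid --detach-sign --armor v1.0.0.tar
}

# Packager side: both the tag and the tarball signature must verify against
# a key in the local keyring; on success print the commit the tag resolves
# to, which is the value a release announcement should also carry.
verify_release() {
  git verify-tag v1.0.0 2>/dev/null || return 1
  gpg --batch --quiet --verify v1.0.0.tar.asc v1.0.0.tar 2>/dev/null || return 1
  git rev-parse "v1.0.0^{commit}"
}

# Failure mode: a modified tarball no longer matches its detached signature.
tampered_fails() {
  printf 'x' >> v1.0.0.tar
  if gpg --batch --quiet --verify v1.0.0.tar.asc v1.0.0.tar 2>/dev/null; then
    return 1
  fi
  return 0
}
```

The same `git verify-tag` / `gpg --verify` pair is what a packaging spec or build script would run before unpacking an upstream release.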

* Re: GPG signing of upstream release tags
From: Abhishek L @ 2017-02-09 20:32 UTC (permalink / raw)
  To: David Disseldorp; +Cc: ceph-devel@vger.kernel.org


David Disseldorp writes:

> Hi,
>
> TL;DR: release tags should be GPG signed, to allow for downstream source
>        verification.
>
> Upstream Ceph releases are currently tagged in Git by the Jenkins Build
> Slave User following successful testing. Since v11.0.0/v10.0.5/v0.94.3,
> these tags have not been GPG signed, so downstream consumers have no
> reliable way of verifying that the source they have matches the reviewed
> and tested upstream release source.
>
> Release announcements also (AFAICT) make no mention of the tag's
> corresponding SHA-1 commit hash.
>
> IMO, failing to offer users/packagers a means of verification places too
> much trust in Github[1], and could again lead to an incident similar in
> severity to the previous ceph.com / download.inktank.com intrusion[2]
> detected in 2015.

+1, I'll add the commit sha1 as well while doing the release
announcements. Remind me if I don't.
>
> To address this, I propose that:
> - *All* future upstream releases tags and tarballs are GPG signed by the
>   release manager.
> - The signing key used by the release manager is signed by Sage's GPG
>   key, and / or keys of other Core Team members.
> - The public key is available on Ceph.com.
> - Downstream users / packagers are instructed to verify their sources.

Currently the git tag is done via a jenkins job (which I believe calls
ansible) to do the git tag + deb package versions, since we already sign
the deb packages with the release key, maybe Andrew/Alfredo can comment
on how easy it would be to add gpg signing of git tags in the jenkins
tag workflow itself?

Best,
Abhishek


* Re: GPG signing of upstream release tags
From: Ken Dreyer @ 2017-02-10  4:42 UTC (permalink / raw)
  To: Abhishek L; +Cc: David Disseldorp, ceph-devel@vger.kernel.org

On Thu, Feb 9, 2017 at 1:32 PM, Abhishek L <abhishek@suse.com> wrote:
> Since v11.0.0/v10.0.5/v0.94.3,
>> these tags have not been GPG signed, so downstream consumers have no
>> reliable way of verifying that the source they have matches the reviewed
>> and tested upstream release source.

The old ceph.com GPG key had been copied to too many places, including
some of the Jenkins slaves, which was bad. Today there is a central
signer box behind a firewall with very restricted access.

I'll talk with Andrew and Alfredo about GPG signing Git tags and
source tarballs going forward, because I think we can script something
here to make it easier. I agree that it's important.

- Ken


* Re: GPG signing of upstream release tags
From: David Disseldorp @ 2017-07-05 12:09 UTC (permalink / raw)
  To: Ken Dreyer; +Cc: Abhishek L, ceph-devel@vger.kernel.org

Hi,

On Thu, 9 Feb 2017 21:42:55 -0700, Ken Dreyer wrote:

> On Thu, Feb 9, 2017 at 1:32 PM, Abhishek L <abhishek@suse.com> wrote:
> > Since v11.0.0/v10.0.5/v0.94.3,
> >> these tags have not been GPG signed, so downstream consumers have no
> >> reliable way of verifying that the source they have matches the reviewed
> >> and tested upstream release source.
> 
> The old ceph.com GPG key had been copied to too many places, including
> some of the Jenkins slaves, which was bad. Today there is a central
> signer box behind a firewall with very restricted access.
> 
> I'll talk with Andrew and Alfredo about GPG signing Git tags and
> source tarballs going forward, because I think we can script something
> here to make it easier. I agree that it's important.

Any updates here? I notice that the Luminous tags are still missing GPG
signatures. My preference would be to have the signing done explicitly
by someone involved in the upstream release, using their own personal
keys, rather than using an automated signer box.

Cheers, David
