* [qemu-web PATCH] Add public key for tarball-signing to download page
@ 2022-05-04 0:21 Michael Roth
2022-05-04 6:31 ` Thomas Huth
2022-05-04 10:40 ` Daniel P. Berrangé
0 siblings, 2 replies; 4+ messages in thread
From: Michael Roth @ 2022-05-04 0:21 UTC (permalink / raw)
To: qemu-devel; +Cc: pbonzini, peter.maydell, thuth, stefanha
We used to have public keys listed on the SecurityProcess page back
when it was still part of the wiki, but they are no longer available
there and some users have asked where to obtain them so they can verify
the tarball signatures.
That was probably not a great place for them anyway, so address this by
adding the public signing key directly to the download page.
Since a compromised tarball has a high likelihood of coinciding with a
compromised host (in general at least), also include some information
so they can verify the correct signing key via stable tree git tags if
desired.
Reported-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
_download/source.html | 1 +
1 file changed, 1 insertion(+)
diff --git a/_download/source.html b/_download/source.html
index 8671f4e..c0a55ac 100644
--- a/_download/source.html
+++ b/_download/source.html
@@ -23,6 +23,7 @@ make
</pre>
{% endfor %}
+ <p>Source tarballs on this site are generated and signed by the package maintainer using the public key <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/CEACC9E15534EBABB82D3FA03353C9CEF108B584">F108B584</a>. This key is also used to tag the QEMU stable releases in the official QEMU gitlab mirror, and so can be verified through git as well if there are concerns about the authenticity of this information.</p>
<p>To download and build QEMU from git:</p>
<pre>git clone https://gitlab.com/qemu-project/qemu.git
cd qemu
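Review bot: The link text in the added <p> shows only the 32-bit short key ID F108B584, which is trivially collidable and gives a reader nothing to compare against `gpg --fingerprint`; display the full fingerprint (CEAC C9E1 5534 EBAB B82D 3FA0 3353 C9CE F108 B584) or at least the 64-bit ID 3353C9CEF108B584, and name the key owner instead of "the package maintainer" so that the user IDs on the downloaded key can be matched to what the page says. The new paragraph is also a single very long line; wrap it at 80 columns.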
--
2.25.1
* Re: [qemu-web PATCH] Add public key for tarball-signing to download page
2022-05-04 0:21 [qemu-web PATCH] Add public key for tarball-signing to download page Michael Roth
@ 2022-05-04 6:31 ` Thomas Huth
2022-05-04 9:25 ` Stefan Hajnoczi
2022-05-04 10:40 ` Daniel P. Berrangé
1 sibling, 1 reply; 4+ messages in thread
From: Thomas Huth @ 2022-05-04 6:31 UTC (permalink / raw)
To: Michael Roth, qemu-devel; +Cc: pbonzini, peter.maydell, stefanha
On 04/05/2022 02.21, Michael Roth wrote:
> We used to have public keys listed on the SecurityProcess page back
> when it was still part of the wiki, but they are no longer available
> there and some users have asked where to obtain them so they can verify
> the tarball signatures.
>
> That was probably not a great place for them anyway, so address this by
> adding the public signing key directly to the download page.
>
> Since a compromised tarball has a high likelihood of coinciding with a
> compromised host (in general at least), also include some information
> so they can verify the correct signing key via stable tree git tags if
> desired.
>
> Reported-by: Stefan Hajnoczi <stefanha@redhat.com>
> Signed-off-by: Michael Roth <michael.roth@amd.com>
> ---
> _download/source.html | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/_download/source.html b/_download/source.html
> index 8671f4e..c0a55ac 100644
> --- a/_download/source.html
> +++ b/_download/source.html
> @@ -23,6 +23,7 @@ make
> </pre>
> {% endfor %}
>
> + <p>Source tarballs on this site are generated and signed by the package maintainer using the public key <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/CEACC9E15534EBABB82D3FA03353C9CEF108B584">F108B584</a>.
I'd maybe rather use 3353C9CEF108B584 instead of just F108B584 between the
<a> and </a>, since short key IDs are a no-go nowadays.
Apart from that:
Reviewed-by: Thomas Huth <thuth@redhat.com>
* Re: [qemu-web PATCH] Add public key for tarball-signing to download page
2022-05-04 6:31 ` Thomas Huth
@ 2022-05-04 9:25 ` Stefan Hajnoczi
0 siblings, 0 replies; 4+ messages in thread
From: Stefan Hajnoczi @ 2022-05-04 9:25 UTC (permalink / raw)
To: Thomas Huth; +Cc: Michael Roth, qemu-devel, pbonzini, peter.maydell
On Wed, May 04, 2022 at 08:31:24AM +0200, Thomas Huth wrote:
> On 04/05/2022 02.21, Michael Roth wrote:
> > We used to have public keys listed on the SecurityProcess page back
> > when it was still part of the wiki, but they are no longer available
> > there and some users have asked where to obtain them so they can verify
> > the tarball signatures.
> >
> > That was probably not a great place for them anyway, so address this by
> > adding the public signing key directly to the download page.
> >
> > Since a compromised tarball has a high likelihood of coinciding with a
> > compromised host (in general at least), also include some information
> > so they can verify the correct signing key via stable tree git tags if
> > desired.
> >
> > Reported-by: Stefan Hajnoczi <stefanha@redhat.com>
> > Signed-off-by: Michael Roth <michael.roth@amd.com>
> > ---
> > _download/source.html | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/_download/source.html b/_download/source.html
> > index 8671f4e..c0a55ac 100644
> > --- a/_download/source.html
> > +++ b/_download/source.html
> > @@ -23,6 +23,7 @@ make
> > </pre>
> > {% endfor %}
> > + <p>Source tarballs on this site are generated and signed by the package maintainer using the public key <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/CEACC9E15534EBABB82D3FA03353C9CEF108B584">F108B584</a>.
>
> I'd maybe rather use 3353C9CEF108B584 instead of just F108B584 between the
> <a> and </a>, since short key IDs are a no-go nowadays.
Yes, AFAIK 32-bit key IDs are considered insecure and 64-bit should be
used.
Stefan
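Thomas's and Stefan's point that 32-bit key IDs are unsafe follows directly from how OpenPGP derives a key ID: it is nothing more than the trailing bytes of the key's fingerprint, and a 32-bit suffix can be matched by brute force in about 2^32 key generations. The following is an added example, not code from the qemu-web patch or from the QEMU project: it builds a v4 public-key packet body from constructed toy RSA parameters (not a real key), computes the fingerprint exactly as RFC 4880 section 12.2 specifies, slices the 64-bit and 32-bit IDs out of it, and implements the check a download page or verifier should apply, accepting a full fingerprint or a 64-bit ID and refusing anything shorter. The QEMU fingerprint constant is the one linked in the patch; the toy modulus and the creation timestamp are made up.

```python
# Added example, not code from the qemu-web patch or the QEMU project.
# Derives an OpenPGP v4 fingerprint from a public-key packet body
# (RFC 4880, section 12.2) and shows that the 64-bit and 32-bit key IDs
# are just the trailing bytes of that fingerprint.
import hashlib

# Fingerprint of the QEMU release-signing key as linked in the patch.
QEMU_RELEASE_FPR = "CEACC9E15534EBABB82D3FA03353C9CEF108B584"


def _mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit count, then big-endian bytes."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")


def build_v4_rsa_pubkey_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 public-key packet for RSA (RFC 4880, section 5.5.2):
    version 4, 4-octet creation time, algorithm 1 (RSA), MPI n, MPI e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + _mpi(n) + _mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, a 2-octet body length and the body itself; upper-case hex."""
    if len(body) > 0xFFFF:
        raise ValueError("v4 fingerprint input is limited by its 2-octet length field")
    prefix = b"\x99" + len(body).to_bytes(2, "big")
    return hashlib.sha1(prefix + body).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """64-bit key ID: the low-order 8 octets of the fingerprint."""
    return fingerprint[-16:]


def short_key_id(fingerprint: str) -> str:
    """32-bit key ID: the low-order 4 octets. Roughly 2^32 key generations collide it."""
    return fingerprint[-8:]


def format_fingerprint(fingerprint: str) -> str:
    """Render the way `gpg --fingerprint` does: groups of four, a double space after five."""
    groups = [fingerprint[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def key_id_matches(provided: str, expected_fingerprint: str) -> bool:
    """Accept a full fingerprint or a 64-bit key ID that matches; refuse anything
    shorter, since a 32-bit ID can be forged for a chosen target at trivial cost."""
    ident = provided.replace(" ", "").upper()
    if ident.startswith("0X"):
        ident = ident[2:]
    if len(ident) not in (16, 40) or any(c not in "0123456789ABCDEF" for c in ident):
        return False
    return expected_fingerprint.upper().endswith(ident)


# Constructed toy key material (not a real key): a 64-bit odd "modulus", e = 65537,
# creation time 2013-10-18 00:00 UTC to mirror the key listing in this thread.
TOY_BODY = build_v4_rsa_pubkey_body(n=0xC0FFEE1234567891, e=65537, created=1382054400)

if __name__ == "__main__":
    fpr = v4_fingerprint(TOY_BODY)
    print("toy fingerprint :", format_fingerprint(fpr))
    print("toy long key ID :", long_key_id(fpr))
    print("toy short key ID:", short_key_id(fpr))
    print("QEMU long key ID:", long_key_id(QEMU_RELEASE_FPR))
    print("F108B584 accepted?", key_id_matches("F108B584", QEMU_RELEASE_FPR))
```

The practical consequence for a download page is that whatever identifier it prints should be something `key_id_matches` would accept: the fingerprint, or failing that the 64-bit ID, so a reader can compare it against `gpg --fingerprint` output after importing the key.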
* Re: [qemu-web PATCH] Add public key for tarball-signing to download page
2022-05-04 0:21 [qemu-web PATCH] Add public key for tarball-signing to download page Michael Roth
2022-05-04 6:31 ` Thomas Huth
@ 2022-05-04 10:40 ` Daniel P. Berrangé
1 sibling, 0 replies; 4+ messages in thread
From: Daniel P. Berrangé @ 2022-05-04 10:40 UTC (permalink / raw)
To: Michael Roth; +Cc: qemu-devel, pbonzini, peter.maydell, thuth, stefanha
On Tue, May 03, 2022 at 07:21:29PM -0500, Michael Roth wrote:
> We used to have public keys listed on the SecurityProcess page back
> when it was still part of the wiki, but they are no longer available
> there and some users have asked where to obtain them so they can verify
> the tarball signatures.
>
> That was probably not a great place for them anyway, so address this by
> adding the public signing key directly to the download page.
>
> Since a compromised tarball has a high likelihood of coinciding with a
> compromised host (in general at least), also include some information
> so they can verify the correct signing key via stable tree git tags if
> desired.
>
> Reported-by: Stefan Hajnoczi <stefanha@redhat.com>
> Signed-off-by: Michael Roth <michael.roth@amd.com>
> ---
> _download/source.html | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/_download/source.html b/_download/source.html
> index 8671f4e..c0a55ac 100644
> --- a/_download/source.html
> +++ b/_download/source.html
> @@ -23,6 +23,7 @@ make
> </pre>
> {% endfor %}
>
> + <p>Source tarballs on this site are generated and signed by the package maintainer using the public key <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/CEACC9E15534EBABB82D3FA03353C9CEF108B584">F108B584</a>. This key is also used to tag the QEMU stable releases in the official QEMU gitlab mirror, and so can be verified through git as well if there are concerns about the authenticity of this information.</p>
Line wrap your text at 80 cols please.
Also when downloading the key from that link, it does not contain any
user IDs, which does not fill me with confidence as someone wanting
to verify QEMU releases. Is there a link we can use which has the
user IDs in the key?
I don't think we need to put the caveat about authenticity in the
last sentence, as that's just needlessly sowing seeds of doubt
IMHO. Let's keep it simple & clearly identify the key owner, so people can
match what they download against what we display, thus:
<p>Git tags and source tarballs for official QEMU releases are signed by
the release manager using
<a href="https://keys.openpgp.org/vks/v1/by-fingerprint/CEACC9E15534EBABB82D3FA03353C9CEF108B584">this GPG Public Key</a>:
</p>
<pre>
pub rsa2048/0x3353C9CEF108B584 2013-10-18 [SC]
Key fingerprint = CEAC C9E1 5534 EBAB B82D 3FA0 3353 C9CE F108 B584
uid Michael Roth <flukshun@gmail.com>
uid Michael Roth <mdroth@utexas.edu>
uid Michael Roth <mdroth@linux.vnet.ibm.com>
sub rsa2048/0x3B0B7D75D7AC684E 2013-10-18 [E]
</pre>
Might be good to republish your key with updated UID for your AMD email
addr too, so there's an unambiguous connection between the email addr
you use to announce releases on the mailing list and the key used to
sign.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
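Daniel's two observations, that the key served by that link carries no user IDs and that readers should be able to match what they download against what the page displays, translate into a concrete check a release verifier can run before trusting a key. (keys.openpgp.org publishes a user ID only after the address owner has confirmed it by mail, which is why a key fetched from it can arrive without any.) The following is an added example, not code from the patch, from qemu-web or from GnuPG: it parses the colon-delimited listing that `gpg --with-colons --with-fingerprint` prints for a key (the field layout is documented in GnuPG's doc/DETAILS), attributes each `fpr` record to the `pub` or `sub` record before it, pins the primary fingerprint, rejects a key with no user IDs, and looks for one specific address. The sample listings are constructed from the key listing quoted in the reply above; the creation times and the subkey fingerprint are placeholders, not values fetched from a keyserver.

```python
# Added example, not code from the qemu-web patch, the QEMU project or GnuPG.
# Parses the machine-readable listing that `gpg --with-colons --with-fingerprint`
# prints for a key and pins it to an expected fingerprint and user ID.

# Constructed sample listing, modelled on the key listing quoted in the thread.
# Creation times and the subkey fingerprint are placeholders.
SAMPLE_LISTING = """\
pub:-:2048:1:3353C9CEF108B584:1382054400:::-:::scSC::::::23::0:
fpr:::::::::CEACC9E15534EBABB82D3FA03353C9CEF108B584:
uid:-::::1382054400::::Michael Roth <flukshun@gmail.com>::::::::::0:
uid:-::::1382054400::::Michael Roth <mdroth@utexas.edu>::::::::::0:
uid:-::::1382054400::::Michael Roth <mdroth@linux.vnet.ibm.com>::::::::::0:
sub:-:2048:1:3B0B7D75D7AC684E:1382054400::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:
"""

# The same key as a keyserver that strips unverified identities would serve it.
NO_UID_LISTING = "\n".join(
    line for line in SAMPLE_LISTING.splitlines() if not line.startswith("uid:")
) + "\n"


def parse_colon_listing(text: str) -> dict:
    """Group `pub`/`sub` records with the `fpr` record that follows each of them
    and collect `uid` records. Indices follow gpg's doc/DETAILS (1-based there):
    index 2 key length, 3 algorithm, 4 key ID, 5 creation, 9 fingerprint or
    user ID, 11 capabilities. Unknown record types (tru, sig, ...) are skipped."""
    primary, subkeys, uids, current = None, [], [], None
    for line in text.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec in ("pub", "sub"):
            current = {
                "keyid": fields[4],
                "bits": int(fields[2]),
                "algo": fields[3],
                "created": fields[5],
                "caps": fields[11] if len(fields) > 11 else "",
                "fpr": None,
            }
            if rec == "pub":
                primary = current
            else:
                subkeys.append(current)
        elif rec == "fpr" and current is not None:
            current["fpr"] = fields[9].upper()
        elif rec == "uid":
            uids.append(fields[9])
    return {"primary": primary, "subkeys": subkeys, "uids": uids}


def check_release_key(listing: str, expected_fpr: str, required_email: str) -> list:
    """Return the policy violations found; an empty list means the key is the one expected."""
    info = parse_colon_listing(listing)
    primary = info["primary"]
    if primary is None or primary["fpr"] is None:
        return ["listing has no primary key with a fingerprint"]
    problems = []
    if primary["fpr"] != expected_fpr.upper():
        problems.append(f"fingerprint mismatch: got {primary['fpr']}")
    if primary["fpr"][-16:] != primary["keyid"].upper():
        problems.append("key ID is not the low 64 bits of the fingerprint")
    if "s" not in primary["caps"].lower():
        problems.append("primary key is not sign-capable")
    if not info["uids"]:
        problems.append("key carries no user IDs")
    if not any(uid.endswith(f"<{required_email}>") for uid in info["uids"]):
        problems.append(f"no user ID for {required_email}")
    return problems


if __name__ == "__main__":
    expected = "CEACC9E15534EBABB82D3FA03353C9CEF108B584"
    for name, listing in (("full key", SAMPLE_LISTING), ("stripped key", NO_UID_LISTING)):
        print(name, "->", check_release_key(listing, expected, "flukshun@gmail.com") or "OK")
```

To run this against a real key, feed it the output of `gpg --with-colons --with-fingerprint --show-keys key.asc` (GnuPG 2.2 or newer) and set `required_email` to the address the release announcement is sent from, which is the link Daniel asks for between the announcing address and the signing key.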