GNU bug report logs -
#61277
FR: ELPA security - Restrict package builds to signed git commits
Daniel Mendler <mail <at> daniel-mendler.de> writes:
> My git commits are usually signed, so one could check the signature of
> each commit which leads to a package build. This feature could be opt-in
> for now, enabled via an attribute :signature in the elpa-packages
> configuration. Maybe elpa-packages could store the fingerprint(s) of the
> expected GPG key(s)?
I think that requiring every single commit to be signed is overkill.
Maybe just the release tags?
I guess, :signature, if optional, may allow multiple levels of
verification:
1. nil :: no verification
2. (tags key1 key2 ...) :: verify release tags to match any of the
listed GPG keys
3. (commits key1 key2 ...) :: verify every commit
I am not sure what would be the most reliable way to specify the keys.
Also, people with write access to the ELPA repo may be required to sign
their commits -- in the case of a security breach, if the SSH key gets
stolen, signing may be a barrier protecting the elpa-packages
configuration from the injection of malicious GPG keys.
--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
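The verification levels proposed above (nil, `(tags key1 key2 ...)`, `(commits key1 key2 ...)`) can be checked against `git verify-tag --raw` / `git verify-commit --raw`, which print gpg's machine-readable status lines to stderr. The following is an added example written for this thread; it is not part of the ELPA build scripts or of any patch posted here. It assumes a policy tuple mirroring the three levels, an allowlist of full 40-hex-digit key fingerprints (short key IDs are not unique enough to serve as an allowlist), and a local git checkout. The gpg status text in the block is constructed sample output, not captured from a real signature.

```python
"""Check git tag/commit signatures against an allowlist of GPG fingerprints.

Added example for the :signature policy discussed in bug#61277.
Policy shapes assumed here (hypothetical, following the thread):
    None                      -> no verification
    ("tags", {fpr, ...})      -> verify every tag
    ("commits", {fpr, ...})   -> verify every commit reachable from HEAD
"""
import subprocess

REJECT_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def normalize_fingerprint(fpr):
    """Canonical form: upper-case hex with no spaces, so '0f1e 2d3c' == '0F1E2D3C'."""
    return "".join(fpr.split()).upper()


def parse_gpg_status(status_text):
    """Parse '[GNUPG:] ...' status lines (as printed by `git verify-* --raw`).

    Returns (good, fingerprints): `good` is True only when gpg reported GOODSIG
    and no rejecting status; `fingerprints` holds the signing key fingerprint
    from VALIDSIG plus the primary key fingerprint when gpg appends it.
    """
    good = False
    rejected = False
    fingerprints = set()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable gpg chatter, ignore
        fields = line.split()
        if len(fields) < 2:
            continue
        status = fields[1]
        if status == "GOODSIG":
            good = True
        elif status in REJECT_TAGS:
            rejected = True
        elif status == "VALIDSIG" and len(fields) >= 3:
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pkalgo>
            #          <hashalgo> <sigclass> [<primary-key-fpr>]
            fingerprints.add(normalize_fingerprint(fields[2]))
            if len(fields) >= 12:
                fingerprints.add(normalize_fingerprint(fields[11]))
    return good and not rejected, fingerprints


def signature_accepted(status_text, allowed_fingerprints):
    """True iff the signature is good AND was made by an allowlisted key."""
    good, fingerprints = parse_gpg_status(status_text)
    allowed = {normalize_fingerprint(f) for f in allowed_fingerprints}
    return good and bool(fingerprints & allowed)


def verify_ref(repo, kind, ref, allowed_fingerprints):
    """Run `git verify-tag/verify-commit --raw` on one ref and apply the allowlist."""
    subcmd = {"tags": "verify-tag", "commits": "verify-commit"}[kind]
    proc = subprocess.run(["git", "-C", repo, subcmd, "--raw", ref],
                          capture_output=True, text=True)
    # --raw sends the gpg status lines to stderr; exit status alone is not
    # enough because it says nothing about *which* key signed.
    return signature_accepted(proc.stderr, allowed_fingerprints)


def list_refs(repo, kind):
    """Refs the policy level requires checking: all tags, or all commits on HEAD."""
    args = ["tag", "--list"] if kind == "tags" else ["rev-list", "HEAD"]
    out = subprocess.run(["git", "-C", repo] + args, capture_output=True,
                         text=True, check=True).stdout
    return out.split()


def verify_repo(repo, policy):
    """Apply a :signature policy; returns the list of refs that failed."""
    if policy is None:
        return []
    kind, allowed = policy
    return [r for r in list_refs(repo, kind)
            if not verify_ref(repo, kind, r, allowed)]


# Constructed sample status output (not from a real key); two fingerprints
# stand in for a signing subkey and its primary key.
SUBKEY_FPR = "1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0B"
PRIMARY_FPR = "0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C"
GOOD_STATUS = f"""gpg: Signature made Sat Feb  4 12:00:00 2023 UTC
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 3A4B5C6D7E8F9A0B Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG {SUBKEY_FPR} 2023-02-04 1675512000 0 4 0 22 8 01 {PRIMARY_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
EXPIRED_STATUS = GOOD_STATUS.replace("GOODSIG", "EXPKEYSIG")
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 3A4B5C6D7E8F9A0B Example Maintainer\n"

if __name__ == "__main__":
    print("allowlisted primary key:", signature_accepted(GOOD_STATUS, {PRIMARY_FPR}))
    print("unknown key:", signature_accepted(GOOD_STATUS, {"DEADBEEF" * 5}))
```

Matching on the primary key fingerprint as well as the signing subkey means the allowlist in elpa-packages can name the maintainer's primary key and still accept signatures made with a rotated signing subkey, while a GOODSIG from a key that is not listed is rejected regardless of gpg's own trust setting.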