| Message ID | 20220504002129.286001-1-michael.roth@amd.com |
|---|---|
| State | New |
| Headers | show |
| Series | [qemu-web] Add public key for tarball-signing to download page | expand |
On 04/05/2022 02.21, Michael Roth wrote: > We used to have public keys listed on the SecurityProcess page back > when it was still part of the wiki, but they are no longer available > there and some users have asked where to obtain them so they can verify > the tarball signatures. > > That was probably not a great place for them anyway, so address this by > adding the public signing key directly to the download page. > > Since a compromised tarball has a high likelyhood of coinciding with a > compromised host (in general at least), also include some information > so they can verify the correct signing key via stable tree git tags if > desired. > > Reported-by: Stefan Hajnoczi <stefanha@redhat.com> > Signed-off-by: Michael Roth <michael.roth@amd.com> > --- > _download/source.html | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/_download/source.html b/_download/source.html > index 8671f4e..c0a55ac 100644 > --- a/_download/source.html > +++ b/_download/source.html > @@ -23,6 +23,7 @@ make > </pre> > {% endfor %} > > + <p>Source tarballs on this site are generated and signed by the package maintainer using the public key <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/CEACC9E15534EBABB82D3FA03353C9CEF108B584">F108B584</a>. I'd maybe rather use 3353C9CEF108B584 instead of just F108B584 between the <a> and </a>, since short key IDs are a no-go nowadays. Apart from that: Reviewed-by: Thomas Huth <thuth@redhat.com>
On Wed, May 04, 2022 at 08:31:24AM +0200, Thomas Huth wrote: > On 04/05/2022 02.21, Michael Roth wrote: > > We used to have public keys listed on the SecurityProcess page back > > when it was still part of the wiki, but they are no longer available > > there and some users have asked where to obtain them so they can verify > > the tarball signatures. > > > > That was probably not a great place for them anyway, so address this by > > adding the public signing key directly to the download page. > > > > Since a compromised tarball has a high likelyhood of coinciding with a > > compromised host (in general at least), also include some information > > so they can verify the correct signing key via stable tree git tags if > > desired. > > > > Reported-by: Stefan Hajnoczi <stefanha@redhat.com> > > Signed-off-by: Michael Roth <michael.roth@amd.com> > > --- > > _download/source.html | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/_download/source.html b/_download/source.html > > index 8671f4e..c0a55ac 100644 > > --- a/_download/source.html > > +++ b/_download/source.html > > @@ -23,6 +23,7 @@ make > > </pre> > > {% endfor %} > > + <p>Source tarballs on this site are generated and signed by the package maintainer using the public key <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/CEACC9E15534EBABB82D3FA03353C9CEF108B584">F108B584</a>. > > I'd maybe rather use 3353C9CEF108B584 instead of just F108B584 between the > <a> and </a>, since short key IDs are a no-go nowadays. Yes, AFAIK 32-bit key IDs are considered insecure and 64-bit should be used. Stefan
On Tue, May 03, 2022 at 07:21:29PM -0500, Michael Roth wrote: > We used to have public keys listed on the SecurityProcess page back > when it was still part of the wiki, but they are no longer available > there and some users have asked where to obtain them so they can verify > the tarball signatures. > > That was probably not a great place for them anyway, so address this by > adding the public signing key directly to the download page. > > Since a compromised tarball has a high likelyhood of coinciding with a > compromised host (in general at least), also include some information > so they can verify the correct signing key via stable tree git tags if > desired. > > Reported-by: Stefan Hajnoczi <stefanha@redhat.com> > Signed-off-by: Michael Roth <michael.roth@amd.com> > --- > _download/source.html | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/_download/source.html b/_download/source.html > index 8671f4e..c0a55ac 100644 > --- a/_download/source.html > +++ b/_download/source.html > @@ -23,6 +23,7 @@ make > </pre> > {% endfor %} > > + <p>Source tarballs on this site are generated and signed by the package maintainer using the public key <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/CEACC9E15534EBABB82D3FA03353C9CEF108B584">F108B584</a>. This key is also used to tag the QEMU stable releases in the official QEMU gitlab mirror, and so can be verified through git as well if there are concerns about the authenticity of this information.</p> Line wrap your text at 80 cols please. Also when downloading the key from that link, it does not contain any user IDs, which does not fill me with confidence as someone wanting to verify QEMU releases. Is there a link we can use which has the user IDs in the key ? I don't think we need to put the caveat about authenticity in the last sentance, as that's just needlessly sowing seeds of doubt IMHO. Lets keep is simple & clearly identify the key owner, so people can match what they download against what we display, thus: <p>Git tags and source tarballs for official QEMU releases are signed by the release manager using <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/CEACC9E15534EBABB82D3FA03353C9CEF108B584">this GPG Public Key</a>: </p> <pre> pub rsa2048/0x3353C9CEF108B584 2013-10-18 [SC] Key fingerprint = CEAC C9E1 5534 EBAB B82D 3FA0 3353 C9CE F108 B584 uid Michael Roth <flukshun@gmail.com> uid Michael Roth <mdroth@utexas.edu> uid Michael Roth <mdroth@linux.vnet.ibm.com> sub rsa2048/0x3B0B7D75D7AC684E 2013-10-18 [E] </pre> Might be good to republish your key with updated UID for your AMD email addr too, so there's an unambiguous connection between the email addr you use you announce releases on the mailing list and the key used to sign. With regards, Daniel
diff --git a/_download/source.html b/_download/source.html index 8671f4e..c0a55ac 100644 --- a/_download/source.html +++ b/_download/source.html @@ -23,6 +23,7 @@ make </pre> {% endfor %} + <p>Source tarballs on this site are generated and signed by the package maintainer using the public key <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/CEACC9E15534EBABB82D3FA03353C9CEF108B584">F108B584</a>. This key is also used to tag the QEMU stable releases in the official QEMU gitlab mirror, and so can be verified through git as well if there are concerns about the authenticity of this information.</p> <p>To download and build QEMU from git:</p> <pre>git clone https://gitlab.com/qemu-project/qemu.git cd qemu
We used to have public keys listed on the SecurityProcess page back when it was still part of the wiki, but they are no longer available there and some users have asked where to obtain them so they can verify the tarball signatures. That was probably not a great place for them anyway, so address this by adding the public signing key directly to the download page. Since a compromised tarball has a high likelyhood of coinciding with a compromised host (in general at least), also include some information so they can verify the correct signing key via stable tree git tags if desired. Reported-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Michael Roth <michael.roth@amd.com> --- _download/source.html | 1 + 1 file changed, 1 insertion(+)