Removal of any signatures system

Posted Apr 12, 2018 17:25 UTC (Thu) by mmerickel (guest, #117211)
In reply to: Removal of any signatures system by sumanah
Parent article: A new package index for Python

So we can sign releases with the keys we already added to our accounts but we can't change, upload or view keys on the web ui. We're stuck with whatever we put into the system before the switch in a couple weeks.


Removal of any signatures system

Posted Apr 12, 2018 18:06 UTC (Thu) by jwilk (subscriber, #63328) [Link]

Wait, there was UI to "change, upload or view keys" in the old PyPI?

As far as I could see, the only thing related to OpenPGP key management was a field where you could put a 32-bit(!) key ID. But this field wasn't used for anything.

Removal of any signatures system

Posted Apr 12, 2018 18:34 UTC (Thu) by dstufft (guest, #93456) [Link] (2 responses)

This is incorrect.

There were two distinct features that dealt with PGP signatures on PyPI:

1. The ability to associate a PGP key identity with your user account.
2. The ability to upload a detached signature alongside the file during upload, and having that available for download, and displayed in the UI.

These two features were, as far as the code itself was concerned, entirely unrelated. You could (and still can) submit a detached signature using any key that you possess regardless of what PyPI thinks your public key is via the mechanism in (1). The only purpose of the mechanism in (1) is to allow people to discover what your public key is, theoretically to then allow them to validate the signatures if you used that public key.

So what's changed in the new PyPI?

Well (1) is gone, because it is almost entirely pointless. The only way to add or get the information stored in that field is using a HTTP request protected by TLS. If you rely on trusting that field, then the security of the system you've created devolves into trusting TLS, and if you're trusting TLS then you might as well trust TLS for everything and not just one part of it.

(2) still exists and works, you can still sign files with whatever key you possess and upload a detached signature as part of the file upload. The only thing that has changed in regards to (2) is that we will no longer indicate in the UI if a file has been PGP signed or not, nor provide a link in the UI to download it. The file is still available for download (using the URL specified in PEP 503) and it is still possible to upload signatures.
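The PEP 503 layout referred to above, as an added example that is not code from this thread or from Warehouse: a client parses a project's simple-index page, derives the detached-signature URL (file URL plus ".asc") and the optional data-gpg-sig hint for each file, and verifies a downloaded file against a keyring it populated itself. The index HTML, project name and digest are constructed placeholders; the verification helper assumes a gpg binary on PATH.

```python
import subprocess
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample of a PEP 503 project page; names and the digest are placeholders.
SAMPLE_INDEX = f"""<html><body>
<a href="../../packages/aa/bb/examplepkg-1.0.tar.gz#sha256={'ab' * 32}" data-gpg-sig="true">examplepkg-1.0.tar.gz</a>
<a href="../../packages/cc/dd/examplepkg-1.1-py3-none-any.whl" data-gpg-sig="false">examplepkg-1.1-py3-none-any.whl</a>
<a href="../../packages/ee/ff/examplepkg-1.2.tar.gz">examplepkg-1.2.tar.gz</a>
</body></html>"""

class _LinkParser(HTMLParser):
    """Collects every <a href> together with its optional data-gpg-sig attribute."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "href" in a:
            self.links.append((a["href"], a.get("data-gpg-sig")))

def find_signatures(index_html, page_url):
    """Map each file name to its URL, its PEP 503 signature URL (file URL + ".asc"),
    the sha256 from the fragment, and the data-gpg-sig hint (None when absent)."""
    parser = _LinkParser()
    parser.feed(index_html)
    files = {}
    for href, hint in parser.links:
        parts = urlparse(urljoin(page_url, href))
        file_url = parts._replace(fragment="").geturl()
        digest = parts.fragment[len("sha256="):] if parts.fragment.startswith("sha256=") else None
        files[parts.path.rsplit("/", 1)[-1]] = {
            "file": file_url,
            "sig": file_url + ".asc",
            "sha256": digest,
            "gpg_sig": None if hint is None else hint == "true",
        }
    return files

def verify_detached(file_path, sig_path, keyring):
    """Verify sig_path over file_path with gpg, accepting only keys in `keyring`."""
    # `keyring` is a keyring file you populated yourself: pinning the signer's key there
    # is the TOFU step, since the index no longer tells you which key to expect.
    cmd = ["gpg", "--batch", "--status-fd", "1", "--no-default-keyring",
           "--keyring", keyring, "--verify", sig_path, file_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode == 0 and "[GNUPG:] VALIDSIG" in proc.stdout
```

A file with data-gpg-sig="false" or with no hint at all may still have no ".asc" at that URL, so treat a 404 there as "unsigned", not as an error.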

Removal of any signatures system

Posted Apr 12, 2018 18:52 UTC (Thu) by anarcat (subscriber, #66354) [Link] (1 responses)

What's interesting with (1) is that it does make the pypi x509 a trust anchor that can be used to fetch OpenPGP keys that can then be used in a TOFU manner. By removing this, that task is relegated to the keyservers which we know to have hostile material because of their open nature...

So I don't think (1) was completely pointless: more channels to verify OpenPGP keys is always a good thing... I understand you're taking the direction of TUF to fix that problem, but I figured that *removing* the feature wasn't exactly necessary in order to get there...

Of course, maybe it's the reverse and the feature was never implemented in Warehouse in which case I understand better the decision: no need implementing a feature in a "wrong" way that will be implemented in another "better" way later. :)

Thanks for the clarification!

Removal of any signatures system

Posted Apr 12, 2018 19:04 UTC (Thu) by dstufft (guest, #93456) [Link]

> Of course, maybe it's the reverse and the feature was never implemented in Warehouse in which case I understand better the decision: no need implementing a feature in a "wrong" way that will be implemented in another "better" way later. :)

Yea, that feature was never implemented in Warehouse (other than modeling the database tables needed to support it so our auto migration scripts wouldn't try to remove them).


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds