Credit goes to lwn.net
Removal of any signatures system

Posted Apr 12, 2018 17:43 UTC (Thu) by anarcat (subscriber, #66354)
In reply to: Removal of any signatures system by sumanah
Parent article: A new package index for Python

I understand. I did not quite phrase my comment correctly. :) What I was trying to say is that I'm worried about the trend of removing that certification mechanism while the newer ones are not in place yet. I understand that the system still somewhat works, but it's getting less and less useful and we don't have a good replacement ready.

For example, others have pointed out that the system is already sort of broken if you can't update the keys: for example, my certification key expires once a year and I need to update it in a few places like this to keep it working...

Right now, I feel the only integrity/authentication system that is effectively in place is really HTTPS and the X509 cartel, and the trust that we have in the integrity of the host(s) running PyPI. If any single component in there gets compromised, it's basically game over.


Removal of any signatures system

Posted Apr 12, 2018 18:44 UTC (Thu) by dstufft (guest, #93456)

> What I was trying to say is that I'm worried about the trend of removing that certification mechanism while the newer ones are not in place yet. I understand that the system still somewhat works, but it's getting less and less useful and we don't have a good replacement ready.

The system still works almost entirely the same as it always has, the only differences are we're not exposing the signature in the UI anymore, and you no longer have a little text field to publish what your public key identity is for a specific user.

We've removed the PGP signatures from the UI in an attempt to de-emphasize them. They are largely pointless in their current implementation because they lack a coherent trust model that applies to the packaging domain. You could build a secure package signing protocol on top of PGP, but you'd do so by effectively throwing out the WOT portions of PGP. Personally I'd rather remove them entirely, because I think they are 99% security theater in their current implementation, but folks argued against doing that until the replacement was in place, and the code was already written to support them, so I conceded.

As far as the removal of the little text field to publish your public key, that is gone in the new PyPI because it was 100% pointless. I don't think it was even exposed to end users anywhere, but if it was, you couldn't actually use it for anything. If you're trying to design a secure cryptosystem on top of the features that PyPI has, the only point in that field would be to make an HTTPS request to PyPI to ask what the author's public key is so you could verify that the signature was made by an authorized key. However at that point you're trusting HTTPS to tell you who to trust to sign a package, and if you assume HTTPS is not trustworthy, then a malicious attacker could just tell you to use their own key rather than the author's key. So at that point any system which used that was effectively as secure as relying only on HTTPS.

Removal of any signatures system

Posted Apr 12, 2018 21:43 UTC (Thu) by anarcat (subscriber, #66354)

In the Debian packaging workflow, OpenPGP certifications are useful. The workflow goes a bit like this:

1. software gets packaged in Debian
2. linting tools warn that PGP signatures could be checked
3. maintainer checks if upstream tarballs have a signature
4. if they do, the public key responsible for the signature is added to the Debian package
5. future updates to the package will verify the tarball with the signature, using a TOFU model

In step 4, it is useful to have the key available from PyPI instead of fishing it outside. Inciting maintainers to publish their keys on PyPI also helps in making that model work.

But again, I understand where you're coming from and I am very thankful and happy for the new PyPI. It seems you have done an awesome job with a huge project, and I didn't mean to nitpick on this pet peeve of mine. ;) So: congrats, and I'm curious to see what TUF in PyPI will look like in the future!
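The two comments above disagree about what a signature buys you, and the disagreement is really about where the verifying key comes from. The following is an added example, not code from the thread, from PyPI or from Debian's tooling: it models dstufft's point (a key fetched from the index over HTTPS is only as trustworthy as HTTPS) next to anarcat's step 5 (a key pinned with the package, trust-on-first-use). Textbook RSA over SHA-256 stands in for OpenPGP so the script runs offline; it is a teaching toy with no padding and is not a usable signature scheme. The index contents, package names and seeds are constructed for the demo.

```python
"""Key-from-index versus pinned-key (TOFU) verification, as a toy model."""
import hashlib
import math
import random


def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def keygen(seed, bits=256):
    """Toy RSA keypair ((n, e), (n, d)); seeded so the demo is reproducible."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits, rng), _random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    n, d = priv
    return pow(_digest(data), d, n)  # n is ~512 bits, so the 256-bit digest fits


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data)


def make_index(tarball, signer_priv, advertised_pub):
    """What an index (honest or attacker-controlled) serves a client over HTTPS."""
    return {"tarball": tarball, "sig": sign(signer_priv, tarball), "pubkey": advertised_pub}


def verify_key_from_index(index):
    """Policy A: trust whichever key the index says belongs to the author."""
    return verify(index["pubkey"], index["tarball"], index["sig"])


def verify_pinned(index, pinned_pub):
    """Policy B: verify against a key stored with the package (Debian's
    debian/upstream/signing-key.asc); the advertised key is ignored."""
    return verify(pinned_pub, index["tarball"], index["sig"])


class TofuStore:
    """Trust on first use: pin the key seen on the first fetch, check later fetches against it."""

    def __init__(self):
        self.pins = {}

    def check(self, name, index):
        pinned = self.pins.setdefault(name, index["pubkey"])
        return verify_pinned(index, pinned)


def demo():
    author_pub, author_priv = keygen(seed=1)
    attacker_pub, attacker_priv = keygen(seed=2)
    honest = make_index(b"pkg-1.0.tar.gz: constructed genuine contents", author_priv, author_pub)
    # Index host or TLS path compromised: attacker serves own tarball, signature AND key.
    hostile = make_index(b"pkg-1.1.tar.gz: constructed backdoored contents", attacker_priv, attacker_pub)
    tofu = TofuStore()
    return {
        "index_key_honest": verify_key_from_index(honest),    # True
        "index_key_hostile": verify_key_from_index(hostile),  # True: the "signature checks out"
        "pinned_honest": verify_pinned(honest, author_pub),   # True
        "pinned_hostile": verify_pinned(hostile, author_pub), # False
        "tofu_first": tofu.check("pkg", honest),              # True, pins the author's key
        "tofu_later": tofu.check("pkg", hostile),             # False, key change rejected
    }
```

Policy A accepts the hostile index because the attacker controls both the signature and the key it is checked against, which is exactly why a key field served by the index adds nothing over HTTPS. Policy B only helps as much as the first pin was right, which is the limit of TOFU that the Debian workflow accepts; a key rotation like the yearly expiry mentioned above then needs the pinned file updated deliberately, not silently.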


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.