Stream: Coq devs & plugin devs

Topic: Verifying signatures of Coq release tarballs


view this post on Zulip Karl Palmskog (Jun 15 2020 at 08:10):

does an RM sign source tarballs? If not, why not?

view this post on Zulip Karl Palmskog (Jun 15 2020 at 10:12):

I think it makes sense (in adversarial settings) that one should be able to verify that the tarball checksum of a Coq release is endorsed by the RM, e.g., it could be that someone who is not the RM edits the GitHub release posthoc, submits updated package with updated checksum to OPAM, which we then all install. With proper signing, and under normal crypto assumptions, this could only happen if the RM GPG key was compromised.

Moreover, this is also an argument for better advertisement/visibility of RMs and their respective public keys.

view this post on Zulip Enrico Tassi (Jun 15 2020 at 11:43):

We do sign merge commits and tags as devs. I was expecting the tarballs to be just a git archive of a signed tag? Isn't it the case? Before git we were putting tarballs on a website and signing a asc file IIRC, but with git I don't see the point of it (the tarball is a reproducible artifact of a signed tag)

view this post on Zulip Karl Palmskog (Jun 15 2020 at 11:45):

for 8.11.2, the commit signature is different from the fingerprint given by Pierre-Marie above: 7922C01FD9BA3C7B

view this post on Zulip Karl Palmskog (Jun 15 2020 at 11:47):

where are we supposed to look to connect GitHub accounts with keyserver identities?

view this post on Zulip Karl Palmskog (Jun 15 2020 at 11:49):

to be honest, reproducing tarballs from a Git commit is a chore, has anyone verified that this works reliably? That is, bit-level equality can be obtained with the "official" tarball.

view this post on Zulip Enrico Tassi (Jun 15 2020 at 11:49):

Screenshot-from-2020-06-15-13-47-36.png

view this post on Zulip Karl Palmskog (Jun 15 2020 at 11:49):

yes, I am saying that the signature is different from what is given above here

view this post on Zulip Enrico Tassi (Jun 15 2020 at 11:50):

let me check...

view this post on Zulip Enrico Tassi (Jun 15 2020 at 11:52):

$ git verify-commit 1539a9a0d894ea9e24e3d0e163006d6477646ec6
gpg: Signature made jeu. 14 mai 2020 22:29:39 CEST
gpg:                using RSA key BA47A91F9104E72184D70F6D7922C01FD9BA3C7B

view this post on Zulip Karl Palmskog (Jun 15 2020 at 11:56):

so how do I reproduce the tarball from that locally?

view this post on Zulip Enrico Tassi (Jun 15 2020 at 11:56):

(but it is not in my keyring, I'll try to download later)

view this post on Zulip Enrico Tassi (Jun 15 2020 at 11:59):

Google says git archive --format=tar.gz -o /tmp/my-repo.tar.gz --prefix=my-repo/ master, I don't know if they use the exact same command. I've to go now

view this post on Zulip Enrico Tassi (Jun 15 2020 at 12:07):

gares@ollypat:~/COQ/master$ wget https://github.com/coq/coq/archive/V8.11.2.tar.gz
...
gares@ollypat:~/COQ/master$ sha256sum V8.11.2.tar.gz
98cb9e12ba2508a1ca59e0c638fce27bf95c37082b6f7ce355779b80b25e1bfd  V8.11.2.tar.gz
gares@ollypat:~/COQ/master$ git archive --format=tar.gz --prefix=coq-8.11.2/ -o /tmp/x.tar.gz V8.11.2
gares@ollypat:~/COQ/master$ sha256sum /tmp/x.tar.gz
98cb9e12ba2508a1ca59e0c638fce27bf95c37082b6f7ce355779b80b25e1bfd  /tmp/x.tar.gz

view this post on Zulip Enrico Tassi (Jun 15 2020 at 12:08):

everything looks in order to me, but I don't have a "proof" that the key belongs to PMP, I've never keysigned with him.

view this post on Zulip Enrico Tassi (Jun 15 2020 at 12:09):

Enrico Tassi said:

$ git verify-commit 1539a9a0d894ea9e24e3d0e163006d6477646ec6
gpg: Signature made jeu. 14 mai 2020 22:29:39 CEST
gpg:                using RSA key BA47A91F9104E72184D70F6D7922C01FD9BA3C7B

@Pierre-Marie Pédrot do you have a time machine ;-)

view this post on Zulip Enrico Tassi (Jun 15 2020 at 12:10):

It says 14 May ;-)

view this post on Zulip Karl Palmskog (Jun 15 2020 at 12:11):

I see, the main disconnection I see is then between BA47A91F9104E72184D70F6D7922C01FD9BA3C7B and 7922C01FD9BA3C7B. I guess there is some git command stuff for that?

view this post on Zulip Enrico Tassi (Jun 15 2020 at 12:12):

Key "ids" are the long thing, you got the last bytes there (this is usually the "short id" of a key)

view this post on Zulip Enrico Tassi (Jun 15 2020 at 12:13):

It works like git sha1, but IIRC you take the tail rather than the head ;-)

view this post on Zulip Karl Palmskog (Jun 15 2020 at 12:14):

OK thanks, if you don't mind I will post this to the Coq wiki (if something similar is not already there)

view this post on Zulip Enrico Tassi (Jun 15 2020 at 12:15):

The only missing bit, on my PC, is that I've never keysigned with @Pierre-Marie Pédrot so he never told me in person that that fingerprint is indeed his. He did in this chat, but he was not even trolling a bit, so I can't be 100% sure he was himself ;-)

view this post on Zulip Enrico Tassi (Jun 15 2020 at 12:15):

You are welcome to do that.

view this post on Zulip Karl Palmskog (Jun 15 2020 at 12:16):

you seem to have cross-signed with him? https://pgp.cs.uu.nl/stats/7922c01fd9ba3c7b.html

view this post on Zulip Enrico Tassi (Jun 15 2020 at 12:17):

oops, then my local db is not up to date, let me fetch

view this post on Zulip Enrico Tassi (Jun 15 2020 at 12:18):

Oh yes. Then the tarball is definitely his work!
```gares@ollypat:~/COQ/document-manager$ gpg --receive-keys BA47A91F9104E72184D70F6D7922C01FD9BA3C7B
gpg: key 7922C01FD9BA3C7B: 4 signatures not checked due to missing keys
gpg: key 7922C01FD9BA3C7B: public key "Pierre-Marie Pédrot (pierre-marie.pedrot@irif.fr) <pierre-marie.pedrot@irif.fr>" imported
gpg: marginals needed: 3 completes needed: 1 trust model: classic
gpg: depth: 0 valid: 5 signed: 31 trust: 0-, 0q, 0n, 0m, 0f, 5u
gpg: depth: 1 valid: 31 signed: 26 trust: 29-, 0q, 0n, 0m, 2f, 0u
gpg: depth: 2 valid: 7 signed: 14 trust: 6-, 0q, 0n, 0m, 1f, 0u
gpg: next trustdb check due at 2020-08-04
gpg: Total number processed: 1
gpg: imported: 1
gares@ollypat:~/COQ/document-manager$ git verify-commit 1539a9a0d894ea9e24e3d0e163006d6477646ec6
gpg: Signature made jeu. 14 mai 2020 22:29:39 CEST
gpg: using RSA key BA47A91F9104E72184D70F6D7922C01FD9BA3C7B
gpg: Good signature from "Pierre-Marie Pédrot (pierre-marie.pedrot@irif.fr) <pierre-marie.pedrot@irif.fr>" [unknown]
gpg: aka "Pierre-Marie Pédrot <pierre-marie.pedrot@inria.fr>" [full]


view this post on Zulip Karl Palmskog (Jun 15 2020 at 12:18):

of course, nobody has verified that PMP is the RM of 8.11. Arguably this would/should be done by Matthieu? Also, if there are two RMs, shouldn't they both sign the tag/commit? (Yes, pushing this way too far, but for sake of argument)

view this post on Zulip Théo Zimmermann (Jun 15 2020 at 12:45):

Karl Palmskog said:

of course, nobody has verified that PMP is the RM of 8.11. Arguably this would/should be done by Matthieu? Also, if there are two RMs, shouldn't they both sign the tag/commit? (Yes, pushing this way too far, but for sake of argument)

Aren't you going a bit far? The RM is written down in the changelog in the manual (which is in the sources (where all PRs are integrated through signed merge commits)).

view this post on Zulip Karl Palmskog (Jun 15 2020 at 12:46):

ah, but do those changelogs specify the signatures/keys of the RMs?

view this post on Zulip Théo Zimmermann (Jun 15 2020 at 12:47):

Ah no, they don't.

view this post on Zulip Théo Zimmermann (Jun 15 2020 at 12:47):

Since we are signing merge commits, I think we should organize key signing parties next time we meet physically.

view this post on Zulip Enrico Tassi (Jun 15 2020 at 12:50):

I don't see the problem is with the scenario "trusted dev X makes a release without being (officially) appointed RM".

view this post on Zulip Karl Palmskog (Jun 15 2020 at 12:50):

extremely paranoid people like myself would consider it suspicious

view this post on Zulip Karl Palmskog (Jun 15 2020 at 12:51):

https://github.com/coq/coq/wiki/VerifyingReleases

view this post on Zulip Enrico Tassi (Jun 15 2020 at 12:52):

Thanks for the write up, +1 for key signing parties.

view this post on Zulip Karl Palmskog (Jun 15 2020 at 12:53):

btw, isn't this kind of stuff something that would be required for Common Criteria certification and similar?

view this post on Zulip Karl Palmskog (Jun 15 2020 at 12:59):

OK, so the process for PM certification would be something like the following:

view this post on Zulip Karl Palmskog (Jun 15 2020 at 13:06):

this would all break down if RM #n got ill or similar, which is why it makes sense to have two RMs per release.

view this post on Zulip Pierre-Marie Pédrot (Jun 15 2020 at 13:13):

extremely paranoid people like myself would consider it suspicious

You should consider all my kernel patches to be extremely suspicious then...

view this post on Zulip Karl Palmskog (Jun 15 2020 at 13:16):

there is no protection here against RMs going rogue (or failing to prevent other contributors from going rogue), but at least one can trace a chain of successors, so it will go down in flames like Aurelius passing the Roman Empire to Commodus, rather than by barbarian invasion

view this post on Zulip Pierre-Marie Pédrot (Jun 15 2020 at 13:19):

first time I see summoning Roman history to explain trust in software development...

view this post on Zulip Karl Palmskog (Jun 15 2020 at 13:47):

ah, glad I had the opportunity before it becomes a Watson'ing offense...

view this post on Zulip Cyril Cohen (Jun 15 2020 at 14:49):

Karl Palmskog said:

so how do I reproduce the tarball from that locally?

In mathcomp I reproduce the tarballs locally in etc/utils/packager, I reverse engineered the following:

ARCHIVE=$(mktemp)
PREFIX=$(echo math-comp-$TAG | sed "s/\+/-/")
git archive --format=tgz --output=$ARCHIVE \
    --prefix=$PREFIX/ $TAG # reproduce github archive
SUM=$(sha256sum $ARCHIVE | cut -d " " -f 1)

(given ARCHIVEURL="https://github.com/math-comp/math-comp/archive/$TAG.tar.gz" )

view this post on Zulip Karl Palmskog (Jun 15 2020 at 14:53):

@Cyril Cohen so do you also have a "rolling RM" system for MathComp now?

view this post on Zulip Cyril Cohen (Jun 15 2020 at 14:54):

Karl Palmskog said:

Cyril Cohen so do you also have a "rolling RM" system for MathComp now?

We do.

view this post on Zulip Karl Palmskog (Jun 15 2020 at 14:57):

ah, then I will have to be (equally?) paranoid there as well. I hope a few MC devs get included in any future keysigning party.

view this post on Zulip Cyril Cohen (Jun 15 2020 at 14:58):

Karl Palmskog said:

ah, then I will have to be (equally?) paranoid there as well. I hope a few MC devs get included in any future keysigning party.

We do not sign the releases anyway :oops: but we should start asap

view this post on Zulip Enrico Tassi (Jun 15 2020 at 15:00):

We should sign the tags!

view this post on Zulip Enrico Tassi (Jun 15 2020 at 15:01):

Note that GH does a "soft signature" of tags you create from the web UI IIRC

view this post on Zulip Enrico Tassi (Jun 15 2020 at 15:02):

(I don't know what it does exactly, but you a get a non-gpg verified label somewhere. I belieev it means verifies w.r.t. GH authentication, which you may not trust, but is better than an anonymous push)

view this post on Zulip Karl Palmskog (Jun 15 2020 at 15:03):

Cyril Cohen said:

We do not sign the releases anyway :oops: but we should start asap

I hope you can also pinpoint future RMs (and ideally their keys) in your CHANGELOG.md

view this post on Zulip Enrico Tassi (Jun 15 2020 at 15:06):

My "problem" with this signature is that I'd like MC release process to be OK for non geeks to. Here https://github.com/math-comp/math-comp/wiki/Howto-Release#release I suggested to do the tag via GH (which does the soft signing) since GPG has a masochistic UI and I would not inflict it on anyone. I believe my motivation/opinion on this is not unanimous, but at least explain how things are in MC.

view this post on Zulip Théo Zimmermann (Jun 15 2020 at 15:08):

I care very much for accessibility of the contributing process too.

view this post on Zulip Théo Zimmermann (Jun 15 2020 at 15:08):

And our requirement of signing merge commits is a barrier of entry, which I hoped to lift by making it possible for members of the pushers team to merge by calling the bot to the rescue.

view this post on Zulip Enrico Tassi (Jun 15 2020 at 15:08):

Similarly I'm not happy switching MC to a script-based merge process as we do in Coq, or push the process towards the tons of rebases we do in Coq, but I never had to push too much for this.

view this post on Zulip Enrico Tassi (Jun 15 2020 at 15:10):

Asking a non-geek "hey, please rebase since there is a trivial conflict in the changes files" seems like shooting yourself in the foot to me.

view this post on Zulip Enrico Tassi (Jun 15 2020 at 15:10):

We do this a lot in Coq (but not for the changes...)

view this post on Zulip Enrico Tassi (Jun 15 2020 at 15:11):

I'm not saying it is wrong in the context of Coq, but I believe MC users and potential contributors are less acquainted to git or gpg gimmicks.

view this post on Zulip Karl Palmskog (Jun 15 2020 at 15:12):

simple rebase is one thing and is at least in the realm of being teachable, but I think the limit may be at: "please refactor your commits into 5 units with the following granularity and commit message format"

view this post on Zulip Enrico Tassi (Jun 15 2020 at 15:15):

Believe me when I say that even convincing some users to fire up gitk to actually see the status of thie branch is not obvious ;-) (with the objective of then explaining the command line gimmicks in terms of actions on the DAG). I would rule out rebase completely.

view this post on Zulip Enrico Tassi (Jun 15 2020 at 15:16):

The PR assignee can do it of course, but asking the contributors... it really depends if you know the contributor IMO.

view this post on Zulip Théo Zimmermann (Jun 15 2020 at 15:23):

Yep, when you don't know the contributor, it might be a good idea for the PR assignee to take care of trivial rebases, especially when this is the last thing blocking a merge.


Last updated: Oct 16 2021 at 07:02 UTC