
While installing some dependencies I came across this.

[screenshot]

What security is gained when validating a download with an OpenPGP key downloaded from the same source, besides the corruption of the file?

Jens Erat
Adam
  • Pretty much none by itself if it’s like yarn and you only download it this way once and use the package manager itself for future upgrades, but you can check the key’s fingerprint against other people’s copies, against other installations you might have made, or against other more trustworthy sources. Can’t do that as effectively with `latest.tar.gz` itself because it changes. – Ry- Oct 15 '17 at 08:52
  • Probably you can validate the GPG key with its signatures. – i486 Oct 15 '17 at 08:52
  • I consider this question very well on topic for Stack Overflow, as it discusses fetching keys from repositories in a development environment. – Jens Erat Oct 15 '17 at 09:48

1 Answer


There are several reasons for providing the key at the same source.

Trust on First Use

This concept expects that the download source is not compromised when you access it for the first time -- for example, during the development phase from some development client. Explicitly pinning the key to the one downloaded protects you from attacks on the download source during later phases, for example for unattended builds on some build server.

Fetching an Updated Copy of the Key

A key location next to the source code is very handy if you already know the fingerprint of the primary key (i.e., pinned the key as discussed above), but want to update the key with respect to subkeys, certifications, and user IDs without accessing key servers. Lots of enterprise build servers have very strict firewall rules set up, and accessing key servers might be out of scope (but you obviously have access to the source code for building it). Also, you often want to remove access to third-party resources as they imply another source of issues like availability, ...

Especially updating subkeys is very important: a good OpenPGP practice is to have a long-lasting primary key and to exchange subkeys at given intervals, or to use different subkeys for different build servers. By pinning the primary key's fingerprint and importing a fresh copy of the key each time you validate a third-party resource, you can be sure about having an up-to-date copy of the key including subkeys.

A Starting Point to Validate the Key

OpenPGP keys can have certifications by other keys on them. After importing, there is probably no trust path from other validated and trusted OpenPGP keys yet, but having the key and its certifications imported is a starting point for finding such a path. For example, developers of an open source project might certify the project key.

Fetching the unvalidated key from the source repository is a starting point for performing such a validation.

Jens Erat
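The answer's first two points (pin the primary key's fingerprint once, then re-import the key shipped next to the source on every build so that rotated subkeys come along) translate into a small check a build server can run. The following is an added example, not code from the question, the answer, or any project; the `gpg --with-colons` listing and the fingerprints in it are constructed placeholders, and the `verify_with_gpg` helper assumes a `gpg` binary on PATH and relies on GnuPG's `--status-fd` `VALIDSIG` record, whose last field is the primary-key fingerprint of the signer.

```python
"""Trust-on-first-use pinning of an OpenPGP primary key fingerprint.

Added example. The colon-format listing below is constructed for illustration;
the fingerprints are placeholders, not any real project's key.
"""
import hmac
import os
import subprocess
import tempfile

# Recorded once, at first use, and kept in the build configuration from then on
# (constructed placeholder value).
PINNED_PRIMARY_FPR = "1234567890ABCDEF1234567890ABCDEF12345678"

# Constructed sample of `gpg --with-colons --with-fingerprint --list-keys` output:
# one primary key (pub) with its fpr record, a user ID, and one signing subkey (sub).
SAMPLE_COLONS = """\
pub:-:4096:1:1234567890ABCDEF:1500000000:::-:::scESC::::::23::0:
fpr:::::::::1234567890ABCDEF1234567890ABCDEF12345678:
uid:-::::1500000000::0000000000000000000000000000000000000000::Example Project <release@example.invalid>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1500000000::::::s::::::23:
fpr:::::::::FEDCBA0987654321FEDCBA0987654321FEDCBA09:
"""


def normalize_fpr(fpr: str) -> str:
    """Drop the 4-character grouping gpg prints and upper-case hex digits."""
    return "".join(fpr.split()).upper()


def parse_fingerprints(colons: str) -> dict:
    """Return {'primary': fpr, 'subkeys': [...]} from --with-colons output.

    An `fpr` record holds the fingerprint in field 10 (index 9). The `fpr`
    record following a `pub` record is the primary key's fingerprint; those
    following `sub` records belong to subkeys. Only the first key is used,
    since one pin covers exactly one primary key.
    """
    primary, subkeys, current = None, [], None
    for line in colons.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            if primary is not None:
                break  # a second key in the listing: out of scope for this pin
            current = "pub"
        elif rec == "sub":
            current = "sub"
        elif rec == "fpr" and len(fields) > 9:
            if current == "pub" and primary is None:
                primary = fields[9]
            elif current == "sub":
                subkeys.append(fields[9])
            current = None
    return {"primary": primary, "subkeys": subkeys}


def matches_pin(colons: str, pinned: str) -> bool:
    """True when the listed primary key carries the pinned fingerprint.

    Subkeys are deliberately not compared: they are expected to rotate, and a
    fresh import is exactly how the new ones arrive.
    """
    keys = parse_fingerprints(colons)
    if keys["primary"] is None:
        return False
    return hmac.compare_digest(normalize_fpr(keys["primary"]), normalize_fpr(pinned))


def verify_with_gpg(key_path: str, sig_path: str, artifact_path: str,
                    pinned: str = PINNED_PRIMARY_FPR) -> bool:
    """Import the freshly fetched key into a throwaway keyring, check the pin,
    then verify the detached signature and require that the signing (sub)key
    belongs to the pinned primary key. Assumes `gpg` on PATH (not run offline).
    """
    with tempfile.TemporaryDirectory() as home:
        env = dict(os.environ, GNUPGHOME=home)
        subprocess.run(["gpg", "--batch", "--import", key_path],
                       env=env, check=True, capture_output=True)
        listing = subprocess.run(
            ["gpg", "--batch", "--with-colons", "--with-fingerprint", "--list-keys"],
            env=env, check=True, capture_output=True, text=True).stdout
        if not matches_pin(listing, pinned):
            raise RuntimeError("fetched key does not match the pinned primary fingerprint")
        status = subprocess.run(
            ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, artifact_path],
            env=env, capture_output=True, text=True).stdout
        for line in status.splitlines():
            # VALIDSIG's last field is the primary-key fingerprint of the signer,
            # so a signature from a rotated subkey still resolves to the pin.
            if line.startswith("[GNUPG:] VALIDSIG "):
                if hmac.compare_digest(normalize_fpr(line.split()[-1]), normalize_fpr(pinned)):
                    return True
        raise RuntimeError("no valid signature by the pinned key")


if __name__ == "__main__":
    print("sample listing matches pin:", matches_pin(SAMPLE_COLONS, PINNED_PRIMARY_FPR))
```

The throwaway `GNUPGHOME` keeps the build server's own keyring out of the picture, so the only key that can validate the artifact is the one just fetched, and that key is only accepted if its primary fingerprint equals the value recorded at first use.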