Traditionally the integrity of third-party software downloaded from the Internet has been verified with MD5. The MD5 sums are stored in the FreeBSD CVS repository. This has been useful for discovering Trojans. Many software vendors, e.g. Werner Koch of GnuPG, sign their software with their PGP key. Should the FreeBSD ports collection support automatic verification of these signatures?
It would increase security for FreeBSD users if these signatures could be verified during installation. I have started to add support for gpg signatures to some of my ports (irc/bitchx, security/libgcrypt, security/libksba). Sergei Kolobov was inspired by this and submitted a patch for bsd.port.mk. Jason Harris started pushing changes into the ports tree, which resulted in some valuable feedback.
Summary: Using PGP just because it is hip does not improve security. The following issues need to be resolved:
- Where should the signature files be stored?
  - In the ports CVS repository. Advantage: trusted. Disadvantage: inodes wasted on every FreeBSD installation.
  - On the master site. Advantage: signatures can easily be updated by the vendor. Disadvantage: untrusted.
  - On the FreeBSD FTP mirrors. Advantage: trusted. Disadvantage: someone needs to upload the signatures to the mirror servers.
- How do the necessary keys get into the keyring of the user installing the software?
  - Fetch from the user's favourite keyserver. Disadvantage: some PGP keyservers are seriously out of sync.
  - Distribute the keys via the FreeBSD infrastructure, either via cvsup or ftp. Disadvantage: requires additional resources from the FreeBSD project.
  - Maintain a list of synced PGP keyservers in the ports collection.
- Where on the user's hard disk should the keys be stored?
  - In WRKDIR. Disadvantage: the keys have to be refetched every time the port is updated.
  - In the user's default keyring. Disadvantage: a keyring gets created in /root/.gnupg, and gnupg has problems when run under sudo.
  - In a central place in the ports collection.
- How does the user get a trust path to the software vendor's keys?
  - Rely on the user's Web of Trust. Disadvantage: most users and some software vendors are not connected to the Web of Trust.
  - Sign the keys with a FreeBSD.org key. Disadvantage: additional work for the FreeBSD committers.
- Since GnuPG is GPL software, we should either make the PGP signature checking optional or support other OpenPGP-compatible software.
It looks like there is no easy solution, but I still hope that we will be able to support PGP signatures soon. I have probably forgotten some points, so I would like to see feedback either here in this blog or on the freebsd-ports mailing list.
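To make the keyring-location and trust-path points concrete, here is an added example of how a port's fetch step could verify a detached signature. It is not code from the original post or from bsd.port.mk. It assumes a central keyring directory under the ports tree (PORTS_KEYDIR, here /usr/ports/Keys) so that gpg never touches /root/.gnupg, and it assumes the port pins the vendor's key fingerprint (SIGNING_FPR) in its Makefile, so the decision does not depend on the user's Web of Trust. The function names, the directory and the fingerprint are assumptions; the gpg status lines at the bottom are constructed sample data.

```sh
#!/bin/sh
# Added example, not code from the original post or from bsd.port.mk.
# Verifies a detached OpenPGP signature over a port's distfile using a keyring
# kept in one central place under the ports tree, and accepts the signature
# only if it was made by the key fingerprint the port itself pins.
# PORTS_KEYDIR, SIGNING_FPR and the function names are assumptions.

PORTS_KEYDIR="${PORTS_KEYDIR:-/usr/ports/Keys}"   # assumed central keyring directory

# check_gpg_status STATUSFILE EXPECTED_FPR
# Parses the machine-readable lines gpg writes to --status-fd and succeeds only
# if a VALIDSIG line carries the pinned fingerprint and no failure line appears.
# A GOODSIG line alone is not enough: it says *a* key in the keyring signed the
# file, not that it was the vendor's key the port expects.
check_gpg_status() {
    status_file="$1"
    expected="$2"
    valid=0
    bad=0
    while read -r tag kw fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            VALIDSIG)
                [ "$fpr" = "$expected" ] && valid=1
                ;;
            BADSIG|ERRSIG|NO_PUBKEY|REVKEYSIG|EXPKEYSIG)
                bad=1
                ;;
        esac
    done < "$status_file"
    [ "$valid" -eq 1 ] && [ "$bad" -eq 0 ]
}

# verify_distfile DISTFILE SIGFILE EXPECTED_FPR
# Runs gpg against the central ports keyring only. --homedir keeps gpg away
# from /root/.gnupg (nothing is created there, so sudo changes nothing), and
# --trust-model always silences Web-of-Trust warnings because the trust
# decision is made by the pinned fingerprint, not by who signed the vendor key.
verify_distfile() {
    distfile="$1"
    sigfile="$2"
    expected="$3"
    status_tmp=$(mktemp) || return 1
    # gpg's exit status is deliberately ignored: the status lines decide.
    gpg --batch --quiet --homedir "$PORTS_KEYDIR" --trust-model always \
        --status-fd 3 --verify "$sigfile" "$distfile" \
        3>"$status_tmp" >/dev/null 2>&1 || :
    check_gpg_status "$status_tmp" "$expected"
    rc=$?
    rm -f "$status_tmp"
    return "$rc"
}

# Stand-alone demonstration with constructed gpg status output (no gpg needed).
SIGNING_FPR="0123456789ABCDEF0123456789ABCDEF01234567"   # constructed, not a real key
demo_status=$(mktemp) || exit 1
printf '%s\n' \
    "[GNUPG:] NEWSIG" \
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Vendor <vendor@example.org>" \
    "[GNUPG:] VALIDSIG $SIGNING_FPR 2004-01-01 1072915200 0 4 0 1 2 00 $SIGNING_FPR" \
    "[GNUPG:] TRUST_FULLY" > "$demo_status"
if check_gpg_status "$demo_status" "$SIGNING_FPR"; then
    echo "signature made by the pinned key: OK"
else
    echo "signature not acceptable"
fi
rm -f "$demo_status"
```

In a port, `verify_distfile` would be called from the fetch or extract target with the distfile, its `.sig` file from wherever the signatures end up being stored, and the `SIGNING_FPR` pinned in the Makefile. Pinning the full fingerprint also means that a key fetched from an out-of-sync keyserver, or a stray key that somehow landed in the central keyring, cannot satisfy the check.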