[tbb-dev] A proposal for signing commits with gpg

Matthew Finkel sysrqb at torproject.org
Tue Apr 28 23:37:35 UTC 2020


On Tue, Apr 28, 2020 at 04:42:47PM +0200, Nicolas Vigier wrote:
> Hi,
> 
> Attached is a proposal for signing commits with gpg.

Thanks!

> 
> I also added it to this branch (using number 104, although this number
> can still change before merging):
> https://gitweb.torproject.org/user/boklm/tor-browser-spec.git/commit/?h=bug_34046&id=66abcf2003c5131b24ea17d4eb164a42bff9c193
> 
> Nicolas
> 
[snip]
> 1. Motivation
> 
>   While building stable or alpha Tor Browser releases, we verify all
>   inputs using one of the following methods:
>    - verifying the checksum of downloaded files
>    - verifying the gpg signature of downloaded files
>    - verifying the gpg signature on git tags
>    - using a known git commit hash
> 
>   In nightly builds however, we need to use the master branch of some
>   components, without checking that the commit is signed. An attacker
>   who manages to take control of our git repository could potentially
>   compromise our build machines in this way. In order to remove this
>   possibility, we should sign and verify commits on all master branches
>   used in the nightly builds.

Recently I was thinking about this, too. I've seen some people dislike
signing git commits from a technical perspective, but that's because
they usually think people misuse commit signing in place of signed tags.
As I understand commit signing, your proposal uses commit signing in a
useful way. This requires a combination of compromising someone's PGP
key and either gaining control of the git server or obtaining someone's
ssh key, at least.

> 
> 2. Proposal
[snip]
> 2.2 Git repositories which should have signed commits
> 
>   The master commit of tor-browser-build.git should be signed by one of
>   the members of the Tor Browser team. Additionally, all components
>   included in Tor Browser, where the master branch is used in our
>   nightly build, should have their master commit signed by one of the
>   maintainers of those repositories.
> 
>   The current list of repositories where we use the master branch in
>   nightly builds is:
> 
>     https://git.torproject.org/pluggable-transports/goptlib.git
>     https://git.torproject.org/pluggable-transports/obfs4.git
>     https://git.torproject.org/tor-launcher.git
>     https://git.torproject.org/tor-browser.git
>     https://git.torproject.org/tor.git

As an additional step, we can shorten this list. I know there are
benefits to testing the master branch, but maybe that's not worth the
extra complexity for all of these projects. In particular, obfs4 and
goptlib are not changing frequently.

Imposing the requirement that all new commits in tor.git are signed may
be difficult. That is a conversation we should have on tor-dev at .

For tor-browser and tor-launcher, I'm in favor of moving toward this
requirement. I'll go further and suggest we follow the same process for
torbutton and tor-browser-build, but that's outside the scope of this
proposal.

Thanks,
Matt
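
Added example, not part of the original message or of tor-browser-build: one way a nightly build could check that the tip of a master branch is signed by a maintainer, by pinning the primary-key fingerprint reported by `git verify-commit --raw` to an allowlist instead of accepting any key present in the keyring. The function names, fingerprints and sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a branch tip only if it is signed by an allowlisted key.
# Fingerprints and the sample status text are constructed placeholders.

# signer_allowed STATUS ALLOWLIST
#   STATUS:    gpg status lines, as printed by `git verify-commit --raw`
#   ALLOWLIST: whitespace-separated primary-key fingerprints of maintainers
# Succeeds only when at least one VALIDSIG line is present, every VALIDSIG
# names an allowlisted primary key, and no bad/expired/revoked status appears.
signer_allowed() {
    printf '%s\n' "$1" | ALLOW="$2" awk '
        BEGIN {
            n = split(ENVIRON["ALLOW"], a, /[ \t\n]+/)
            for (i = 1; i <= n; i++) if (a[i] != "") ok[toupper(a[i])] = 1
        }
        $1 != "[GNUPG:]" { next }
        # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key.
        $2 == "VALIDSIG" {
            if (NF >= 12 && (toupper($12) in ok)) good = 1; else bad = 1
        }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && !bad) }
    '
}

# verify_tip REPO REF ALLOWLIST
# git writes the --raw status to stderr and exits non-zero for an unsigned
# or unverifiable commit, so both the exit code and the signer are checked.
verify_tip() {
    status=$(git -C "$1" verify-commit --raw "$2" 2>&1 >/dev/null) || return 1
    signer_allowed "$status" "$3"
}

# Constructed sample: a good signature made by a subkey of primary key KEY_A.
KEY_A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
KEY_B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
SUBKEY=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CCCCCCCCCCCCCCCC Constructed Maintainer <maint@example.invalid>
[GNUPG:] VALIDSIG $SUBKEY 2020-04-28 1588100000 0 4 0 1 10 00 $KEY_A"
SAMPLE_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG CCCCCCCCCCCCCCCC Constructed Maintainer <maint@example.invalid>"
```

A build step would call `verify_tip` on the fetched clone with the maintainers' fingerprints and stop when it returns non-zero.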