[tbb-dev] A proposal for signing commits with gpg
Georg Koppen
gk at torproject.org
Wed Apr 29 06:03:58 UTC 2020
Matthew Finkel:
> On Tue, Apr 28, 2020 at 04:42:47PM +0200, Nicolas Vigier wrote:
>> Hi,
>>
>> Attached is a proposal for signing commits with gpg.
>
> Thanks!
>
>>
>> I also added it to this branch (using number 104, although this number
>> can still change before merging):
>> https://gitweb.torproject.org/user/boklm/tor-browser-spec.git/commit/?h=bug_34046&id=66abcf2003c5131b24ea17d4eb164a42bff9c193
>>
>> Nicolas
>>
> [snip]
>> 1. Motivation
>>
>> While building stable or alpha Tor Browser releases, we verify all
>> inputs using one of the following methods:
>> - verifying the checksum of downloaded files
>> - verifying the gpg signature of downloaded files
>> - verifying the gpg signature on git tags
>> - using a known git commit hash
>>
>> In nightly builds however, we need to use the master branch of some
>> components, without checking that the commit is signed. An attacker
>> who manages to take control of our git repository could potentially
>> compromise our build machines in this way. In order to remove this
>> possibility, we should sign and verify commits on all master branches
>> used in the nightly builds.
>
> Recently I was thinking about this, too. I've seen some people dislike
> signing git commits from a technical perspective, but that's because
> they usually think people misuse commit signing in place of signed tags.
> As I understand commit signing, your proposal uses commit signing in a
> useful way. This requires a combination of compromising someone's PGP
> key and either gaining control of the git server or obtaining someone's
> ssh key, at least.
>
>>
>> 2. Proposal
> [snip]
>> 2.2 Git repositories which should have signed commits
>>
>> The master commit of tor-browser-build.git should be signed by one of
>> the members of the Tor Browser team. Additionally, all components
>> included in Tor Browser, where the master branch is used in our
>> nightly build, should have their master commit signed by one of the
>> maintainers of those repositories.
>>
>> The current list of repositories where we use the master branch in
>> nightly builds is:
>>
>> https://git.torproject.org/pluggable-transports/goptlib.git
>> https://git.torproject.org/pluggable-transports/obfs4.git
>> https://git.torproject.org/tor-launcher.git
>> https://git.torproject.org/tor-browser.git
>> https://git.torproject.org/tor.git
>
> As an additional step, we can shorten this list. I know there are
> benefits to testing the master branch, but maybe that's not worth the
> extra complexity for all of these projects. In particular, obfs4 and
> goptlib are not changing frequently.
>
> Imposing the requirement that all new commits in tor.git are signed may
> be difficult. That is a conversation we should have on tor-dev at .
>
> For tor-browser and tor-launcher, I'm in favor of moving toward this
> requirement. I'll go further and suggest we follow the same process for
> torbutton and tor-browser-build, but that's outside the scope of this
tor-browser-build is included in the proposal fwiw and is important.
Georg
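The check the proposal implies for the nightly build, as an added example that is not part of the thread or of tor-browser-build: a policy script that reads `git log --format='%H %G? %GP'` output for a master branch and rejects any commit that lacks a good OpenPGP signature from a per-repository maintainer allow-list. The fingerprints and the sample log lines below are constructed placeholders, not real maintainer keys.

```python
"""Reject commits on a nightly-build master branch that are not signed
by an allow-listed maintainer key.

Input: one line per commit as produced by
    git log --format='%H %G? %GP' <range>
%G? is git's signature status letter, %GP the signer's primary key
fingerprint (absent when the commit carries no signature)."""
import subprocess

# Hypothetical allow-list: repository -> maintainers' primary key
# fingerprints (constructed placeholder values).
ALLOWED_SIGNERS = {
    "tor-browser-build.git": {"AAAA000011112222333344445555666677778888"},
    "tor-launcher.git": {"BBBB000011112222333344445555666677778888"},
}

# 'G' = good signature, 'U' = good signature, key validity unknown.
# 'U' is accepted because trust comes from our explicit fingerprint
# allow-list, not from the gpg trust database. Everything else
# (bad, expired, revoked, missing key, unsigned) is rejected.
GOOD_STATUSES = {"G", "U"}


def check_commit(repo, line):
    """Return (commit, ok, reason) for one 'HASH STATUS [FINGERPRINT]' line."""
    parts = line.split()
    commit = parts[0]
    status = parts[1] if len(parts) > 1 else "N"
    fpr = parts[2] if len(parts) > 2 else ""
    if status not in GOOD_STATUSES:
        return commit, False, "signature status %r" % status
    if fpr not in ALLOWED_SIGNERS.get(repo, set()):
        return commit, False, "signer %s is not a maintainer of %s" % (fpr or "<none>", repo)
    return commit, True, "ok"


def check_range(repo, log_output):
    """Check every commit in the log text; return [(commit, reason)] failures."""
    failures = []
    for line in log_output.splitlines():
        if line.strip():
            commit, ok, reason = check_commit(repo, line)
            if not ok:
                failures.append((commit, reason))
    return failures


def git_log_signatures(repo_path, rev_range):
    """Produce the input format from a real checkout (assumes git on PATH)."""
    return subprocess.check_output(
        ["git", "-C", repo_path, "log", "--format=%H %G? %GP", rev_range], text=True)


# Constructed sample output: good, good-untrusted, unsigned, wrong key, missing key.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111 G AAAA000011112222333344445555666677778888
2222222222222222222222222222222222222222 U AAAA000011112222333344445555666677778888
3333333333333333333333333333333333333333 N
4444444444444444444444444444444444444444 G CCCC000011112222333344445555666677778888
5555555555555555555555555555555555555555 E
"""
```

In a nightly job, `check_range(repo, git_log_signatures(path, "origin/master@{1}..origin/master"))` returning a non-empty list should fail the build before the checkout is used.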