Matthew Finkel:
On Tue, Apr 28, 2020 at 04:42:47PM +0200, Nicolas Vigier wrote:
Hi,
Attached is a proposal for signing commits with gpg.
Thanks!
I also added it to this branch (using number 104, although this number can still change before merging): https://gitweb.torproject.org/user/boklm/tor-browser-spec.git/commit/?h=bug_...
Nicolas
[snip]
- Motivation
While building stable or alpha Tor Browser releases, we verify all inputs using one of the following methods:
- verifying the checksum of downloaded files
- verifying the gpg signature of downloaded files
- verifying the gpg signature on git tags
- using a known git commit hash
In nightly builds however, we need to use the master branch of some components, without checking that the commit is signed. An attacker who manages to take control of our git repository could potentially compromise our build machines in this way. In order to remove this possibility, we should sign and verify commits on all master branches used in the nightly builds.
Recently I was thinking about this, too. I've seen some people dislike signing git commits from a technical perspective, but that's because they usually think people misuse commit signing in place of signed tags. As I understand commit signing, your proposal uses commit signing in a useful way. This requires a combination of compromising someone's PGP key and either gaining control of the git server or obtaining someone's ssh key, at least.
- Proposal
[snip]
2.2 Git repositories which should have signed commits
The master commit of tor-browser-build.git should be signed by one of the members of the Tor Browser team. Additionally, all components included in Tor Browser, where the master branch is used in our nightly build, should have their master commit signed by one of the maintainers of those repositories.
The current list of repositories where we use the master branch in nightly builds is:
https://git.torproject.org/pluggable-transports/goptlib.git
https://git.torproject.org/pluggable-transports/obfs4.git
https://git.torproject.org/tor-launcher.git
https://git.torproject.org/tor-browser.git
https://git.torproject.org/tor.git
As an additional step, we can shorten this list. I know there are benefits to testing the master branch, but maybe that's not worth the extra complexity for all of these projects. In particular, obfs4 and goptlib are not changing frequently.
Imposing the requirement that all new commits in tor.git are signed may be difficult. That is a conversation we should have on tor-dev@.
For tor-browser and tor-launcher, I'm in favor of moving toward this requirement. I'll go further and suggest we follow the same process for torbutton and tor-browser-build, but that's outside the scope of this
tor-browser-build is included in the proposal fwiw and is important.
Georg
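As an added example (not part of this thread or of tor-browser-build), here is a small Python check in the spirit of section 2.2: it reads the output of `git log --format='%H%x1f%G?%x1f%GP'` for the commits that would enter a nightly build and rejects any commit that is unsigned, has a non-good signature status, or was signed by a key whose primary fingerprint is not on a per-repository maintainer allowlist. The allowlist, the fingerprints and the commit hashes are constructed placeholders, and accepting the "U" status on the strength of the allowlist is this example's own assumption.

```python
import subprocess
from typing import List, Set, Tuple

# git's %G? codes: G good, U good but signer not trusted by the local keyring,
# B bad, X/Y expired, R revoked, E unverifiable (key missing), N unsigned.
# G and U are accepted because trust comes from the allowlist below rather
# than from the local web of trust (an assumption of this example).
ACCEPTABLE_STATUS = {"G", "U"}
# Fields separated by 0x1f (unit separator): str.splitlines() does not split on it.
LOG_FORMAT = "%H%x1f%G?%x1f%GP"  # commit hash, status, primary-key fingerprint

# Constructed placeholder: primary-key fingerprints of the maintainers
# allowed to sign a repository's master branch.
ALLOWED_PRIMARY_FPS = {"tor-browser-build.git": {"0" * 39 + "1", "0" * 39 + "2"}}

def git_log_signatures(repo_dir: str, rev_range: str) -> str:
    """Run git log over rev_range (e.g. 'last-verified..master') with LOG_FORMAT."""
    cmd = ["git", "-C", repo_dir, "log", f"--format={LOG_FORMAT}", rev_range]
    return subprocess.check_output(cmd, text=True)

def find_unacceptable_commits(log_output: str,
                              allowed_fps: Set[str]) -> List[Tuple[str, str]]:
    """Return (commit, reason) for every commit that must block the nightly build."""
    problems = []
    for line in log_output.splitlines():
        if not line:
            continue
        commit, status, primary_fp = line.split("\x1f")
        if status == "N":
            problems.append((commit, "no signature"))
        elif status not in ACCEPTABLE_STATUS:
            problems.append((commit, f"signature status {status}"))
        elif primary_fp.upper() not in allowed_fps:
            problems.append((commit, f"signed by non-maintainer key {primary_fp}"))
    return problems

def master_is_acceptable(repo_dir: str, repo_name: str, known_good: str) -> bool:
    """True only if every commit in known_good..master passes the check."""
    out = git_log_signatures(repo_dir, f"{known_good}..master")
    return not find_unacceptable_commits(out, ALLOWED_PRIMARY_FPS[repo_name])

# Constructed sample of git log output (fake hashes); one commit per line.
SAMPLE_LOG = "\n".join([
    "\x1f".join(["1111111", "G", "0" * 39 + "1"]),  # good, maintainer key
    "\x1f".join(["2222222", "U", "0" * 39 + "2"]),  # good, key not in local WoT
    "\x1f".join(["3333333", "G", "deadbeef" * 5]),  # good signature, wrong signer
    "\x1f".join(["4444444", "N", ""]),              # unsigned
    "\x1f".join(["5555555", "E", ""]),              # signing key missing
])
```

Run over `SAMPLE_LOG`, the check rejects the last three commits and accepts the first two; in a build script, a non-empty result from `find_unacceptable_commits` (or `False` from `master_is_acceptable`) should abort the nightly build before any code from the repository is used.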