
Insecure dev machines.

Posted Oct 22, 2024 8:40 UTC (Tue) by epa (subscriber, #39769)
In reply to: Insecure dev machines. by LtWorf
Parent article: Python PGP proposal poses packaging puzzles

But if a developer's PC is insecure, can we trust "has control of an email address" either? Unless they're disciplined enough to have a separate device for their mail.


Insecure dev machines.

Posted Oct 22, 2024 14:57 UTC (Tue) by mricon (subscriber, #59252) [Link]

Yes, this is kind of the key part here. If we cannot trust the developer workstation, we cannot trust any actions performed on that workstation, so sigstore's short-lived certificates don't solve this problem. They solve *other* problems, such as having a trusted public ledger and getting a proof that, at the time of the signature, the person still had credentials for that particular account and that account was active. However, if the workstation of the developer issuing sigstore certificates cannot be trusted, the signature cannot be trusted either.

Insecure dev machines.

Posted Oct 22, 2024 17:21 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (3 responses)

The idea is that the build process will happen on GitHub's infrastructure, and the signature only verifies the provenance.

Insecure dev machines.

Posted Oct 22, 2024 19:43 UTC (Tue) by LtWorf (subscriber, #124958) [Link] (2 responses)

But a compromised machine has a nice ~/.ssh directory that allows uploading whatever to GitHub.

Insecure dev machines.

Posted Oct 22, 2024 20:44 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

It's way better than Jia Tan silently replacing your binaries just after the linking step, but before signing them with your PGP key.

Builds on GitHub instead of compromised developer machine

Posted Oct 23, 2024 8:13 UTC (Wed) by farnz (subscriber, #17727) [Link]

On the assumption that you trust GitHub, this guarantees you that the source visible on GitHub is the corresponding source for the binary built on GitHub. With a developer doing the signing, I can build a binary that does not correspond to the given source, sign it, and upload it.

Reproducible builds would, of course, be better.
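The distinction drawn in this thread (provenance binds a binary to a builder and a source commit, while a developer-signed binary proves nothing about the source) can be shown with a small verifier. This is an added example, not code from LWN, PyPI or sigstore; the artifact bytes, repository URL, commit and builder identifiers are all constructed, and the cryptographic signature over the statement is assumed to have already been checked by a sigstore client.

```python
import hashlib

# Constructed sample values (not a real project, commit or builder).
ARTIFACT = b"example-1.0-py3-none-any.whl contents"
SOURCE_REPO = "git+https://github.com/example-org/example"
COMMIT = "0123456789abcdef0123456789abcdef01234567"
TRUSTED_BUILDER = "https://github.com/example-org/example/.github/workflows/release.yml@refs/heads/main"
PREDICATE_V1 = "https://slsa.dev/provenance/v1"


def make_statement(artifact, repo, commit, builder_id):
    """Build an in-toto statement with a SLSA v1 provenance predicate (field names per the SLSA v1 spec)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "example-1.0-py3-none-any.whl",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": PREDICATE_V1,
        "predicate": {
            "buildDefinition": {"resolvedDependencies": [{"uri": repo, "digest": {"gitCommit": commit}}]},
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def verify_provenance(artifact, statement, trusted_builder, expected_repo):
    """Return (ok, reason). Signature over `statement` is assumed verified before this is called."""
    digest = hashlib.sha256(artifact).hexdigest()
    if digest not in {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}:
        return False, "artifact digest is not a subject of the provenance"
    if statement.get("predicateType") != PREDICATE_V1:
        return False, "unexpected predicate type"
    pred = statement.get("predicate", {})
    # The builder identity is the whole point: a developer laptop is not the pinned CI workflow.
    if pred.get("runDetails", {}).get("builder", {}).get("id") != trusted_builder:
        return False, "built by an untrusted builder"
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    commits = [d["digest"].get("gitCommit") for d in deps if d.get("uri") == expected_repo]
    if not commits or not all(len(c) == 40 for c in commits):
        return False, "no pinned source commit for the expected repository"
    return True, "ok"


def reproducible(published, rebuilt):
    """Independent rebuild check: trusts no builder at all, only the bytes."""
    return hashlib.sha256(published).digest() == hashlib.sha256(rebuilt).digest()


if __name__ == "__main__":
    good = make_statement(ARTIFACT, SOURCE_REPO, COMMIT, TRUSTED_BUILDER)
    laptop = make_statement(ARTIFACT, SOURCE_REPO, COMMIT, "file:///home/dev/laptop")
    print(verify_provenance(ARTIFACT, good, TRUSTED_BUILDER, SOURCE_REPO))    # (True, 'ok')
    print(verify_provenance(ARTIFACT, laptop, TRUSTED_BUILDER, SOURCE_REPO))  # (False, ...)
    print(reproducible(ARTIFACT, ARTIFACT))                                   # True
```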


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds