From: "Marvin Häuser" <mhaeuser@posteo.de>
To: James Bottomley <James.Bottomley@HansenPartnership.com>,
devel@edk2.groups.io, Pedro Falcato <pedro.falcato@gmail.com>
Subject: Re: [edk2-devel] Question about EDK2 and commit signing
Date: Tue, 14 Sep 2021 20:18:49 +0000 [thread overview]
Message-ID: <5d2bce3d-7de3-dacb-8fd5-cc4f60abb394@posteo.de> (raw)
In-Reply-To: <a5e61ba06e080affe9e06b94ad5b3b85d28fb4b9.camel@HansenPartnership.com>
On 14/09/2021 20:02, James Bottomley wrote:
> On Mon, 2021-09-13 at 19:31 +0000, Marvin Häuser wrote:
>> Hey Pedro,
>>
>> Same point as before really, why would an attacker have access to
>> your SSH key but not your GPG key? This scenario leaves out the
>> possibly of an HTTPS over SSH attack, in which case as a security-
>> aware person you use 2FA of course ( :) ), which means this is not
>> possible without creating a personal access token. There is very
>> little reason to do this at all - I never did this before, and I
>> don't know anyone who does this with their private or work GitHub
>> account (I think a few use it for CI?), at least that I know of. And
>> even if you need one, and you give it push rights to actually push
>> with, and you require GPG signatures globally, you again are keeping
>> those two factors at least close together, if not in the same spot.
> I think the scenario in question was someone hacking into github. They
> can bypass your ssh login requirement without needing your key, because
> that's enforced by github but they can't sign your commit unless they
> compromise your laptop or token. There are many ways of hacking a
> cloud service besides simply trying to fake the login or extract the
> token from the user.
For the green "verified" tick it'd be sufficient to just enrol a new GPG
key. There'd need to be some manual verification that it's always the
same GPG key, which would require some trusted channel of transmission
and updating it in case it is lost. To get literally anything out of
this, a significant extra effort is required.
Best regards,
Marvin
>
> The way we get around this in Linux is with signed tags, but github
> doesn't support that workflow.
>
> I still really don't think signed commits adds much, even to github,
> because to be informationally useful, all commits have to be signed.
> Plus, anyway, if the entire site is compromised there'll be bigger
> problems than checking commit signatures ...
>
> James
>
>
prev parent reply other threads:[~2021-09-14 20:18 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-11 18:25 Question about EDK2 and commit signing Pedro Falcato
2021-09-11 21:48 ` [edk2-devel] " James Bottomley
2021-09-12 9:53 ` Marvin Häuser
2021-09-13 16:50 ` Pedro Falcato
2021-09-13 19:31 ` Marvin Häuser
2021-09-14 18:02 ` James Bottomley
2021-09-14 20:18 ` Marvin Häuser [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5d2bce3d-7de3-dacb-8fd5-cc4f60abb394@posteo.de \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox