From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mout02.posteo.de (mout02.posteo.de [185.67.36.66]) by mx.groups.io with SMTP id smtpd.web08.2.1631650735923765444 for ; Tue, 14 Sep 2021 13:18:56 -0700
Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@posteo.de header.s=2017 header.b=IPUZmOC3; spf=pass (domain: posteo.de, ip: 185.67.36.66, mailfrom: mhaeuser@posteo.de)
Received: from submission (posteo.de [89.146.220.130]) by mout02.posteo.de (Postfix) with ESMTPS id 5C7FF240104 for ; Tue, 14 Sep 2021 22:18:53 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1631650733; bh=4Kp0idrIhCpCwnQZw5vuSdmSYAcEusrCb8q4xJxbXPM=; h=Subject:To:From:Date:From; b=IPUZmOC3yyw92ScQt0nkCrH2eF3KyZfJ8l7oYbmnHMutD6tbeQ4bxBizeIZCvTeCW off4L/p9CtsIocJ+Qv7KP5qU3XXi/pMTou8kXRwLIlalFR9akS/DMAEIl8LmhBGfHz L0yC6a6HNg5yhjQfsg+qc7VAGf030E8ho/52iZdU7mF9Yc4Q/v2N1YVTC4gzeSTA+n /laUf7uzIW57baeVA6+Jb1CO6gr95rS46fzd4vQNbNgsnfkQpDx8purxy+dAnzpc/r 1c2Vk/KLT5yzHI5ZK6At1eSMRJNq8deQBg6IB7tEqywkvPjsJGIQJKKE0Ds2liSak0 cYggtU+kZBg6g==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4H8F6d3Lbbz9rxH; Tue, 14 Sep 2021 22:18:49 +0200 (CEST)
Subject: Re: [edk2-devel] Question about EDK2 and commit signing
To: James Bottomley , devel@edk2.groups.io, Pedro Falcato
References: <7752ca61-c66a-2667-7c3d-ab2eb10105b7@posteo.de>
From: Marvin Häuser
Message-ID: <5d2bce3d-7de3-dacb-8fd5-cc4f60abb394@posteo.de>
Date: Tue, 14 Sep 2021 20:18:49 +0000
MIME-Version: 1.0
In-Reply-To:
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-GB
Content-Transfer-Encoding: quoted-printable

On 14/09/2021 20:02, James Bottomley wrote:
> On Mon, 2021-09-13 at 19:31 +0000, Marvin Häuser wrote:
>> Hey Pedro,
>>
>> Same point as before really, why would an attacker have access to
>> your SSH key but not your GPG key? This scenario leaves out the
>> possibility of an HTTPS over SSH attack, in which case as a security-
>> aware person you use 2FA of course ( :) ), which means this is not
>> possible without creating a personal access token. There is very
>> little reason to do this at all - I never did this before, and I
>> don't know anyone who does this with their private or work GitHub
>> account (I think a few use it for CI?), at least that I know of. And
>> even if you need one, and you give it push rights to actually push
>> with, and you require GPG signatures globally, you again are keeping
>> those two factors at least close together, if not in the same spot.
> I think the scenario in question was someone hacking into github. They
> can bypass your ssh login requirement without needing your key, because
> that's enforced by github but they can't sign your commit unless they
> compromise your laptop or token. There are many ways of hacking a
> cloud service besides simply trying to fake the login or extract the
> token from the user.

For the green "verified" tick it'd be sufficient to just enrol a new GPG
key. There'd need to be some manual verification that it's always the
same GPG key, which would require some trusted channel of transmission
and updating it in case it is lost. To get literally anything out of
this, a significant extra effort is required.

Best regards,
Marvin

>
> The way we get around this in Linux is with signed tags, but github
> doesn't support that workflow.
>
> I still really don't think signed commits adds much, even to github,
> because to be informationally useful, all commits have to be signed.
> Plus, anyway, if the entire site is compromised there'll be bigger
> problems than checking commit signatures ...
>
> James
>
>
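The point made above, that a hosting platform's "verified" badge only proves a signature from *some* enrolled key, is what a pinned-fingerprint check addresses: the verifier keeps the expected key fingerprints out of band and rejects commits that are unsigned, signed by a different key, or signed by a key the local keyring does not trust. The following is an added example, not code from this thread or from the EDK2 project. It assumes the output of `git log --format='%H%x09%G?%x09%GP' <range>` (both `%G?`, the signature status letter, and `%GP`, the primary key fingerprint, are standard git pretty-format placeholders); the commit hashes and fingerprints in the sample are constructed.

```python
"""Audit a commit range against a pinned set of GPG key fingerprints.

Added example (not from the edk2-devel thread). Input is the output of
    git log --format='%H%x09%G?%x09%GP' <range>
one commit per line: sha <TAB> status letter <TAB> primary key fingerprint.
"""
import subprocess

# Status letters git emits for %G? (see git-log documentation):
#   G good, B bad, U good but untrusted key, X/Y expired, R revoked,
#   E cannot be checked, N no signature.
GOOD_STATUSES = {"G"}
UNTRUSTED_OK = {"U"}


def parse_log_lines(text):
    """Yield (sha, status, fingerprint) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        while len(parts) < 3:      # %GP is empty for unsigned commits
            parts.append("")
        yield parts[0], parts[1], parts[2]


def audit(text, allowed_fingerprints, accept_untrusted=False):
    """Return [(sha, reason)] for every commit that violates the policy.

    A commit passes only if its signature status is good AND the signing
    key's fingerprint is in the pinned allow-list. A freshly enrolled key
    on the hosting side therefore still fails here.
    """
    allowed = {fp.replace(" ", "").upper() for fp in allowed_fingerprints}
    problems = []
    for sha, status, fp in parse_log_lines(text):
        status_ok = status in GOOD_STATUSES or (
            accept_untrusted and status in UNTRUSTED_OK
        )
        if not status_ok:
            problems.append((sha, f"signature status {status or '?'}"))
            continue
        if fp.replace(" ", "").upper() not in allowed:
            problems.append((sha, f"signed by unexpected key {fp}"))
    return problems


def audit_repo(rev_range, allowed_fingerprints, repo_dir="."):
    """Run git on a real repository, e.g. audit_repo('origin/master..HEAD', [...])."""
    out = subprocess.run(
        ["git", "log", "--format=%H%x09%G?%x09%GP", rev_range],
        cwd=repo_dir, check=True, capture_output=True, text=True,
    ).stdout
    return audit(out, allowed_fingerprints)


# Constructed sample: fake SHAs and fake fingerprints, not real commits.
PINNED_KEY = "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"
OTHER_KEY = "FFFF9999FFFF9999FFFF9999FFFF9999FFFF9999"
SHA_GOOD = "1" * 40
SHA_UNSIGNED = "2" * 40
SHA_OTHER_KEY = "3" * 40
SHA_UNTRUSTED = "4" * 40

SAMPLE_LOG = "\n".join([
    f"{SHA_GOOD}\tG\t{PINNED_KEY}",      # good signature, pinned key
    f"{SHA_UNSIGNED}\tN\t",             # unsigned commit
    f"{SHA_OTHER_KEY}\tG\t{OTHER_KEY}",  # valid signature, but a different key
    f"{SHA_UNTRUSTED}\tU\t{PINNED_KEY}",  # pinned key, not trusted in local keyring
])


if __name__ == "__main__":
    for sha, reason in audit(SAMPLE_LOG, [PINNED_KEY]):
        print(f"{sha[:12]}  {reason}")
```

The third sample line is the case discussed in the thread: the signature is cryptographically valid and would earn a green tick on the hosting side, yet the pinned allow-list rejects it because the fingerprint was never agreed over a trusted channel.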