From: "James Bottomley" <james.bottomley@hansenpartnership.com>
To: devel@edk2.groups.io, mhaeuser@posteo.de, Pedro Falcato
Subject: Re: [edk2-devel] Question about EDK2 and commit signing
Date: Tue, 14 Sep 2021 11:02:40 -0700
References: <7752ca61-c66a-2667-7c3d-ab2eb10105b7@posteo.de>

On Mon, 2021-09-13 at 19:31 +0000, Marvin Häuser wrote:
> Hey Pedro,
>
> Same point as before really, why would an attacker have access to
> your SSH key but not your GPG key? This scenario leaves out the
> possibility of an HTTPS over SSH attack, in which case as a security-
> aware person you use 2FA of course ( :) ), which means this is not
> possible without creating a personal access token. There is very
> little reason to do this at all - I never did this before, and I
> don't know anyone who does this with their private or work GitHub
> account (I think a few use it for CI?), at least that I know of. And
> even if you need one, and you give it push rights to actually push
> with, and you require GPG signatures globally, you again are keeping
> those two factors at least close together, if not in the same spot.

I think the scenario in question was someone hacking into github. They
can bypass your ssh login requirement without needing your key, because
that's enforced by github, but they can't sign your commit unless they
compromise your laptop or token. There are many ways of hacking a cloud
service besides simply trying to fake the login or extract the token
from the user.

The way we get around this in Linux is with signed tags, but github
doesn't support that workflow. I still really don't think signed
commits add much, even to github, because to be informationally useful,
all commits have to be signed.

Plus, anyway, if the entire site is compromised there'll be bigger
problems than checking commit signatures ...

James
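James's point that commit signatures are only informative when every commit in a range carries one is easy to check mechanically. The script below is an added example written for this reply, not code from the thread or from the EDK2 project: it parses the output of `git log --format='%H %G?'` (the `%G?` placeholder reports git's signature verification status per commit) and lists every commit whose status is not `G`, returning non-zero if any such commit exists. The range name `v1.0..HEAD` in the comments and the sample input in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Status codes written by git's %G? placeholder (see git-log(1)):
#   G  good signature from a trusted key
#   B  bad signature
#   U  good signature, key of unknown validity
#   X  good signature that has expired
#   Y  good signature made by an expired key
#   R  good signature made by a revoked key
#   E  signature cannot be checked (e.g. missing public key)
#   N  no signature at all

# Reads "<hash> <status>" lines on stdin, as produced by
# `git log --format='%H %G?' <range>`, and prints every commit whose
# status is not G. Returns 0 only when all commits have a good, trusted
# signature, which is the condition under which the signatures tell you
# anything about the history as a whole.
report_unsigned() {
    bad=0
    while read -r hash status; do
        [ -z "$hash" ] && continue
        case "$status" in
            G) ;;                                   # good, trusted signature
            *) printf '%s %s\n' "$hash" "${status:-N}"; bad=1 ;;
        esac
    done
    return $bad
}

# Convenience wrapper for a real repository, e.g. `check_range v1.0..HEAD`
# (the range name is a constructed placeholder).
check_range() {
    git log --format='%H %G?' "$1" | report_unsigned
}

# The signed-tag workflow James mentions is verified separately with
# `git verify-tag <tag>`, which checks the tag object's own signature.
```

Run it as `check_range v1.0..HEAD` inside a clone; an empty output and exit status 0 means every commit in the range verified, anything printed is a commit you cannot attribute to a signing key.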