Subject: Re: [edk2-devel] Question about EDK2 and commit signing
To: Pedro Falcato
Cc: edk2-devel-groups-io
From: Marvin Häuser
Date: Mon, 13 Sep 2021 19:31:26 +0000

Hey Pedro,

Same point as before really: why would an attacker have access to your SSH key but not your GPG key? This scenario leaves out the possibility of an HTTPS over SSH attack, in which case as a security-aware person you use 2FA of course ( :) ), which means this is not possible without creating a personal access token.

There is very little reason to do this at all - I never did this before, and I don't know anyone who does this with their private or work GitHub account (I think a few use it for CI?), at least that I know of. And even if you need one, and you give it push rights to actually push with, and you require GPG signatures globally, you again are keeping those two factors at least close together, if not in the same spot.

Best regards,
Marvin

On 13/09/2021 18:50, Pedro Falcato wrote:
> Hi James, Marvin,
>
> Interesting points of view.
> I still have a question though: If any part of the process got
> compromised (maintainer, or in the worst case scenario, the repo
> itself), is there anything that could be done
> in order to assess the damage? I'd say signing could help establish
> trust in a lot of those cases
>
> Thanks,
> Pedro
>
> On Sun, Sep 12, 2021 at 10:53 AM Marvin Häuser wrote:
>> Hey,
>>
>> Just my 2 cents...
>>
>> Contributors: Git's stance is the author doesn't really matter as long
>> as the code is acceptable. For most people, you will not know them
>> anyway and it does not buy you much to know they own GitHub account XY.
>> If someone is impersonating a maintainer (who would push the changes
>> directly after review), that would be obvious anyway.
>>
>> Maintainers: Why would someone have access to your SSH key but not your
>> GPG key? Especially if your commits are auto-signed, both keys are
>> likely equally readable. More factors do not meaningfully increase
>> security if they are not clearly separate.
>>
>> I'm sure nobody minds your signatures though. :)
>>
>> Best regards,
>> Marvin
>>
>> On 11/09/2021 20:25, Pedro Falcato wrote:
>>> Hi everyone,
>>>
>>> Yesterday, when pushing my first commits to edk2-platforms (as the
>>> Ext4Pkg maintainer), I noticed that my commits (see 7872c98 and
>>> 71f3343) stick out like a sore thumb, as I have GPG signing on my
>>> commits on by default (see git config commit.gpgsign), globally across
>>> all my projects.
>>>
>>> Is there an official stance on signed commits? I was thinking that
>>> commit signing, at least for the maintainers that apply and push
>>> patches, could be useful as a way to establish authenticity for every
>>> commit that gets to the edk2 repos.
>>>
>>> Best regards,
>>>
>>> Pedro Falcato