How to find and verify a trust path?

Philip Jägenstedt philip at
Thu Sep 19 09:26:20 CEST 2013

On Thu, Sep 19, 2013 at 4:55 AM, Doug Barton <dougb at> wrote:
> I don't recall if anyone has mentioned yet. Tragically
> not available over https, but nowadays that isn't as much of an assurance as
> once thought, depending on your threat model of course. :)

I did mention it once:

On Mon, Sep 16, 2013 at 5:45 PM, Philip Jägenstedt <philip at> wrote:

> can help for keys in the strong set, but requires
> a lot of manual work.

Since the signature paths it finds can be verified separately, I don't
think it matters that it's not served over HTTPS.

> You can spend an enormous amount of time going further and further down the
> rabbit hole if you choose to. :)  At the end of the day the question
> becomes, "How much extra benefit does this extra work provide me, vs. the
> cost of any potential attack that not doing the work might permit?"

Right, so I was looking for an approach that requires little work for
me, while requiring a lot of work for someone else to subvert. (Of
course I've already spent a lot more time discussing the approach than
I would investigating any single key, because the topic in itself is
fun and interesting.)

>>> What is your threat model?
>> When checking the GnuPG dist sig key, the risk is some third party
>> modifying the source, i.e. that the code I'm getting is not from the
>> same origin as all the gpg binaries everyone else is using and
>> trusting with their secrets.
> Sorry, all you've done there is restate the problem. What bad things are you
> concerned will happen to you if you use this non-standard source? You may
> think that's a totally obvious question, but it's not. And see above for why
> it's probably the wrong question anyway.

I get the feeling that if I say that I don't want a third party to
insert backdoors into gnupg, git, nginx, node, or whatever other
packages I might be compiling from source, you'll tell me that the
maintainer can do that as well and I should audit the code.

At the end of the day I'm assuming that Debian, GnuPG, Git and a lot
of other packages that I and people I know have used for years have
maintainers who care about their reputation, and that the reason these
packages are popular is because they've done a good job historically.
I've certainly trusted them with my secrets, so if the trust is
misplaced I've already lost. When compiling from source, it would be
nice to verify that what I'm getting is from these same maintainers. I
realize that there's no guarantee that the maintainers of the packages
I've been trusting using are the same people I'll find when following
(multiple, independent) signature paths, but it looks much better than
no check at all, and my servers and secrets just aren't important
enough to warrant going much further.

Philip Jägenstedt

More information about the Gnupg-users mailing list