Please remove MacGPG from gnupg.org due to serious security concerns
Jonathan Schleifer
js-gnupg-users at webkeks.org
Wed Feb 18 11:52:52 CET 2015
On 17.02.2015 at 14:22, Werner Koch <wk at gnupg.org> wrote:
> I do not think that it matters whether you pull using the git or the ssh
> protocol. In both cases an active attacker can intercept the traffic
> easily. Virtually nobody checks ssh host keys and how should they do it
> given that I can't find its fingerprint easily on github. Thus you would only
> see the "host key changed" warning in case this is not the first time
> you connected to this github project (I assume they use different host
> keys per project).
I do verify the fingerprint, and they are quite easy to find actually:
https://help.github.com/articles/what-are-github-s-ssh-key-fingerprints/
First Google match for "GitHub SSH fingerprint".
> After all it is not different from downloading tarballs - only 10 to 20%
> of all downloads also download the signature file and for most projects
> there is no signature file.
Well, I guess you have to take into account that a lot of downloads are from packaging software like pkgsrc, FreeBSD ports, Gentoo portage, ArchLinux's makepkg, etc. Usually, these do download the signature and tarball once, verify it and then write a checksum to the Makefile / PKGBUILD / however it is called, which is then verified. So I guess you can't easily map that to "Only x% of users check the downloaded tarball". I guess it's a lot more; it's just that not all check it using the .sig.
> For gnupg.org we assume that users of the repos closely watch out for
> conflicts and verify the latest release tag. If there is a problem that
> should be reported to a mailing-list (after verification that it is
> really a conflict).
>
> git meanwhile allows to sign commits. If anyone knows a method to set a
> different key for tagging and commits, I would soon start to sign each
> commit. I use a smartcard based key for tagging but won't use that for
> regular commits.
git commit -S<keyID>
You can just create an alias for that, I for example use git ci.
--
Jonathan
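The packaging workflow from the paragraph above, as an added illustration that is not part of the original mail or of any of the named packaging systems: the packager verifies the tarball's detached signature once, pins its SHA-256 in the build recipe, and every later build checks the download against that pin without fetching a .sig. The tarball bytes and the PKGBUILD-style line are constructed here.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a release tarball's bytes; not a real GnuPG release.
SAMPLE_TARBALL = b"gnupg-sample-release: constructed test payload\n" * 32


def pin_checksum(tarball: bytes, signature_verified: bool) -> str:
    """Packager's one-time step: only after 'gpg --verify' of tarball + .sig has
    passed (signalled here by the caller) is the SHA-256 recorded in the recipe.
    Refusing to pin an unverified download keeps a tampered tarball from being
    blessed for every later build."""
    if not signature_verified:
        raise ValueError("refusing to pin: detached signature was not verified")
    return hashlib.sha256(tarball).hexdigest()


def render_recipe(digest: str) -> str:
    """Emit a PKGBUILD-style checksum line (ports Makefiles differ in syntax only)."""
    return f"sha256sums=('{digest}')\n"


_SUMS_RE = re.compile(r"^sha256sums=\('([0-9a-f]{64})'\)$", re.MULTILINE)


def verify_pinned(tarball: bytes, recipe: str) -> bool:
    """Every later build: the freshly downloaded tarball must match the pinned digest.
    A recipe without a pin is treated as a failure, never as a pass."""
    match = _SUMS_RE.search(recipe)
    if match is None:
        return False
    actual = hashlib.sha256(tarball).hexdigest()
    return hmac.compare_digest(actual, match.group(1))


if __name__ == "__main__":
    recipe = render_recipe(pin_checksum(SAMPLE_TARBALL, signature_verified=True))
    print(recipe.strip())
    print("clean build:", verify_pinned(SAMPLE_TARBALL, recipe))
    print("tampered build:", verify_pinned(SAMPLE_TARBALL + b"#", recipe))
```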