Ditching OpenPGP, a new approach to signing APT repositories

Konstantin Ryabitsev konstantin at linuxfoundation.org
Tue Jun 29 14:44:39 CEST 2021


On Tue, Jun 29, 2021 at 08:37:56AM +0200, Bernhard Reiter wrote:
> On Sunday 27 June 2021 18:56:15, Стефан Васильев via Gnupg-users wrote:
> > maybe interesting for some of you.
> > https://wiki.debian.org/Teams/Apt/Spec/AptSign
> 
> This does not have references on the problems it is claiming to address.
> 
> No description of the context where it is supposed to be used
> and what part it will play in the security.

I can fill it in here a bit. Debian doesn't sign individual .deb packages, but
instead signs APT repository metadata. Traditionally, a PGP key was used for
this, with the public counterpart being distributed either via the distro
media itself (e.g. iso images), or via https-based downloads.

With this change, they are replacing PGP with ed25519, but everything else
remains pretty much the same -- the signing is done by centralized distro
infrastructure.

> Also there is no mention of how the trust relation of the public
> keys will be established.

The same as before -- they are downloaded with iso images, or retrieved from
the website via https. While there is no built-in mechanics for distributing
key revocation for ed25519 keys, this was not really a consideration before
either (even if you can publish a revocation certificate for a PGP key used
for this purpose now, very few people will know what to do with it).

> So not yet possible to evaluate the page, it looks like a 0.2 draft
> in a wiki and probably gets to the point of being an interesting proposal
> later.

Most notably, "Ditching OpenPGP" is wildly inaccurate. OpenPGP is still used
for all other Debian maintainer operations -- it's only being replaced in one
small area where key management and trust were used in least PGP-like ways.

-K
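The mechanism Konstantin describes (the distro infrastructure signs the repository metadata, the client verifies it with a public key it obtained out of band from install media or an https download, and individual .deb files are trusted only through the digests listed in that metadata) as an added, self-contained example. It is not code from this thread or from the Debian AptSign spec; it uses Go's standard crypto/ed25519, and the key seed, the Release-style layout, the package bytes and the function names are all constructed for illustration.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// samplePackage stands in for a downloaded .deb; constructed bytes, not a real package.
var samplePackage = []byte("fake .deb contents for demonstration only\n")

// BuildRelease produces a minimal Release-style document that lists each
// package file by SHA-256 digest, size and path (a constructed layout that
// mimics how APT metadata references files by digest rather than signing them).
func BuildRelease(files map[string][]byte) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths) // deterministic output regardless of map order
	var b strings.Builder
	b.WriteString("Suite: example\nSHA256:\n")
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&b, " %s %d %s\n", hex.EncodeToString(sum[:]), len(files[p]), p)
	}
	return []byte(b.String())
}

// SignRelease is the centralised step: only the holder of the distro's
// private key can produce a valid signature over the metadata.
func SignRelease(priv ed25519.PrivateKey, release []byte) []byte {
	return ed25519.Sign(priv, release)
}

// VerifyRelease is the client-side step. The public key is the trust anchor
// the client obtained out of band; nothing in the download itself is trusted.
func VerifyRelease(pub ed25519.PublicKey, release, sig []byte) bool {
	return ed25519.Verify(pub, release, sig)
}

// PackageMatchesRelease checks a downloaded package against the digest and
// size recorded in already-verified metadata. A path that is not listed is
// an unknown file and is rejected rather than silently accepted.
func PackageMatchesRelease(release []byte, path string, pkg []byte) bool {
	want := sha256.Sum256(pkg)
	wantHex := hex.EncodeToString(want[:])
	sc := bufio.NewScanner(bytes.NewReader(release))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 3 && fields[2] == path {
			return fields[0] == wantHex && fields[1] == fmt.Sprint(len(pkg))
		}
	}
	return false
}

// DemoKey derives a reproducible keypair from a constructed seed string so the
// example is deterministic; a real signing key's seed must be random and secret.
func DemoKey(seed string) (ed25519.PublicKey, ed25519.PrivateKey) {
	s := sha256.Sum256([]byte(seed)) // 32 bytes, exactly ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(s[:])
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	const debPath = "pool/main/h/hello/hello_1.0_amd64.deb" // hypothetical path
	pub, priv := DemoKey("constructed demo seed")
	release := BuildRelease(map[string][]byte{debPath: samplePackage})
	sig := SignRelease(priv, release)
	fmt.Println("genuine metadata verifies:", VerifyRelease(pub, release, sig))

	// Changing any byte of the metadata invalidates the signature over the whole file.
	tampered := bytes.Replace(release, []byte("Suite: example"), []byte("Suite: other"), 1)
	fmt.Println("tampered metadata verifies:", VerifyRelease(pub, tampered, sig))

	// A signature from a different key is rejected: only the out-of-band key is trusted.
	_, otherPriv := DemoKey("some other key")
	fmt.Println("other key verifies:", VerifyRelease(pub, release, SignRelease(otherPriv, release)))

	// The .deb itself is never signed; it is checked against the signed digest list.
	modified := append(append([]byte{}, samplePackage...), 'x')
	fmt.Println("package matches:", PackageMatchesRelease(release, debPath, samplePackage))
	fmt.Println("modified package matches:", PackageMatchesRelease(release, debPath, modified))
}
```

The two verification steps are deliberately separate: the signature check binds the metadata to the distro key, and the digest check binds each package to the metadata, so a client that skips either step has no integrity guarantee on what it installs. Key distribution and revocation stay outside the code, exactly as the thread notes: the ed25519 key is only as trustworthy as the channel (install media or https) it arrived through.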


