Apache OpenOffice (AOO) Bugzilla – Issue 125210
Web-of-Trust problems with KEYS files
Last modified: 2016-09-24 17:32:47 UTC
Created attachment 83645: Typical PGP verification message when using the KEYS file provided.

For the verification of downloads, the KEYS file that is linked for PGP verification is not kept current, and only Herbert's key is more than self-signed. KEYS files are not automatically updated from key servers, although the ones at <https://people.apache.org/keys/committer/> are routinely updated from PGP key servers.

The first attachment indicates what a user of a PGP utility will see when verifying the AOO 4.0.1 full en-US download PGP key. The second attachment is the list of public key User-ID and co-signings that are found in the KEYS file for jsc@apache.org. The third attachment indicates the additional counter-signing that is obtained with the key certificate at <https://people.apache.org/keys/committer/jsc.asc>. Note that this lists User-IDs for only those other public keys that a user has obtained, and in this case trust is not elevated. The Warning message in the first attachment still occurs.

Suggestions:

1. It might be better to have KEYS refer to the release-manager/signer key at <https://people.apache.org/keys/committer/>. This will have all counter-signatures of the key that are available on public key servers. It will also reflect any revocation, were that to happen.

2. Although retrieving a key from <https://people.apache.org/keys/committer/> is additional "proof" that the signer is the committer having control of an Apache Committer account, there is an additional step that will strengthen that claim. If committer public keys are submitted to the PGP Global Directory service, that service will carry out an e-mail confirmation and countersign those User-ID entries for which the email is confirmed. Retrieving the key from the PGP Global Directory and posting it to a public key server will then percolate that further counter-signing to the Apache list of committer keys.

The advantage of this is that if a PGP user gives the PGP Global Directory service an intermediate trust level, this will strengthen the reliance available to someone who does not know and have trusted keys of other cosigners of the Apache committer's public key.
Created attachment 83646: jsc@apache.org PGP key from KEYS. This display from the KEYS download reveals that the copy of the key provided is only self-signed, with no confirming counter-signings that assert it is by someone who has control over the jsc@apache.org account. A user can use <https://people.apache.org/keys/committer/jsc.asc> to verify the fingerprint or, better yet, install that key so that the one obtained in KEYS is updated in their PGP software.
Created attachment 83647: jsc@apache.org KEY from the Committer list. When the key is updated from <https://people.apache.org/keys/committer/jsc.asc>, the current status of counter-signings (so-called certifications) is provided. Notice that counter-signings by other keys in the KEYS file are indicated, and there are numerous others. Only the ones for which the user had downloaded the keys are named. In the illustrative case, none of the counter-signatures establish additional trust for the user performing this check. (The particular dennis.hamilton@acm.org key has since been revoked, for example.)
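The check the reporter performs by eye in attachments 83646 and 83647 (is the key in KEYS only self-signed, does the refreshed copy carry third-party certifications, has it been revoked, and does the fingerprint match the committer-list copy) can be scripted over the machine-readable output of `gpg --with-colons --list-sigs`. The following is an added example, not code from the issue or from the AOO project; the record layout it parses is GnuPG's documented colon format, while the key IDs, fingerprints, names and addresses in the embedded samples are constructed placeholders, not the real jsc@apache.org key.

```python
"""Classify the certifications on a PGP key from `gpg --with-colons --list-sigs` output.

Added example: parses GnuPG colon records (pub/fpr/uid/sig/sub) and reports, per
User-ID, how many self-signatures and how many third-party certifications are
present, so that a "KEYS copy" (self-signed only) can be told apart from a copy
refreshed from the committer key list.  All sample data below is constructed.
"""
from dataclasses import dataclass, field

# Signature classes 0x10..0x13 are User-ID certifications; 0x18 is a subkey
# binding and 0x1F a direct key signature, which are not counter-signings.
CERT_CLASSES = ("10", "11", "12", "13")


@dataclass
class KeyReport:
    keyid: str                      # long (16 hex) key ID from the pub record
    fingerprint: str = ""
    revoked: bool = False           # validity field of the pub record is 'r'
    uids: dict = field(default_factory=dict)


def parse_list_sigs(colon_output: str) -> list[KeyReport]:
    """Build one KeyReport per pub record; sig records are attributed to the
    most recent uid (sigs after a sub record are subkey bindings and skipped)."""
    reports, current, current_uid = [], None, None
    for line in colon_output.splitlines():
        f = line.split(":")
        rectype = f[0]
        if rectype == "pub":
            current = KeyReport(keyid=f[4], revoked=(f[1] == "r"))
            reports.append(current)
            current_uid = None
        elif current is None:
            continue
        elif rectype == "fpr" and not current.fingerprint:
            current.fingerprint = f[9]          # first fpr belongs to the primary key
        elif rectype == "uid":
            current_uid = f[9]
            current.uids[current_uid] = {"self": 0, "external": set(), "unknown": set()}
        elif rectype == "sub":
            current_uid = None
        elif rectype == "sig" and current_uid is not None and f[10][:2] in CERT_CLASSES:
            signer, signer_uid = f[4], f[9]
            entry = current.uids[current_uid]
            if signer == current.keyid:
                entry["self"] += 1
            else:
                entry["external"].add(signer)
                if signer_uid.startswith("[User ID not found]"):
                    entry["unknown"].add(signer)   # signer key not in the local keyring
    return reports


def only_self_signed(report: KeyReport) -> bool:
    """True when no User-ID carries a certification from another key."""
    return all(not e["external"] for e in report.uids.values())


def fingerprint_matches(report: KeyReport, expected: str) -> bool:
    """Compare against a fingerprint taken from an independent source
    (e.g. the committer key list), ignoring spacing and case."""
    norm = lambda s: "".join(s.split()).upper()
    return norm(report.fingerprint) == norm(expected)


def verification_status(report: KeyReport) -> str:
    if report.revoked:
        return "revoked"
    return "self-signed only" if only_self_signed(report) else "counter-signed"


# Constructed sample resembling a key as shipped in a stale KEYS file.
KEYS_COPY = """\
pub:u:4096:1:0123456789ABCDEF:1380000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1380000000::HASHPLACEHOLDER::Example Committer <jsc@example.invalid>::::::::::0:
sig:::1:0123456789ABCDEF:1380000000::::Example Committer <jsc@example.invalid>:13x:::::2:
sub:u:4096:1:FEDCBA9876543210:1380000000::::::e::::::23:
sig:::1:0123456789ABCDEF:1380000000::::Example Committer <jsc@example.invalid>:18x:::::2:
"""

# Same constructed key after a refresh: two counter-signatures, one from a key
# the verifying user does not hold locally.
COMMITTER_COPY = KEYS_COPY.replace(
    "sub:", "sig:::1:1111222233334444:1390000000::::Fellow Committer <fellow@example.invalid>:13x:::::2:\n"
            "sig:::1:5555666677778888:1395000000::::[User ID not found]:10x:::::2:\nsub:", 1)

# Same key, but the pub record now reports it as revoked.
REVOKED_COPY = COMMITTER_COPY.replace("pub:u:", "pub:r:", 1)


if __name__ == "__main__":
    for label, text in (("KEYS", KEYS_COPY), ("committer list", COMMITTER_COPY), ("revoked", REVOKED_COPY)):
        rep = parse_list_sigs(text)[0]
        print(label, "->", verification_status(rep), {u: (e["self"], sorted(e["external"])) for u, e in rep.uids.items()})
```

In practice the input comes from `gpg --with-colons --list-sigs <keyid>` run once after importing KEYS and again after importing the committer-list copy; a key that stays "self-signed only" after the refresh, or whose fingerprint does not match the independently obtained one, is the condition the reporter is warning about.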
I have updated the KEYS file on ...dist/openoffice/KEYS for now; better would be to enhance the documentation on how to verify. Volunteers are welcome.