[jitsi-users] Signed packages and Debian Repositories


#1

Hi all,

Very glad to hear that the multiple-otr-key functionality will be in the
nightlies soon; that will solve one of the biggest usage issues that my
local group of XMPP contacts have been having since we started using
Jitsi earlier in the month.

We're looking at Jitsi as the key application for instant messaging and
VoIP as part of the CryptoParty we're running in Devon in February, and
I've realised that I'm not sure how to 'trust' the XMPP binaries.

In the 'nightlies' folder, PGP signatures are being provided for each
Debian package; however, I can't find a link to your PGP public key
(which I would expect to find on a keyserver with an associated web of
trust) or signatures for the stable binaries, which are the ones we've
been looking at. Is there a reason why neither of these things is
provided, or am I simply looking in the wrong place?

This brings me to the line 'Note that once you install one of the Jitsi
debian packages, our debian repository would be automatically added to
your package sources so that you would be able to easily upgrade.',
which means that an unverified binary package is now installing a link
back to a repository which has not been manually trusted at any point in
the install process. Public key verification of the original install
package would solve this problem.

Grateful for any feedback!

Regards,
Gray.


#2

Hi

On Sun, Jan 19, 2014 at 01:39:49PM +0000, Gray Marchiori-Simpson wrote:

> Hi all,
>
> Very glad to hear that the multiple-otr-key functionality will be in the
> nightlies soon; that will solve one of the biggest usage issues that my
> local group of XMPP contacts have been having since we started using
> Jitsi earlier in the month.
>
> We're looking at Jitsi as the key application for instant messaging and
> VoIP as part of the CryptoParty we're running in Devon in February, and
> I've realised that I'm not sure how to 'trust' the XMPP binaries.

As a side note:

Jitsi is now included in Debian Testing. Do you want to get a version
into Backports?

Rebuilding those packages on your own with a different upstream version
should be rather simple. Let me know if you need any help with that.

> In the 'nightlies' folder, PGP signatures are being provided for each
> Debian package; however, I can't find a link to your PGP public key
> (which I would expect to find on a keyserver with an associated web of
> trust) or signatures for the stable binaries, which are the ones we've
> been looking at. Is there a reason why neither of these things is
> provided, or am I simply looking in the wrong place?
>
> This brings me to the line 'Note that once you install one of the Jitsi
> debian packages, our debian repository would be automatically added to
> your package sources so that you would be able to easily upgrade.',
> which means that an unverified binary package is now installing a link
> back to a repository which has not been manually trusted at any point in
> the install process. Public key verification of the original install
> package would solve this problem.

Standard signatures indeed seem to be missing.

Deb packages are not signed. APT package repositories are signed.
See apt-secure(7) and
https://wiki.debian.org/HowToSetupADebianRepository .

--
Tzafrir Cohen | tzafrir@jabber.org | VIM is
http://tzafrir.org.il | | a Mutt's
tzafrir@cohens.org.il | | best
tzafrir@debian.org | | friend


#3

On 19/01/14 13:48, Tzafrir Cohen wrote:

> As a side note: Jitsi is now included in Debian Testing. Do you want
> to get a version into Backports?

I'm actually using Xubuntu 13.10, so it wouldn't affect me directly.
Probably not a bad idea, as it would provide an alternative trust chain
to the one I'm having concerns with, at least for recent Debian users.

> Standard signatures indeed seem to be missing.
>
> Deb packages are not signed. APT package repositories are signed.
> See apt-secure(7) and
> https://wiki.debian.org/HowToSetupADebianRepository .

apt-secure states that there is checksumming of the packages against the
package list, and the package list is signed. This gives a chain of
trust once the PGP public key for that repository has been accepted on
the client (part of adding a repository). Once the key has been trusted,
the only persons who can insert malicious code as a package update are
those adding packages to the repository.

My concern is that usually when adding a new repository, such as
manually adding a PPA, you are asked to check the PGP fingerprint. Jitsi
does not allow me to check that the package I have downloaded contains
the correct repository and key, breaking the chain of trust. Providing
PGP signatures with the binaries (as per the nightlies) would allow
users to check the validity of that first package, thereby validating
the public key included in that package, and extending trust all the way
up to the repository maintainer.

However, as I have no readily apparent public key to go with the
signatures for the nightlies, I cannot validate those packages either.

What I'm suggesting is:
- Upload the public key used to sign the nightly builds to the public
keyserver infrastructure.
- Have all the core developers sign the trusted public key to build the
web of trust.
- Sign all distributed binaries with PGP, including Windows packages,
distributing the signatures as 'filename.asc' as per the nightlies.
- Link the PGP public key from somewhere obvious on the site so that
people can verify the downloaded binary before installing or using it.

There's no need for the binaries themselves to contain an embedded
digital signature unless the OS requires it (e.g. Mac OS X).

Regards,
Gray.
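The Release -> Packages -> .deb checksum chain that apt-secure(7) describes, as an added example that is not part of this thread or of Jitsi's or Debian's own tooling: the Release and Packages data and the stand-in .deb bytes are constructed inline, and the PGP verification of the Release file against a key whose fingerprint the user has checked (the step Gray's concern is about) is assumed to have already happened and is not performed here.

```python
import hashlib
import re

# Constructed sample artifacts laid out like a real APT repository: Release lists
# the hash of the Packages index, and Packages lists the hash of each .deb.
DEB_PATH = "pool/main/j/jitsi/jitsi_0.0-constructed_amd64.deb"  # hypothetical name
DEB_BYTES = b"!<arch>\nconstructed-sample-deb-contents\n"        # not a real package
INDEX_PATH = "main/binary-amd64/Packages"

PACKAGES = (
    "Package: jitsi\nVersion: 0.0-constructed\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB_BYTES)}\n"
    f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n\n"
).encode()

RELEASE = (
    "Suite: stable\nSHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} {INDEX_PATH}\n"
)


def release_hashes(release_text):
    """Return {path: (sha256, size)} from the SHA256: section of a Release file."""
    hashes, in_sha256 = {}, False
    for line in release_text.splitlines():
        if re.match(r"^[A-Za-z0-9-]+:", line):      # a new field starts
            in_sha256 = line.startswith("SHA256:")
        elif in_sha256 and line.startswith(" "):   # continuation line of SHA256:
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes


def packages_hashes(packages_bytes):
    """Return {Filename: sha256} for every stanza in a Packages index."""
    out = {}
    for stanza in packages_bytes.decode().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if "Filename" in fields and "SHA256" in fields:
            out[fields["Filename"]] = fields["SHA256"]
    return out


def verify_chain(release_text, packages_bytes, index_path, deb_path, deb_bytes):
    """Walk Release -> Packages -> .deb. Assumes Release's detached PGP signature was
    already verified against a fingerprint-checked key; without that, hashes prove nothing."""
    got_index = (hashlib.sha256(packages_bytes).hexdigest(), len(packages_bytes))
    if release_hashes(release_text).get(index_path) != got_index:
        return False   # index tampered with, or not covered by the signed Release
    expected_deb = packages_hashes(packages_bytes).get(deb_path)
    return expected_deb == hashlib.sha256(deb_bytes).hexdigest()
```

Every hash here hangs off the signed Release file, which is why a first package that silently installs both the repository and its key gives the user nothing to anchor the chain to.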