[jitsi-users] Trust issue

Emil Ivov wrote:

We are not currently signing packages

Jitsi isn't just some wallpaper or fontset or game. It's a tool people rely on for secure communication. I want to use it, but I can't, because I can't find any evidence that the developers are willing to take responsibility for even the stable builds on jitsi.org. Since I use Debian stable, I have to wait until 2015 to use Jitsi, since that's when I'll get signatures for it.

Signing will take just a few seconds of your time. There's no reason not to do it.

gpg --export -a yourname
gpg -sba jitsi_2.2.4603.9615-1_i386.deb

If you don't want to sign all your different builds individually, then
sha256sum jitsi* > SHA256SUMS
gpg -sba SHA256SUMS

Yes, we still can't verify that the key is really yours. But signing your builds forces any attack to be far more prominent and risky. Please sign. Those of us who need this precaution will appreciate it.

Emil Ivov wrote:

We are not currently signing packages

Jitsi isn't just some wallpaper or fontset or game. It's a tool
people rely on for secure communication. I want to use it, but I
can't, because I can't find any evidence that the developers are
willing to take responsibility for even the stable builds on
jitsi.org. Since I use Debian stable, I have to wait until 2015 to
use Jitsi, since that's when I'll get signatures for it.

Signing will take just a few seconds of your time. There's no reason
not to do it.

Understanding that implementing this is NOT a matter of a few seconds is the first step toward reaching a compromise :). We need to put the signing into the build process, test and make sure it works properly. Upload the key to an https location, have a script for that, making sure that it works properly. Yes, it's all trivial and it's still a matter of a few hours :).

This doesn't mean it's not going to happen, it just means that it has to go down our priority list and find a place somewhere.

gpg --export -a yourname gpg -sba jitsi_2.2.4603.9615-1_i386.deb

If you don't want to sign all your different builds individually,
then sha256sum jitsi* > SHA256SUMS gpg -sba SHA256SUMS

OK, this is helpful. Thanks.

Could you please open an issue so that we could all keep track of it?

Yes, we still can't verify that the key is really yours. But signing
your builds forces any attack to be far more prominent and risky.
Please sign. Those of us who need this precaution will appreciate
it.

There you go. One only needs to ask politely

Cheers,
Emil

That does not seem to be true. If one intends to add the Jitsi Debian
package repository to sources.list then one can alternatively consider
to configure apt to use the unstable versions of Jitsi (and only Jitsi)
from the Debian repositories.

(I tend to be more and more convinced that Debian unstable generally is
more secure than stable but that is another discussion

Cheers,
Andreas

Emil Ivov wrote:

Understanding that implementing this is NOT a matter of a few seconds is
the first step toward reaching a compromise :). We need to put the
signing into the build process, test and make sure it works properly
Upload the key to an https location, have a script for that, making sure
that it works properly. Yes, it's all trivial and it's still a matter of
a few hours :).

Ok, can you just do
sha256sum jitsi_2.2.4603.9615-1_i386.deb
and include the output in your reply to the mailing list? Or do
sha256sum jitsi* > SHA256SUMS
and include the contents of SHA256SUMS in your reply.
That will provide effective assurance of package integrity for now, since an attacker trying to selectively forge your mailing list message would run a high risk of detection.

Hello all,

We have added signing the deb packages into the build process. Expect the signatures to appear here: https://download.jitsi.org/jitsi/nightly/debian/signatures/

Thanks,
Pavel Tankov