Re: [cbi-dev] Eclipse Foundation public PGP key?
If I understand correctly, the main motivation behind using GPG signatures rather than jarsigner is to avoid touching the jars. Is that right?
I have the feeling that you want to replicate a Chain of Trust (à la SSL/TLS) with GPG. GPG is based on a Web of Trust concept and shall not be used to replicate Chains. It does not mean that GPG should be used to sign artifacts and use this system rather than jarsigner. I just want to outline that the implications of such a change are rather broad, and it's easy to miss something that would make the whole solution much less secure than what it's aiming to be.
To reply to your question, we have a "webmaster" GPG keypair and we provide to any project its own GPG keypair. We sign the project's public key we provide with the webmaster's key to initiate the web of trust. We advise committers to sign both the webmaster's and the project's public keys. We don't provide a single key to everyone because GPG is not meant to be used like that.
The webmaster's public key is http://keys.gnupg.net/pks/lookup?op=vindex&fingerprint=on&search=0x9FA2B7299F51E543
- How do you trust the webmaster key initially? If it becomes your effective root cacert, it needs to be trusted by the end user in some way. When you visit a website, you trust the website's certificate because you trust your OS (or the JVM) to have a non-tampered root CA list. If the root CAs are delivered by the website, it is hard to trust anything. The only way to do this properly with GPG is to rely on the user's GPG keyring, hence requiring GPG to be installed on their system... And trusting a GPG key is not something to be considered lightly: it is easy to do typosquatting on public key servers. See https://www.gnupg.org/gph/en/manual/x334.html
- How do you handle time stamping? AFAIK, currently GPG does not support trusted signature timestamping. It means that you cannot trust a signature after the keys used to sign it have been revoked or have expired (while with the current jarsigner signature, you can trust a signature if it has been made while the certificate was valid). This is a big issue, esp. in the case of a compromised key. See https://bugs.eclipse.org/bugs/show_bug.cgi?id=263708 for the reasoning why using a TSA was requested initially.
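As an added illustration of the time-stamping point in the message above (example code written for this page, not the Eclipse CBI project's, GnuPG's or jarsigner's own verification logic), the following model compares the two verification policies on a constructed key-compromise scenario. The key, the signatures, the dates and the bug-style scenario are all made up; the policies are simplified to the single question the message raises: can a verifier still accept a signature once the signing key has been revoked?

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical model (constructed for this example): one signing key with a
# validity window and an optional revocation time, and signatures carrying
# either only a self-asserted creation time (as a plain OpenPGP signature
# does) or, in addition, a time attested by an independent trusted
# time-stamping authority (TSA), as a jarsigner signature with -tsa does.


def ts(s: str) -> datetime:
    """Parse a constructed ISO date into an aware UTC datetime."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class SigningKey:
    key_id: str
    valid_from: datetime
    valid_until: datetime
    revoked_at: Optional[datetime] = None  # set once the key is known compromised

    def was_valid_at(self, t: datetime) -> bool:
        """Key usable at time t: inside its window and not yet revoked."""
        if not (self.valid_from <= t < self.valid_until):
            return False
        return self.revoked_at is None or t < self.revoked_at


@dataclass(frozen=True)
class Signature:
    artifact: str
    key_id: str
    claimed_time: datetime               # chosen by whoever held the private key
    tsa_time: Optional[datetime] = None  # attested by a third party, if present


def trusted_without_tsa(sig: Signature, key: SigningKey, now: datetime) -> bool:
    """No trusted time: the claimed time is attacker-controllable after a
    compromise, so the only safe rule is that the key must be valid *now*."""
    return sig.key_id == key.key_id and key.was_valid_at(now)


def trusted_with_tsa(sig: Signature, key: SigningKey, now: datetime) -> bool:
    """Trusted time: accept if the key was valid at the TSA-attested moment,
    even though the key may have expired or been revoked since."""
    if sig.key_id != key.key_id or sig.tsa_time is None:
        return False
    return key.was_valid_at(sig.tsa_time)


# Constructed scenario: a project key, compromised and revoked mid-life.
KEY = SigningKey("DEADBEEF", ts("2014-01-01"), ts("2016-01-01"),
                 revoked_at=ts("2015-06-01"))

# A legitimate release signed before the compromise, time-stamped by a TSA.
LEGIT_SIG = Signature("release-1.0.jar", "DEADBEEF",
                      claimed_time=ts("2015-01-15"), tsa_time=ts("2015-01-15"))

# A signature made with the stolen key after the compromise. The attacker
# backdates the self-asserted time, but a TSA will only attest the real time.
AFTER_COMPROMISE_SIG = Signature("release-1.1.jar", "DEADBEEF",
                                 claimed_time=ts("2015-01-20"),
                                 tsa_time=ts("2015-07-01"))


def run_scenario(now: datetime = ts("2015-08-01")) -> dict:
    """Evaluate both signatures under both policies at the given 'now'."""
    return {
        "without_tsa": {
            "legit": trusted_without_tsa(LEGIT_SIG, KEY, now),
            "after_compromise": trusted_without_tsa(AFTER_COMPROMISE_SIG, KEY, now),
        },
        "with_tsa": {
            "legit": trusted_with_tsa(LEGIT_SIG, KEY, now),
            "after_compromise": trusted_with_tsa(AFTER_COMPROMISE_SIG, KEY, now),
        },
    }


if __name__ == "__main__":
    for policy, results in run_scenario().items():
        print(policy, results)
```

Running the scenario after the revocation shows the trade-off: without a trusted timestamp the verifier has to reject both signatures, so every artifact ever signed with the key becomes untrusted once it is revoked; with a TSA the pre-compromise release stays trusted and the backdated post-compromise one is still rejected, because the attested time falls after the revocation.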