This repository was archived by the owner on May 28, 2019. It is now read-only.

Conversation

@dkowis
Contributor

@dkowis dkowis commented Feb 12, 2013

This covers the public facing parts, and provides signature verification
of people who are able to sign artifacts, and connects it to a single
key that has yet to be drafted. Right now the list is just signed with
my personal key, to demonstrate.

@os97673
Contributor

os97673 commented Feb 12, 2013

Just to verify if I've got the process correctly:

  • as a new Cucumber releaser I need to create a key which I'm going to use to release Cucumber and send it to the Cucumber core team (through a pull request).
  • as a member of the Cucumber core team I should sign the key I receive from a new releaser.

Have I got the process correctly?
If so I think it would be nice to have some commands which describe more precisely how to sign the key.
I do understand that this is a kind of "how to" question, but I suspect most people seldom do this, thus it is important to do this right.

@dkowis
Contributor Author

dkowis commented Feb 12, 2013

Yeah that process is correct.

When I have time this evening, hopefully, I'll update it with more specific commands, although they can be found in the GPG manual.

@ilanpillemer
Contributor

I am feeling confused about all of this. What's the value add for adding all this complexity?
My key seems secret enough to me.

But I really don't understand all this stuff... so maybe I am just a confused clown?

@dkowis
Contributor Author

dkowis commented Feb 13, 2013

Well, how do I verify that you are an authorized releaser of the Cucumber products? What if you just modified the page? What if you managed to man-in-the-middle someone and present a fake page that makes you look like a legitimate Cucumber artifact signer? How can I verify that you really are on the list of people allowed to release Cucumber artifacts?

Your key proves that you signed the release. The Cucumber-key-signed list of keys shows that the Cucumber team is made up of those keys listed, thus providing a chain of trust that is easy to modify from the Cucumber team out to your individual key.

The Cucumber key's public component is shared in places that aren't owned by us, as well as places owned by us. It's a known constant that won't change that often, thus it can be reasonably well trusted. The keys from developers may change as developers cycle in and out. Rather than replace the Cucumber key every time someone leaves or joins the team, we let you use your own key, but we provide a verifiable list that anyone can verify against the Cucumber key, and know that the key used by a particular developer is an authorized releaser of the key, and they can trust that the artifact is a Real Genuine Cucumber Artifact (tm). Not just one that someone compiled and added malware to, like when Sonatype got hacked recently, or when RubyGems got compromised, or when node's package manager got compromised.

The complexity is only every now and then, when a new developer is added to the people who can make releases. And then it just boils down to: 1. Make a key. 2. Have someone with the Cucumber secret key update the list. 3. Start releasing things.

For your normal release, you'll sign your artifacts with your key, and that's all you have to do. Establishing the chain of trust is what this is about.

I typed lots of words, did it help clear things up, or have I made it more confusing?
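The chain of trust described in this comment, as an added illustration that is not part of this pull request: Ruby's OpenSSL RSA signatures stand in for GPG, and every key and fingerprint here is constructed on the fly (no real Cucumber or developer keys). The verifier trusts only the project public key; everything else is checked through it, including the "what if you just modified the page" case.

```ruby
require 'openssl'

# Fingerprint a public key the way a published keylist would carry it:
# a hex SHA-256 of its DER encoding (a constructed stand-in for a GPG fingerprint).
def fingerprint(pubkey)
  OpenSSL::Digest.new('SHA256').update(pubkey.to_der).hexdigest
end

def sign(key, data)
  key.sign(OpenSSL::Digest.new('SHA256'), data)
end

def verify(pubkey, sig, data)
  pubkey.verify(OpenSSL::Digest.new('SHA256'), sig, data)
end

# Step 2 of the thread: someone holding the project key signs the list of
# authorized releaser fingerprints. Developers come and go; the project key does not.
def publish_keylist(project_key, releaser_pubkeys)
  list = releaser_pubkeys.map { |k| fingerprint(k) }.join("\n")
  { list: list, sig: sign(project_key, list) }
end

# Verifier side. Returns :ok, or a symbol naming the link in the chain that broke.
def verify_artifact(project_pub, keylist, releaser_pub, artifact, artifact_sig)
  # (a) the keylist itself must be signed by the project key (a modified page fails here)
  return :bad_keylist_sig unless verify(project_pub, keylist[:sig], keylist[:list])
  # (b) the releaser's fingerprint must appear on that signed list
  return :unauthorized_releaser unless keylist[:list].split("\n").include?(fingerprint(releaser_pub))
  # (c) the artifact signature must verify under the releaser's key
  return :bad_artifact_sig unless verify(releaser_pub, artifact_sig, artifact)
  :ok
end

def demo
  project = OpenSSL::PKey::RSA.new(2048)       # held by the core team
  alice   = OpenSSL::PKey::RSA.new(2048)       # authorized releaser
  mallory = OpenSSL::PKey::RSA.new(2048)       # not on the list
  keylist = publish_keylist(project, [alice.public_key])
  gem     = "constructed gem bytes"
  # A forged page: Mallory appends her fingerprint but cannot re-sign with the project key.
  forged  = { list: keylist[:list] + "\n" + fingerprint(mallory.public_key), sig: keylist[:sig] }
  {
    genuine:     verify_artifact(project.public_key, keylist, alice.public_key,   gem, sign(alice, gem)),
    impostor:    verify_artifact(project.public_key, keylist, mallory.public_key, gem, sign(mallory, gem)),
    forged_list: verify_artifact(project.public_key, forged,  mallory.public_key, gem, sign(mallory, gem)),
    tampered:    verify_artifact(project.public_key, keylist, alice.public_key,   gem + "!", sign(alice, gem))
  }
end
```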

@mattwynne
Contributor

On 13 Feb 2013, at 20:56, David Kowis notifications@github.com wrote:

I typed lots of words, did it help clear things up, or have I made it more confusing?

My personal take-away from that was that you know what you're doing, and I trust you to do this right.

Just let me know what I need to do. My experience level with this GPG stuff is novice at best.

@ghost ghost assigned dkowis Feb 25, 2013
@dkowis
Contributor Author

dkowis commented Mar 16, 2013

Does this explain sufficiently what one would need to do? Or perhaps does everyone think it's too complex for the amount of risk we have? Security is a trade-off for risk vs reward. If the risk is high, we should have lots of security, if the risk is low, we don't need as much. What do you guys think? If this is too complicated, we can continue operating as we have been :)

@os97673
Contributor

os97673 commented Mar 16, 2013

I think one thing is clear: we must sign the gem to help users avoid problems with a malicious gem they could get from a hacked RubyGems :(
I'd suggest trying this approach since it looks reasonable, and if we find that it is too complicated in real life we will simplify it.

@mattwynne
Contributor

Can we start signing the production gems like Cucumber-Ruby and Cucumber-Rails now? What would we need to do to make that happen?

@os97673
Contributor

os97673 commented Mar 16, 2013

@mattwynne I think we need a master key for the gem we are going to sign, and after that follow the instructions from this PR.

@dkowis
Contributor Author

dkowis commented Mar 16, 2013

There would need to be the project key, used to sign the page of key fingerprints that are our keys. And that key page would need to be on cukes.info so people can go verify if they want. And then anyone whose fingerprint is on that page can sign the artifact.
