Homebrew / legacy-homebrew

💀 The former home of Homebrew/homebrew (deprecated)
https://brew.sh

Proposed solution for supporting PGP signed packages #22238

Closed hellais closed 11 years ago

hellais commented 11 years ago

After reading up on the issue discussed by @mikemcquaid @adamv @jacknagel @postmodern https://github.com/mxcl/homebrew/issues/15631, I decided to think a bit about how to add some better security to package installations done via homebrew.

I have come up with the following strategy that I am currently working on implementing. Every formula will have two extra attributes called pgp_key_fingerprint and pgp_signature_url.

When you download a formula that has such an attribute, you shall look at this value, look up the corresponding PGP key fingerprint from the keyservers and (perhaps optionally at the beginning, but customisable to be more annoying via config file) it will inform the user that we have learned about this package being signed by this key for the first time.

The user shall then accept the key the first time (or manually verify the fingerprint out of band) and this key fingerprint will be stored inside of a local registry (the Keyring).

The keys inside the keyring are mapped one to one with the formula name.

Example:

Formula/formula1.rb
Formula/formula2.rb
Formula/formula3.rb

Keyring/formula1.json
Keyring/formula2.json
Keyring/formula3.json

Each keyring item is a JSON like data structure that looks as follows:

Keyring/formula3.json

{
    "publicKey": "<BASE64EncodingOfThePubKey>",
    "formula": "formula3",
    "keyFingerprint": "DEADBEEF01234567890DEADBE",
    "keyID": "DEADBEEF"
}

If a certain package has a corresponding Keyring item then the formula must have the two attributes pgp_key_fingerprint and pgp_signature_url.

We will then look at the pgp_key_fingerprint value and make sure it matches our local copy of it. If it does not match we will display a big warning telling the user that the key fingerprint has changed and that they should verify it and if they do not know what is going on they should not proceed.

The user should also be able to set a flag inside of homebrew that prevents homebrew from installing packages that do not have a pgp_signature. This flag should be disabled by default at the beginning, but I would identify a path towards making it enabled by default.

What do you think about this approach?

hellais commented 11 years ago

Two notes:

hellais commented 11 years ago

Thinking a bit more about this I realised that it is insufficient to just have a signature URL inside of the definition of the Formula. We must actually sign Formulas.

This means that the system will work more or less as above described, but we will have another directory called Signatures, that will be one for each of the Formulas. The signature for the Formula shall be updated any time the formula is changed.

The author of the formula will therefore be responsible for signing every new release of it. Since the hash should have been validated by the author of the formula we can just root the trust there.

MikeMcQuaid commented 11 years ago

Paging @jacknagel. From my perspective this is going to require far too much user intervention and pull request overhead to work, I'm afraid.

jacknagel commented 11 years ago

We definitely aren't going to start requiring formula updates to be signed.

postmodern commented 11 years ago

I would be happy with just pgp_key_id and pgp_fingerprint_url attributes in a formula, which would be used to verify the downloaded package. Ensuring the integrity of the formula is the responsibility of homebrew, not the formula author.

adamv commented 11 years ago

We're not going to start signing formula in core or taps that we manage.

We would review a minimal pull request that added two empty properties to formula, for use by third party brew commands, though it would have to have copious documentation on the approach being used.