
gh-action: give some feedback whether the submission was correctly signed #32

Merged (1 commit, Aug 5, 2022)

Conversation

@umlaeute (Contributor) commented Aug 5, 2022

try resolving the Debian username (from their @debian.org email in the PGP data), and add a comment telling them to stay tuned (and printing out their Debian username)

@umlaeute umlaeute merged commit 1b4fec2 into Debian:master Aug 5, 2022
@umlaeute umlaeute deleted the feature/positive-feedback branch August 5, 2022 14:14
@umlaeute (Contributor, Author) commented Nov 5, 2024

@charles-plessy asked in #65 (comment) how this actually works.
in order to not spam the issue, i'm adding the explanation here.


the goal is to check whether a new applicant has correctly signed their submission with their Debian GPG key.

  1. the user is required to submit some text that is signed with their GPG-key in the "Join" form.
  2. the bot then extracts this signed text into a file, e.g.:
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512
    
    Please add me (Debian user ([email protected]} to this organization
    -----BEGIN PGP SIGNATURE-----
    
    iHUEARYKAB0WIQTdFzjfLGn8URFmteMDXuYJgEtROQUCZyi5ZAAKCRADXuYJgEtR
    OU0wAQCy4w8RO/mjqqwKbN0NB8NOUmaEQy64TUp5G3ZKdTD7lQEAh2OQa4wgCTdo
    3UYP0pAed7IcO/4N/8z40Q5KbO3J7A0=
    =LuKx
    -----END PGP SIGNATURE-----
    
  3. we do a test-verification of the above file, with gpg --verify file.txt
  4. typically, this will yield an error:
    $ gpg --verify --status-fd 1 file.txt
    [GNUPG:] NEWSIG
    gpg: Signature made Mon Nov  4 13:09:08 2024 CET
    gpg:                using EDDSA key DD1738DF2C69FC511166B5E3035EE609804B5139
    [GNUPG:] ERRSIG 035EE609804B5139 22 10 01 1730722148 9 DD1738DF2C69FC511166B5E3035EE609804B5139
    [GNUPG:] NO_PUBKEY 035EE609804B5139
    gpg: Can't check signature: No public key
  5. from the error message (the line containing ERRSIG), we extract the keyID (here DD1738DF2C69FC511166B5E3035EE609804B5139)
    • in theory it could also be successful, in which case we extract the key from the success message (a line containing VALIDSIG)
  6. now that we have the (long) keyID, we fetch the public key from the debian key server:
    gpg --keyserver keyring.debian.org --recv-keys "$key"
    • this will only succeed, if the user actually has their key on the Debian keyserver (and therefore they are a DD)
  7. now that we have imported the public key, we try verifying again
    $ gpg --verify file.txt
    gpg: Signature made Mon Nov  4 13:09:08 2024 CET
    gpg:                using EDDSA key DD1738DF2C69FC511166B5E3035EE609804B5139
    gpg: Good signature from "Jonathan Wiltshire <[email protected]>" [unknown]
    gpg:                 aka "Jonathan Wiltshire <[email protected]>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: CA61 9D65 A72A 7BAD FC96  D280 1964 18AA EB74 C8A1
         Subkey fingerprint: DD17 38DF 2C69 FC51 1166  B5E3 035E E609 804B 5139
    
  8. if this succeeds, we have successfully verified that the user is indeed an active Debian Developer

in case of success, we add a nice comment to the issue, that everything went well. for extra nicety, we also get the Debian username by checking for an email-address within the key, that has debian.org in the domain.
if this fails, the bot closes the issue with the error message "unable to verify".

In practice we use a throw-away local keyring by adding --homedir mygpg to the gpg invocation (and making sure that this directory is empty and has the correct permissions (rm -rf mygpg; mkdir -v -m 0700 mygpg))¹

¹ and i just discovered (and fixed in ccd3e1d) that there is a typo in my script, which will actually remove the wrong directory:

rm -rf mypgp
mkdir -v -m 0700 mygpg
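The eight steps above as one runnable script; this is an added example, not the action's own code. The keyring directory name mygpg is taken from the comment, while the function names, the feedback text and the sample uid records in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not the action's own script: the verification flow from the
# comment above. Function names and the feedback wording are assumptions.
set -eu

# Pull the signing key's fingerprint (long key ID) out of 'gpg --status-fd 1'
# output: from ERRSIG when the key is unknown, from VALIDSIG when it is present.
# Older gpg omits the fingerprint on ERRSIG, so fall back to the short key ID.
extract_keyid() {
    awk '/^\[GNUPG:\] ERRSIG /   { print ($9 != "" ? $9 : $3); exit }
         /^\[GNUPG:\] VALIDSIG / { print $3; exit }'
}

# Reads 'gpg --with-colons --list-keys' records on stdin and prints the local
# part of the first @debian.org address found in a uid record (field 10).
debian_username() {
    awk -F: '$1 == "uid" && match($10, /<[^<>@]+@debian\.org>/) {
        s = substr($10, RSTART + 1, RLENGTH - 2); sub(/@.*/, "", s); print s; exit }'
}

# $1: file holding the pasted clear-signed text. Prints the feedback line on
# success; on any failure prints the reason to stderr and returns 1.
verify_submission() {
    file=$1
    # throw-away keyring, empty and mode 0700: nothing is trusted beforehand
    rm -rf mygpg && mkdir -m 0700 mygpg
    gpg="gpg --homedir mygpg --batch --no-tty"
    status=$($gpg --status-fd 1 --verify "$file" 2>/dev/null || true)
    key=$(printf '%s\n' "$status" | extract_keyid)
    [ -n "$key" ] || { echo "unable to verify: no PGP signature found" >&2; return 1; }
    # the trust decision lives here: only keys on keyring.debian.org are fetched
    $gpg --keyserver keyring.debian.org --recv-keys "$key" >/dev/null 2>&1 \
        || { echo "unable to verify: $key is not on keyring.debian.org" >&2; return 1; }
    # the second run must now yield GOODSIG (rather than ERRSIG or BADSIG)
    $gpg --status-fd 1 --verify "$file" 2>/dev/null | grep -q '^\[GNUPG:\] GOODSIG ' \
        || { echo "unable to verify: signature does not check out" >&2; return 1; }
    user=$($gpg --with-colons --list-keys "$key" 2>/dev/null | debian_username)
    echo "Thanks ${user:-unknown DD}, your key was verified; stay tuned."
}

if [ $# -gt 0 ]; then verify_submission "$1"; fi
```

The two parsing helpers work on plain text, so they can be exercised with captured status lines without a keyring or network access; only verify_submission needs gpg and keyring.debian.org.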

@umlaeute (Contributor, Author) commented Nov 5, 2024

so to conclude:

  • while the join-template tells the user to put their @debian.org email address into the signed body (thus exposing their Debian username), they really can put there whatever they want (e.g. an echo | gpg --clear-sign would do just as well)
  • the only thing that is important is that
    • the body is signed with a key that is found on keyserver.debian.org
    • the pasted text is a valid pgp-signed message

the entire trust is in keyserver.debian.org (well, to the best of my knowledge; i'm not really a security expert)
