Skip to content

Commit

Permalink
[Docs] Describe verifying signatures
Browse files Browse the repository at this point in the history
Signed-off-by: Wojtek Porczyk <[email protected]>
  • Loading branch information
woju committed May 7, 2024
1 parent 81d67ad commit 24651ad
Show file tree
Hide file tree
Showing 6 changed files with 305 additions and 0 deletions.
1 change: 1 addition & 0 deletions Documentation/index.rst
Original file line number Diff line number Diff line change
Expand Up @@ -228,6 +228,7 @@ Indices and tables

devel/features
management-team
verify-sig
gramine-users
sgx-intro
glossary
3 changes: 3 additions & 0 deletions Documentation/installation.rst
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,9 @@ option on a dedicated page.
Install Gramine packages
------------------------

For instructions how to verify cryptographic signatures, please see
:ref:`verifying-cryptographic-signatures`.

Debian 12
^^^^^^^^^

Expand Down
262 changes: 262 additions & 0 deletions Documentation/verify-sig.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,262 @@
.. highlight:: none

.. _verifying-cryptographic-signatures:

Verifying cryptographic signatures
==================================

Verifying packages
------------------

APT repositories (for Debian and Ubuntu) are signed with the following GPG key::

pub ed25519 2021-02-17 [SC]
EA3C2D624681AC968521587A5EE1171912234070
uid Gramine Project signing key (2021)
uid Graphene Library OS signing key (2021)

RPM packages (for RHEL derivatives) are signed with the following key::

pub rsa4096 2021-10-29 [SC]
F3FFBE5FC0477DB46E4851E737B04F03659B87AF
uid Gramine Project signing key, RPM (2021)

Verification of the signatures for the packages happens automatically during
repository metadata update or package installation process, and skipping this
verification needs to be done intentionally. :ref:`Package installation
instructions <install-gramine-packages>` describe downloading those keys and
copying them to system's directory, but if you want to trust the key long-term,
you should download this key only once, verify it and keep local, trusted copy
yourself (for example by checking in the file into version control system). For
each reinstall, you should then copy the key from your local store (for example,
in ``Dockerfile`` you should ``COPY`` it, not ``RUN wget -O ...``).

Verifying releases (git tags) and commits
-----------------------------------------

Releases of Gramine are marked with `signed tags
<https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work>`__ by Wojtek
Porczyk::

pub ed25519 2024-02-22 [SC]
9C4D27D9157EF771A4283926044D9664E7A77E16
uid Wojciech Porczyk (Gramine code signing key) <[email protected]>

(woju's first name is „Wojciech” /ˈvɔj.t͡ɕɛx/; „Wojtek” /ˈvɔj.tɛk/ is a |~|
pronounceable diminutive).

The key is available in ``keys/`` subdirectory of the main project's tree.

To verify a |~| tag, you need to import this key into your local trust store:

.. code-block:: sh
git clone https://github.com/gramineproject/gramine.git
gpg --import gramine/keys/woju.asc
Then check the key fingerprint. If you're sure the key is correct, you need to
mark it as trusted.

Trusting the key directly
^^^^^^^^^^^^^^^^^^^^^^^^^

If you don't have you own PGP key pair, you can mark the key as ultimately
trusted::

% gpg --edit-key 9C4D27D9157EF771A4283926044D9664E7A77E16
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub ed25519/044D9664E7A77E16
created: 2024-02-22 expires: never usage: SC
trust: full validity: unknown
[ unknown] (1). Wojciech Porczyk (Gramine code signing key) <[email protected]>

gpg> trust
pub ed25519/044D9664E7A77E16
created: 2024-02-22 expires: never usage: SC
trust: full validity: unknown
[ unknown] (1). Wojciech Porczyk (Gramine code signing key) <[email protected]>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub ed25519/044D9664E7A77E16
created: 2024-02-22 expires: never usage: SC
trust: ultimate validity: unknown
[ unknown] (1). Wojciech Porczyk (Gramine code signing key) <[email protected]>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> save
Key not changed so no update needed.

Note it needs to be ``5 = I trust ultimately``, not even ``4 = I trust fully``.
The description of the difference between those options is beyond the scope of
this document.

.. "beyond the scope" in this context is a politically-correct understatement
Trusting the key using local private key
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If you happen to have your own PGP key pair, you can choose to sign the key with
local signature. This is the procedure supported by GPG tool, because it fits
“web of trust” model::

% gpg --edit-key 9C4D27D9157EF771A4283926044D9664E7A77E16
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub ed25519/044D9664E7A77E16
created: 2024-02-22 expires: never usage: SC
trust: unknown validity: unknown
[ unknown] (1). Wojciech Porczyk (Gramine code signing key) <[email protected]>
gpg> ltnrsign
pub ed25519/044D9664E7A77E16
created: 2024-02-22 expires: never usage: SC
trust: unknown validity: unknown
Primary key fingerprint: 9C4D 27D9 157E F771 A428 3926 044D 9664 E7A7 7E16
Wojciech Porczyk (Gramine code signing key) <[email protected]>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I trust marginally
2 = I trust fully
Your selection? 2
Please enter the depth of this trust signature.
A depth greater than 1 allows the key you are signing to make
trust signatures on your behalf.
Your selection? 1
Please enter a domain to restrict this signature, or enter for none.
Your selection?
Are you sure that you want to sign this key with your
key "TEST DO NOT USE" (0000000000000000)
The signature will be marked as non-exportable.
The signature will be marked as non-revocable.
Really sign? (y/N) y
gpg> save
% gpg -k 9C4D27D9157EF771A4283926044D9664E7A77E16
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 1f, 0u
pub ed25519 2024-02-22 [SC]
9C4D27D9157EF771A4283926044D9664E7A77E16
uid [ full ] Wojciech Porczyk (Gramine code signing key) <[email protected]>

.. no, I don't have "0000000000000000" key
If you know what you're doing, you can use another signing command in place of
``ltnrsign``.

Trusting the key directly (from scripts)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. code-block:: sh
echo 9C4D27D9157EF771A4283926044D9664E7A77E16:6: | gpg --import-ownertrust
Note this option is not very well documented.

Verifying tags
^^^^^^^^^^^^^^

Use either :command:`git tag --verify <tag>` or :command:`git verify-tag <tag>`
to verify tags::

% git tag --verify v1.6.2
object a971e30f3430b4b8079ec42f5d035ced68130bdc
type commit
tag v1.6.2
tagger Wojtek Porczyk <[email protected]> 1710237857 +0100

Gramine 1.6.2
gpg: Signature made Tue 12 Mar 2024 11:04:18 AM CET
gpg: using EDDSA key 9C4D27D9157EF771A4283926044D9664E7A77E16
gpg: Good signature from "Wojciech Porczyk (Gramine code signing key) <[email protected]>" [full]

::

% git verify-tag v1.6.2
gpg: Signature made Tue 12 Mar 2024 11:04:18 AM CET
gpg: using EDDSA key 9C4D27D9157EF771A4283926044D9664E7A77E16
gpg: Good signature from "Wojciech Porczyk (Gramine code signing key) <[email protected]>" [full]

If you fail to mark the key as trusted, you will see instead::

% git tag --verify v1.6.2
object a971e30f3430b4b8079ec42f5d035ced68130bdc
type commit
tag v1.6.2
tagger Wojtek Porczyk <[email protected]> 1710237857 +0100

Gramine 1.6.2
gpg: Signature made Tue 12 Mar 2024 11:04:18 AM CET
gpg: using EDDSA key 9C4D27D9157EF771A4283926044D9664E7A77E16
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: Good signature from "Wojciech Porczyk (Gramine code signing key) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9C4D 27D9 157E F771 A428 3926 044D 9664 E7A7 7E16

Which is **NOT a successful verification**, because the key might be
different. Anyone can generate a |~| key with some first and last name, so
unless you check the fingerprint every single time, you should not trust this
verification with the warning.

Verifying commits
^^^^^^^^^^^^^^^^^

You can use ``--show-signature`` option to ``git log`` command, or ``git
verify-commit`` standalone command::

% git log v1.6.2 --show-signature
commit a971e30f3430b4b8079ec42f5d035ced68130bdc (tag: v1.6.2)
gpg: Signature made Tue 12 Mar 2024 09:34:37 AM CET
gpg: using EDDSA key 9C4D27D9157EF771A4283926044D9664E7A77E16
gpg: Good signature from "Wojciech Porczyk (Gramine code signing key) <[email protected]>" [ultimate]
Author: Wojtek Porczyk <[email protected]>
Date: Mon Mar 11 10:26:34 2024 +0100

Bump version to 1.6.2

Signed-off-by: Wojtek Porczyk <[email protected]>

[...]

::

% git verify-commit a971e30f3430b4b8079ec42f5d035ced68130bdc
gpg: Signature made Tue 12 Mar 2024 09:34:37 AM CET
gpg: using EDDSA key 9C4D27D9157EF771A4283926044D9664E7A77E16
gpg: Good signature from "Wojciech Porczyk (Gramine code signing key) <[email protected]>" [ultimate]
29 changes: 29 additions & 0 deletions keys/RPM-GPG-KEY-gramine-2021
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGF8MKYBEACiozI1ojI7kWOZbVA8tr2lqQzS7cqhqOLxo/+EoajnvYJtCzFb
JwaHczIWLm5bc5FfGWuE0HlqHK2vUi4gkRVrySFJHePnE7dIub1XBGlMTPi95vQj
Y0+jgZjW/Fyqf5Wqh1gSgGZQ/6xYdxpJdsHry7SdvTaQvx+rXbDOj34LQZgHwZet
pwHw8PhKu6RHE4fvL86M6ZWMlnjOQLYUcL2NxSeqFC2TBz2EIm3YtOe196XjuS7n
z3FFRKFsHO4S52VCez8x76e7Aa6rShLNcppIiY7mw9/MXK13t2yiQzW5R0dFYn2o
rsPboeURBc4y9x5Rn59jHFK/ENf52/3nngRe0y/6ZHsl80maX3rEJb3Bv0V4h99h
pyEdqSHIbpNtnFkwpRh9gnkfPCr1rMi32nb5QKkJtjchkSlYbI5wZOCPVwM3SFO2
vaC+pcD+y9lnlNmYlnK+CB2a4NDAasjhH6rxVPH4T/cpNyoQcFyHJXHpnwjrU6Z2
q8DKB0Ot7k0fTeclgXOlgi/JVVWUxzQlExhF1pCM7EBhaXEd+XykTAdrV4Fye3qV
hX4vJS28+zZC2cJ+7m20t/aPgDh0m4eVTvwnUHIlv7w8fWoGB2YPlj1qsjM1YVr6
ZhqEKIWaRzPx4W4gUT0hCh94pPFfzYGxWKpxysfeXRLJLmMPEFC1braS8QARAQAB
tCdHcmFtaW5lIFByb2plY3Qgc2lnbmluZyBrZXksIFJQTSAoMjAyMSmJAk4EEwEK
ADgWIQTz/75fwEd9tG5IUec3sE8DZZuHrwUCYXwwpgIbAwULCQgHAgYVCgkICwIE
FgIDAQIeAQIXgAAKCRA3sE8DZZuHr2+9D/9dUXjNiF56E/h6tZ3EA/GQ3qoL0yTf
kflBaj6jrjLqGugfU3G6GU8YmTe0k5mU15Tfz1Cy0M44XfL1ZGxgyh6VkFC1BZya
hSEeA1F6q/kMzfh+QgKJPSCzv+08UrLeQzDhGOxjHCeuw09ZuXYA+CQxxAvAhmmn
7gjIShtT2agZgWWR1t1z2dxOlLd9c1BKoZWBiBWdNqe7/SeNR9hWerBXmImwGRns
GUCPmjf8UCEf3qnu3z9tDEhtNBVQZfoYngEvFe3gQ33qtAT2XqJfyF6S+KiZeew3
xHxCKwutB4V+4yZfJI1vbECuq31z2ehpRt3Qtf6d+WBUyvcQQS9WCZa3Zd7jwehV
y+Hn+Rq8+p9eIVGM5IIFhrwpk5Ol6LnLAFLEqsBG8GUfqgEb2Nhbem/JXrrQDWpH
1mqKTwCaq+tyT3X2zG20x+hXZrRaa3hdsIh6itz9BSIDgTbhg849Mt7Gdl67ZYyL
E+BiY1BCScK+ho7Jhrs/dd1VvwlvUvnDEtDMEYiFwwOKxt06OvECswqgRS2I0yiI
lktL6e8tGWJ3ChA88YqIoMlxeGVJjsHujhCxf/go5uywjKU/bOa3BvK1dl4Iqrjs
oNgK/8ma+WaqqBvV5xxQMcAbG5DbBS62yTP7wIo7avC2ysnZ2bvCqPBBOFUALHpo
8Hj+IGSdNBvohA==
=YGIm
-----END PGP PUBLIC KEY BLOCK-----
Binary file added keys/gramine-2021.gpg
Binary file not shown.
10 changes: 10 additions & 0 deletions keys/woju.asc
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEZddGHBYJKwYBBAHaRw8BAQdABw5QYoz7eYxTsxB3/p4ZHCUHljSlrv4Te356
5DdLoFW0SVdvamNpZWNoIFBvcmN6eWsgKEdyYW1pbmUgY29kZSBzaWduaW5nIGtl
eSkgPHdvanVAaW52aXNpYmxldGhpbmdzbGFiLmNvbT6IkAQTFggAOBYhBJxNJ9kV
fvdxpCg5JgRNlmTnp34WBQJl10YcAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA
AAoJEARNlmTnp34WOo0BANYd2MskFoXouU9Xmy28gtdYCiTwwDvoTs2yqbtLGiVd
AQD1BurfwLT5MPfATJfhJig2UHDipVYk5a800hl50PTzAw==
=tp66
-----END PGP PUBLIC KEY BLOCK-----

0 comments on commit 24651ad

Please sign in to comment.