Hacker News new | ask | show | jobs
by yencabulator 1249 days ago
Via signed Git tags?

  object 19cc035b6c6f2283573d29c7ea7f7d675cf750ce
  type commit
  tag openssl-3.0.7
  tagger Tomas Mraz <tomas@openssl.org> 1667335515 +0100

  OpenSSL 3.0.7 release tag
  -----BEGIN PGP SIGNATURE-----

  iQJGBAABCAAwFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmNhhWASHHRvbWFzQG9w
  ZW5zc2wub3JnAAoJEFJ0ZqIcp55tZRkQAJKQ35fUFQ3Wfuj4vbNQNX0Iv/c11q9o
  7Li8A8ananoYhnW9tpVTfpBCHAbE/fvwY3TMCE6IzBsRcjjef1CAqtEEDYI39aEt
  Nr00hUTVQeeH95viYMhmelq6axjkX8dGjfZBufZPJzrKrrj/eZLfmL3A1nZ9yYeF
  MCTxzpcOtaanJQ35h1Ayx3Hj1mcfTixGZR1drlJa5pDoF3y40ysxt/3ZYRD0Z/hO
  NbQ5QK/GPjnBheJaha6X7BoGgMRzXCfVSqtP/hE2Szzdq3nkZbWuDYw8EQ+Nr8Ni
  Q0BIIZLQbTYf4lmTXMbZdgUFq9/vSFNuz2IudDGiHrVfV1HZrZigHly61gqaXhjF
  Uir2LjMEgMr7D4O0udM6RnR7A1Wn3++sc8m3bGHYj+j+oSHSiKpZ0yxKbGY0TITL
  1/vJMBZe46rW2qQi8WI4fkRnyRVc+L19AHqHYeA9XHMWKFgRKgHlf+yf2ysPKsD6
  lGYCFwLJrlec/Sq4mbwe59JwtQbf4LHUQ4k+M1Cr5q04WegMH/nFjOanv8Ehs1Se
  WqJZD/1O+p8Go71g7c8kJ9QYiHkkr/xgs8BF7WMlNw7df5za6V1Ns/VCMSfQ9HF8
  SlODL7NBffQr0A9rGD/AueN2pATzv1p90/Cz5VCIWRfCHMN6EmurdGcSJkSXRbjY
  SDAGDysitYmo
  =/eQF
  -----END PGP SIGNATURE-----
1 comments
woodruffw 1249 days ago
And how, pray tell, are you downloading those signatures? Or the public keys corresponding to them, for that matter, if you don't have them locally already (and, if you do, why do you trust them given that your transport layer has been compromised?)

Besides: if you actually verify `git` signatures, you can count yourself in a club of less than a dozen people who bother. That isn't to say that you're wrong to, just that an optional signature is, to a first approximation, as useful as not signing at all.

link
yencabulator 1249 days ago
The public keys for those signatures have already been downloaded by any vendor who knows what they're doing; a new TLS forgery vulnerability won't really hurt there.

Or, let's put it this way: If you don't bother with the signatures, a TLS forgery likely isn't the easiest way to feed you a fake openssl release, hijacking an account or hacking Github et al are.

Also, Github itself verifies Git signatures, and the maintainers seem to have Github's "vigilant mode" on.

link