[Verifpal] New Code Signing PGP Key and Code Signing Policy Update

Nadim Kobeissi nadim at symbolic.software
Thu May 21 10:18:46 CEST 2020


Here is a signed copy of the previous email. Should’ve done this with the original!

----

Hello everyone,

As Verifpal matures, I have been gradually ratcheting up the code assurance practices of Verifpal software. As of yesterday, there is a new PGP key being used to sign Verifpal source code repository commits:

pub   ed25519 2020-05-20 [SC] [expires: 2025-05-19]
      312DBB2BC13D5890E590E88FBA1E9B7A69D40495
sub   ed25519 2020-05-20 [A] [expires: 2025-05-19]
sub   cv25519 2020-05-20 [E] [expires: 2025-05-19]

The full PGP key is included at the end of this email.

The difference between this code signing key and the previous key is that the new key was generated on and functions entirely off of a HSM.

What you should expect to be signed:
    - Any and all git commits to the Verifpal repository (and related repositories) made by me.
    - Git tags.

What you should not expect to be signed:
    - Git release binaries of Verifpal. [0]
    - Automated commits by the CI/CD server with the sole purpose of updating Homebrew and Scoop manifests. They always look exactly like this [1] [2].

We aren't signing git tags and release binaries because releases are compiled and pushed on GitLab, Homebrew, Scoop and Snapcraft via our CI/CD server, which is remote and does not have physical access to the HSM. While it is regrettable that direct signing on releases is not possible, this is to an extent mitigated by Go's native support for reproducible builds, which I hope is further bolstered by the recent addition of the -trimpath Go build parameter [3]. By producing your own builds of Verifpal from code-signed source code commits and matching them up with the released binaries, you can obtain a level of assurance over the integrity of the release binaries.

References:
[0] https://source.symbolic.software/verifpal/verifpal/-/releases
[1] https://source.symbolic.software/verifpal/verifpal/-/commit/5af47cd6488e0480eedef84207a847013f19f0d6
[2] https://source.symbolic.software/verifpal/verifpal/-/commit/d9e702ac119ae9504181355b1c56cee419a46751
[3] https://source.symbolic.software/verifpal/verifpal/-/commit/898128458f6056fedc8a5a04f555781127ea8f74

The full new PGP key:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEXsTfDBYJKwYBBAHaRw8BAQdAYmn6SPuvCoVDYSE3hs7JThbC6JvRgdokiyO3
7AxadkO0IE5hZGltIEtvYmVpc3NpIDxuYWRpbUBjdXJlNTMuZGU+iJYEExYIAD4W
IQQxLbsrwT1YkOWQ6I+6Hpt6adQElQUCXsTgpwIbAwUJCWYBgAULCQgHAgYVCgkI
CwIEFgIDAQIeAQIXgAAKCRC6Hpt6adQElZpwAPkBWNq0KcwhTOynsw+soKHKAR3F
P0ME/zJgMbw6KwI7EgD/abOrTSPnqsNSy2OPh7SNj7hkBP2uHN67uOE6Q005RgS0
JU5hZGltIEtvYmVpc3NpIDxuYWRpbUBuYWRpbS5jb21wdXRlcj6ImQQTFggAQQIb
AwUJCWYBgAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBDEtuyvBPViQ5ZDoj7oe
m3pp1ASVBQJexOK5AhkBAAoJELoem3pp1ASVxnoA/i95I9WriDiQpSv0OfNNmali
MKoAT/oWFO7TBbGegJx7AP43OhEW4tuWzwdA+thJhdEsEoRm8TLrGz4qrpY4RDka
C4iWBBMWCAA+FiEEMS27K8E9WJDlkOiPuh6bemnUBJUFAl7E3wwCGwMFCQlmAYAF
CwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQuh6bemnUBJXgXwD/ZBhj64lly1jX
KLGGY1CO+UJNgGCQbU+j2idqnYORL30A/11sz2Ynch+wyI/hSm+/XuGRK8QCGcny
ZoxveBTFAa8KtChOYWRpbSBLb2JlaXNzaSA8bmFkaW1Ac3ltYm9saWMuc29mdHdh
cmU+iJYEExYIAD4WIQQxLbsrwT1YkOWQ6I+6Hpt6adQElQUCXsTgoAIbAwUJCWYB
gAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC6Hpt6adQEla5pAP9JcbsYqZXi
YryY4kY/OnRFTUiRzYDGmYEfLuI2Qw/oaAEAt2xOlbZz2YH8zTbHSyDcvQji0D2b
30L+irhsaPbIMAS4MwRexN8MFgkrBgEEAdpHDwEBB0C07CLXn/sfQOp0GYaq0lN3
xavi/9TZoLPjVsaDyu5TG4h+BBgWCAAmFiEEMS27K8E9WJDlkOiPuh6bemnUBJUF
Al7E3wwCGyAFCQlmAYAACgkQuh6bemnUBJXNIQEAl6QJENgUzdQrlTUv4U97lAnC
vo9bZqHbyUfmfkgm7HUBAOmpXf9In28/rS3FTVi5H78+y9PkYrf+ns3Y6QMQ2rwG
uDgEXsTfDBIKKwYBBAGXVQEFAQEHQBKnNbcOdNy1TPWmLgqgEAgXoG3G9KgdauUz
Ih/hKcofAwEIB4h+BBgWCAAmFiEEMS27K8E9WJDlkOiPuh6bemnUBJUFAl7E3wwC
GwwFCQlmAYAACgkQuh6bemnUBJUYIAD+K00G3DZ68K6vE3xMpqdR6rG2Hf0Eyy7s
qUke517ubZcBAL+p+mCwdyaeSp5u6YSLKcMP52RxciHbSlyeIGXrp7IF
=wtv+
-----END PGP PUBLIC KEY BLOCK-----


Nadim Kobeissi
Symbolic Software • https://symbolic.software

> On 21 May 2020, at 10:14 AM, Nadim Kobeissi <nadim at symbolic.software> wrote:
> 
> Hello everyone,
> 
> As Verifpal matures, I have been gradually ratcheting up the code assurance practices of Verifpal software. As of yesterday, there is a new PGP key being used to sign Verifpal source code repository commits:
> 
> pub   ed25519 2020-05-20 [SC] [expires: 2025-05-19]
>       312DBB2BC13D5890E590E88FBA1E9B7A69D40495
> sub   ed25519 2020-05-20 [A] [expires: 2025-05-19]
> sub   cv25519 2020-05-20 [E] [expires: 2025-05-19]
> 
> The full PGP key is included at the end of this email.
> 
> The difference between this code signing key and the previous key is that the new key was generated on and functions entirely off of a HSM.
> 
> What you should expect to be signed:
>     - Any and all git commits to the Verifpal repository (and related repositories) made by me.
>     - Git tags.
> 
> What you should not expect to be signed:
>     - Git release binaries of Verifpal. [0]
>     - Automated commits by the CI/CD server with the sole purpose of updating Homebrew and Scoop manifests. They always look exactly like this [1] [2].
> 
> We aren't signing git tags and release binaries because releases are compiled and pushed on GitLab, Homebrew, Scoop and Snapcraft via our CI/CD server, which is remote and does not have physical access to the HSM. While it is regrettable that direct signing on releases is not possible, this is to an extent mitigated by Go's native support for reproducible builds, which I hope is further bolstered by the recent addition of the -trimpath Go build parameter [3]. By producing your own builds of Verifpal from code-signed source code commits and matching them up with the released binaries, you can obtain a level of assurance over the integrity of the release binaries.
> 
> References:
> [0] https://source.symbolic.software/verifpal/verifpal/-/releases
> [1] https://source.symbolic.software/verifpal/verifpal/-/commit/5af47cd6488e0480eedef84207a847013f19f0d6
> [2] https://source.symbolic.software/verifpal/verifpal/-/commit/d9e702ac119ae9504181355b1c56cee419a46751
> [3] https://source.symbolic.software/verifpal/verifpal/-/commit/898128458f6056fedc8a5a04f555781127ea8f74
> 
> The full new PGP key:
> 
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> 
> mDMEXsTfDBYJKwYBBAHaRw8BAQdAYmn6SPuvCoVDYSE3hs7JThbC6JvRgdokiyO3
> 7AxadkO0IE5hZGltIEtvYmVpc3NpIDxuYWRpbUBjdXJlNTMuZGU+iJYEExYIAD4W
> IQQxLbsrwT1YkOWQ6I+6Hpt6adQElQUCXsTgpwIbAwUJCWYBgAULCQgHAgYVCgkI
> CwIEFgIDAQIeAQIXgAAKCRC6Hpt6adQElZpwAPkBWNq0KcwhTOynsw+soKHKAR3F
> P0ME/zJgMbw6KwI7EgD/abOrTSPnqsNSy2OPh7SNj7hkBP2uHN67uOE6Q005RgS0
> JU5hZGltIEtvYmVpc3NpIDxuYWRpbUBuYWRpbS5jb21wdXRlcj6ImQQTFggAQQIb
> AwUJCWYBgAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBDEtuyvBPViQ5ZDoj7oe
> m3pp1ASVBQJexOK5AhkBAAoJELoem3pp1ASVxnoA/i95I9WriDiQpSv0OfNNmali
> MKoAT/oWFO7TBbGegJx7AP43OhEW4tuWzwdA+thJhdEsEoRm8TLrGz4qrpY4RDka
> C4iWBBMWCAA+FiEEMS27K8E9WJDlkOiPuh6bemnUBJUFAl7E3wwCGwMFCQlmAYAF
> CwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQuh6bemnUBJXgXwD/ZBhj64lly1jX
> KLGGY1CO+UJNgGCQbU+j2idqnYORL30A/11sz2Ynch+wyI/hSm+/XuGRK8QCGcny
> ZoxveBTFAa8KtChOYWRpbSBLb2JlaXNzaSA8bmFkaW1Ac3ltYm9saWMuc29mdHdh
> cmU+iJYEExYIAD4WIQQxLbsrwT1YkOWQ6I+6Hpt6adQElQUCXsTgoAIbAwUJCWYB
> gAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC6Hpt6adQEla5pAP9JcbsYqZXi
> YryY4kY/OnRFTUiRzYDGmYEfLuI2Qw/oaAEAt2xOlbZz2YH8zTbHSyDcvQji0D2b
> 30L+irhsaPbIMAS4MwRexN8MFgkrBgEEAdpHDwEBB0C07CLXn/sfQOp0GYaq0lN3
> xavi/9TZoLPjVsaDyu5TG4h+BBgWCAAmFiEEMS27K8E9WJDlkOiPuh6bemnUBJUF
> Al7E3wwCGyAFCQlmAYAACgkQuh6bemnUBJXNIQEAl6QJENgUzdQrlTUv4U97lAnC
> vo9bZqHbyUfmfkgm7HUBAOmpXf9In28/rS3FTVi5H78+y9PkYrf+ns3Y6QMQ2rwG
> uDgEXsTfDBIKKwYBBAGXVQEFAQEHQBKnNbcOdNy1TPWmLgqgEAgXoG3G9KgdauUz
> Ih/hKcofAwEIB4h+BBgWCAAmFiEEMS27K8E9WJDlkOiPuh6bemnUBJUFAl7E3wwC
> GwwFCQlmAYAACgkQuh6bemnUBJUYIAD+K00G3DZ68K6vE3xMpqdR6rG2Hf0Eyy7s
> qUke517ubZcBAL+p+mCwdyaeSp5u6YSLKcMP52RxciHbSlyeIGXrp7IF
> =wtv+
> -----END PGP PUBLIC KEY BLOCK-----
> 
> Nadim Kobeissi
> Symbolic Software • https://symbolic.software
> Sent from office

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: Message signed with OpenPGP
URL: <https://lists.symbolic.software/pipermail/verifpal/attachments/20200521/5d2a2c2e/attachment.sig>


More information about the Verifpal mailing list