[Verifpal] New Code Signing PGP Key and Code Signing Policy Update

Nadim Kobeissi nadim at symbolic.software
Thu May 21 15:22:48 CEST 2020


Hello everyone,

After further consideration, I have decided to also sign releases. This means they’ll be compiled and distributed locally instead of from the CI/CD server. The changes necessary for this have been made and will take effect with the next Verifpal update, where you should expect an additional `.sig` file alongside the Git repository release.

The only exception to this is the Snapcraft releases, which will remain unsigned, because I’ll be damned if I’m setting up that hellish Snapcraft build toolchain on my local machine.

Nadim Kobeissi
Symbolic Software • https://symbolic.software

> On 21 May 2020, at 10:18 AM, Nadim Kobeissi <nadim at symbolic.software> wrote:
> 
> Here is a signed copy of the previous email. Should’ve done this with the original!
> 
> ----
> 
> Hello everyone,
> 
> As Verifpal matures, I have been gradually ratcheting up the code assurance practices of Verifpal software. As of yesterday, there is a new PGP key being used to sign Verifpal source code repository commits:
> 
> pub   ed25519 2020-05-20 [SC] [expires: 2025-05-19]
>      312DBB2BC13D5890E590E88FBA1E9B7A69D40495
> sub   ed25519 2020-05-20 [A] [expires: 2025-05-19]
> sub   cv25519 2020-05-20 [E] [expires: 2025-05-19]
> 
> The full PGP key is included at the end of this email.
> 
> The difference between this code signing key and the previous key is that the new key was generated on and functions entirely off of a HSM.
> 
> What you should expect to be signed:
>    - Any and all git commits to the Verifpal repository (and related repositories) made by me.
>    - Git tags.
> 
> What you should not expect to be signed:
>    - Git release binaries of Verifpal. [0]
>    - Automated commits by the CI/CD server with the sole purpose of updating Homebrew and Scoop manifests. They always look exactly like this [1] [2].
> 
> We aren't signing git tags and release binaries because releases are compiled and pushed on GitLab, Homebrew, Scoop and Snapcraft via our CI/CD server, which is remote and does not have physical access to the HSM. While it is regrettable that direct signing on releases is not possible, this is to an extent mitigated by Go's native support for reproducible builds, which I hope is further bolstered by the recent addition of the -trimpath Go build parameter [3]. By producing your own builds of Verifpal from code-signed source code commits and matching them up with the released binaries, you can obtain a level of assurance over the integrity of the release binaries.
> 
> References:
> [0] https://source.symbolic.software/verifpal/verifpal/-/releases
> [1] https://source.symbolic.software/verifpal/verifpal/-/commit/5af47cd6488e0480eedef84207a847013f19f0d6
> [2] https://source.symbolic.software/verifpal/verifpal/-/commit/d9e702ac119ae9504181355b1c56cee419a46751
> [3] https://source.symbolic.software/verifpal/verifpal/-/commit/898128458f6056fedc8a5a04f555781127ea8f74
> 
> The full new PGP key:
> 
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> 
> mDMEXsTfDBYJKwYBBAHaRw8BAQdAYmn6SPuvCoVDYSE3hs7JThbC6JvRgdokiyO3
> 7AxadkO0IE5hZGltIEtvYmVpc3NpIDxuYWRpbUBjdXJlNTMuZGU+iJYEExYIAD4W
> IQQxLbsrwT1YkOWQ6I+6Hpt6adQElQUCXsTgpwIbAwUJCWYBgAULCQgHAgYVCgkI
> CwIEFgIDAQIeAQIXgAAKCRC6Hpt6adQElZpwAPkBWNq0KcwhTOynsw+soKHKAR3F
> P0ME/zJgMbw6KwI7EgD/abOrTSPnqsNSy2OPh7SNj7hkBP2uHN67uOE6Q005RgS0
> JU5hZGltIEtvYmVpc3NpIDxuYWRpbUBuYWRpbS5jb21wdXRlcj6ImQQTFggAQQIb
> AwUJCWYBgAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBDEtuyvBPViQ5ZDoj7oe
> m3pp1ASVBQJexOK5AhkBAAoJELoem3pp1ASVxnoA/i95I9WriDiQpSv0OfNNmali
> MKoAT/oWFO7TBbGegJx7AP43OhEW4tuWzwdA+thJhdEsEoRm8TLrGz4qrpY4RDka
> C4iWBBMWCAA+FiEEMS27K8E9WJDlkOiPuh6bemnUBJUFAl7E3wwCGwMFCQlmAYAF
> CwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQuh6bemnUBJXgXwD/ZBhj64lly1jX
> KLGGY1CO+UJNgGCQbU+j2idqnYORL30A/11sz2Ynch+wyI/hSm+/XuGRK8QCGcny
> ZoxveBTFAa8KtChOYWRpbSBLb2JlaXNzaSA8bmFkaW1Ac3ltYm9saWMuc29mdHdh
> cmU+iJYEExYIAD4WIQQxLbsrwT1YkOWQ6I+6Hpt6adQElQUCXsTgoAIbAwUJCWYB
> gAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC6Hpt6adQEla5pAP9JcbsYqZXi
> YryY4kY/OnRFTUiRzYDGmYEfLuI2Qw/oaAEAt2xOlbZz2YH8zTbHSyDcvQji0D2b
> 30L+irhsaPbIMAS4MwRexN8MFgkrBgEEAdpHDwEBB0C07CLXn/sfQOp0GYaq0lN3
> xavi/9TZoLPjVsaDyu5TG4h+BBgWCAAmFiEEMS27K8E9WJDlkOiPuh6bemnUBJUF
> Al7E3wwCGyAFCQlmAYAACgkQuh6bemnUBJXNIQEAl6QJENgUzdQrlTUv4U97lAnC
> vo9bZqHbyUfmfkgm7HUBAOmpXf9In28/rS3FTVi5H78+y9PkYrf+ns3Y6QMQ2rwG
> uDgEXsTfDBIKKwYBBAGXVQEFAQEHQBKnNbcOdNy1TPWmLgqgEAgXoG3G9KgdauUz
> Ih/hKcofAwEIB4h+BBgWCAAmFiEEMS27K8E9WJDlkOiPuh6bemnUBJUFAl7E3wwC
> GwwFCQlmAYAACgkQuh6bemnUBJUYIAD+K00G3DZ68K6vE3xMpqdR6rG2Hf0Eyy7s
> qUke517ubZcBAL+p+mCwdyaeSp5u6YSLKcMP52RxciHbSlyeIGXrp7IF
> =wtv+
> -----END PGP PUBLIC KEY BLOCK-----
> 
> 
> Nadim Kobeissi
> Symbolic Software • https://symbolic.software
> 
>> On 21 May 2020, at 10:14 AM, Nadim Kobeissi <nadim at symbolic.software> wrote:
>> 
>> Hello everyone,
>> 
>> As Verifpal matures, I have been gradually ratcheting up the code assurance practices of Verifpal software. As of yesterday, there is a new PGP key being used to sign Verifpal source code repository commits:
>> 
>> pub   ed25519 2020-05-20 [SC] [expires: 2025-05-19]
>>      312DBB2BC13D5890E590E88FBA1E9B7A69D40495
>> sub   ed25519 2020-05-20 [A] [expires: 2025-05-19]
>> sub   cv25519 2020-05-20 [E] [expires: 2025-05-19]
>> 
>> The full PGP key is included at the end of this email.
>> 
>> The difference between this code signing key and the previous key is that the new key was generated on and functions entirely off of a HSM.
>> 
>> What you should expect to be signed:
>>    - Any and all git commits to the Verifpal repository (and related repositories) made by me.
>>    - Git tags.
>> 
>> What you should not expect to be signed:
>>    - Git release binaries of Verifpal. [0]
>>    - Automated commits by the CI/CD server with the sole purpose of updating Homebrew and Scoop manifests. They always look exactly like this [1] [2].
>> 
>> We aren't signing git tags and release binaries because releases are compiled and pushed on GitLab, Homebrew, Scoop and Snapcraft via our CI/CD server, which is remote and does not have physical access to the HSM. While it is regrettable that direct signing on releases is not possible, this is to an extent mitigated by Go's native support for reproducible builds, which I hope is further bolstered by the recent addition of the -trimpath Go build parameter [3]. By producing your own builds of Verifpal from code-signed source code commits and matching them up with the released binaries, you can obtain a level of assurance over the integrity of the release binaries.
>> 
>> References:
>> [0] https://source.symbolic.software/verifpal/verifpal/-/releases
>> [1] https://source.symbolic.software/verifpal/verifpal/-/commit/5af47cd6488e0480eedef84207a847013f19f0d6
>> [2] https://source.symbolic.software/verifpal/verifpal/-/commit/d9e702ac119ae9504181355b1c56cee419a46751
>> [3] https://source.symbolic.software/verifpal/verifpal/-/commit/898128458f6056fedc8a5a04f555781127ea8f74
>> 
>> The full new PGP key:
>> 
>> -----BEGIN PGP PUBLIC KEY BLOCK-----
>> 
>> mDMEXsTfDBYJKwYBBAHaRw8BAQdAYmn6SPuvCoVDYSE3hs7JThbC6JvRgdokiyO3
>> 7AxadkO0IE5hZGltIEtvYmVpc3NpIDxuYWRpbUBjdXJlNTMuZGU+iJYEExYIAD4W
>> IQQxLbsrwT1YkOWQ6I+6Hpt6adQElQUCXsTgpwIbAwUJCWYBgAULCQgHAgYVCgkI
>> CwIEFgIDAQIeAQIXgAAKCRC6Hpt6adQElZpwAPkBWNq0KcwhTOynsw+soKHKAR3F
>> P0ME/zJgMbw6KwI7EgD/abOrTSPnqsNSy2OPh7SNj7hkBP2uHN67uOE6Q005RgS0
>> JU5hZGltIEtvYmVpc3NpIDxuYWRpbUBuYWRpbS5jb21wdXRlcj6ImQQTFggAQQIb
>> AwUJCWYBgAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBDEtuyvBPViQ5ZDoj7oe
>> m3pp1ASVBQJexOK5AhkBAAoJELoem3pp1ASVxnoA/i95I9WriDiQpSv0OfNNmali
>> MKoAT/oWFO7TBbGegJx7AP43OhEW4tuWzwdA+thJhdEsEoRm8TLrGz4qrpY4RDka
>> C4iWBBMWCAA+FiEEMS27K8E9WJDlkOiPuh6bemnUBJUFAl7E3wwCGwMFCQlmAYAF
>> CwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQuh6bemnUBJXgXwD/ZBhj64lly1jX
>> KLGGY1CO+UJNgGCQbU+j2idqnYORL30A/11sz2Ynch+wyI/hSm+/XuGRK8QCGcny
>> ZoxveBTFAa8KtChOYWRpbSBLb2JlaXNzaSA8bmFkaW1Ac3ltYm9saWMuc29mdHdh
>> cmU+iJYEExYIAD4WIQQxLbsrwT1YkOWQ6I+6Hpt6adQElQUCXsTgoAIbAwUJCWYB
>> gAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC6Hpt6adQEla5pAP9JcbsYqZXi
>> YryY4kY/OnRFTUiRzYDGmYEfLuI2Qw/oaAEAt2xOlbZz2YH8zTbHSyDcvQji0D2b
>> 30L+irhsaPbIMAS4MwRexN8MFgkrBgEEAdpHDwEBB0C07CLXn/sfQOp0GYaq0lN3
>> xavi/9TZoLPjVsaDyu5TG4h+BBgWCAAmFiEEMS27K8E9WJDlkOiPuh6bemnUBJUF
>> Al7E3wwCGyAFCQlmAYAACgkQuh6bemnUBJXNIQEAl6QJENgUzdQrlTUv4U97lAnC
>> vo9bZqHbyUfmfkgm7HUBAOmpXf9In28/rS3FTVi5H78+y9PkYrf+ns3Y6QMQ2rwG
>> uDgEXsTfDBIKKwYBBAGXVQEFAQEHQBKnNbcOdNy1TPWmLgqgEAgXoG3G9KgdauUz
>> Ih/hKcofAwEIB4h+BBgWCAAmFiEEMS27K8E9WJDlkOiPuh6bemnUBJUFAl7E3wwC
>> GwwFCQlmAYAACgkQuh6bemnUBJUYIAD+K00G3DZ68K6vE3xMpqdR6rG2Hf0Eyy7s
>> qUke517ubZcBAL+p+mCwdyaeSp5u6YSLKcMP52RxciHbSlyeIGXrp7IF
>> =wtv+
>> -----END PGP PUBLIC KEY BLOCK-----
>> 
>> Nadim Kobeissi
>> Symbolic Software • https://symbolic.software
>> Sent from office
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: Message signed with OpenPGP
URL: <https://lists.symbolic.software/pipermail/verifpal/attachments/20200521/0a2715ee/attachment.sig>


More information about the Verifpal mailing list