# Gentoo Key Validation

## archrax

Hi guys,

This is a newbie question to which I have been unable to find the answer.

I have packages and snapshots that are signed correctly using the Gentoo keys. These keys are;

Gentoo Portage Snapshot Signing Key

Gentoo Linux Release Engineering (Automated Weekly Release Key)

When bringing these keys into gnupg, you get the messages;

'This key is not certified with a trusted signature!'

'There is no indication that the signature belongs to the owner.'

My question is this;

Those of you that use validation, what process/procedures do you employ to go about validating these keys?

Do you;

Personally fly out to meet the developers and sign their keys.

Rely on these keys being signed by people/entities that you already know/trust? If so, how do you go about this from a newbie perspective. (Let's say I don't know anyone at all with any connection to the Gentoo developers.)

Just take it on trust that these keys belong to who they say they belong to and leave it at that, realizing that this is the point in the whole system where you just have to assume trust.

None of the above.

I'd really appreciate your insights and opinions on this.

Thanks

----------

## NeddySeagoon

archrax,

What do you want from the gentoo signed stuff you have downloaded.

To know it has not been tampered with, or to know its really from Gentoo, or both?

That the signature is valid, shows the package has not been tampered with since it was signed.

A valid signature says nothing about the identity of the party doing the signing but does that matter?

If you are paranoid and want to guard against a compromised mirror, you can downlpad the packages and signatures from a (large) number of different mirrors and do all the cross checks. They should all be the same of course.  That guards against a compromised mirror.  

If you need to prove that packages are actually from Gentoo, you need to establish a web of trust to the keys used to do the signing.

Of course, none of this guards against a trojan planed by a dev that gets signed than onto the master mirror.

For me, getting it from a gentoo operated mirror is suffcient.

----------

## John R. Graham

What I think you're talking about is a Public Key Infrastructure (PKI). Here's an example, put into a Gentoo context.

A well established root CA (e.g., Verisign or CAcert) would assert the validity of a local Gentoo CA, which would then assert the validity of various Gentoo infrastructure keys. In a proper PKI there would also be regularly expiring CRLs so that you could get strong and timely assertions that a particular leaf key had not been compromised. Only the root CA is implicitly trusted and the root CA (in fact all compliant CAs) will or should publish a "Certificate Practices Statement" that attests to the care with which they protect their private keys and the rules that they follow in signing subordinate CA certificate requests. The CPSs are designed to give you a level of confidence in the strength of the root CA (which you must trust implicitly) and of the subordinate CAs (which you can verify by chaining up to the root).

I'm not intimately familiar with the relevant GLEPs but a quick search finds no occurrences of the terms PKI, CA, or certificate. I think that this is a matter for a future GLEP.

- John

----------

## archrax

Thanks for the replies guys.

@Neddy

Well, my main concern is that the mirror has not been tampered with. That being said, I was then thinking that if you are going to go down the gnupg route, then it would be nice to embrace the whole philosophy of it. Which means validating keys. I wanted to know what was common practise in this regard - whether I was ignorant of some kind of key validation process.

So the current scheme allays most of my fears i.e. that mirrors have not been tampered with. But actually finding the key IDs was not straightforward. I had to pull them out indirectly from a couple of different webpages (it was buried in example code snippets). It would be nice if there was a straightforward posting of Gentoo developer keys on a well signposted page so that they are easy for anyone to find. (I might have missed it. Please point it out if I have.) Also, and this is just an idea, what about posting the key IDs on mirrors as part of the mirror setup? That way, you only need to make sure a few key IDs on different mirrors are identical if you are really concerned, which surely would be easier than having to compare entire packages. If the key IDs are OK (and really, checking just your favourite mirror with, say, the definitive source which I take to be www.gentoo.org should be good enough) then you know that the gnupg verification system will take care of the rest.

@John

I hadn't considered this approach but yes, a CA would be another way of going about things as opposed to trying to find a way to build a web of trust that eventually includes the Gentoo developers.

Anyway, thanks once again.

----------

