Slide 1

Slide 1 text

What is this PGP thing… …and how can I use it?

Slide 2

Slide 2 text

http://caleb.click/af0U

Slide 3

Slide 3 text

https://robots.thoughtbot.com/pgp-and-you

Slide 4

Slide 4 text

Getting GPGTools

• Download from https://gpgtools.org
• Get from one of the USBs I’ve handed out

Slide 5

Slide 5 text

Verify Package

Slide 6

Slide 6 text

With Trusted GPG

• Download GPG signature from https://gpgtools.org
• Verify signature fingerprint
• Import GPGTools developer key from https://gpgtools.org

gpg --verify GPG_Suite-2015.03-b6.dmg.sig \
    GPG_Suite-2015.03-b6.dmg

Slide 7

Slide 7 text

Otherwise…

Slide 8

Slide 8 text

Verify SHA of package against published website

shasum GPG_Suite-2015.03-b6.dmg

Slide 9

Slide 9 text

Mount .dmg

Slide 10

Slide 10 text

Double Click Install and follow instructions
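An added example, not from the talk and not GPGTools' own code, that carries the verification steps of slides 5 to 10 through in one script: pin the developer key's fingerprint, accept `gpg --verify` only when gpg's VALIDSIG status line names that fingerprint, and otherwise fall back to comparing a SHA-256 with the value published on the download page. `EXPECTED_FPR` is a placeholder to be replaced with the fingerprint published on gpgtools.org; the use of SHA-256 (the slide's `shasum` call defaults to SHA-1) and the `.sig` naming are assumptions.

```shell
#!/bin/sh
# Added example: verify a downloaded installer by GPG signature pinned to the
# developer key's fingerprint, with a published-checksum fallback.
# Not GPGTools' own code.

# PLACEHOLDER: replace with the fingerprint published on https://gpgtools.org
# (40 hex digits, spaces optional).
EXPECTED_FPR="0000000000000000000000000000000000000000"

# Strip spaces and uppercase so a fingerprint copied from a web page
# compares equal to what gpg prints.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Verify FILE against SIG. A "Good signature" line alone is not enough:
# any key in the keyring would produce one, so the VALIDSIG status line is
# checked against the pinned fingerprint. Returns 0 only for a valid
# signature from the expected key.
verify_signature() {
  sig=$1; file=$2; want=$(normalize_fpr "$3")
  status=$(gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
  got=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ { print $3; exit }')
  [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$want" ]
}

# SHA-256 of a file, using whichever tool the system has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Fallback when no trusted gpg is available yet: compare the file's SHA-256
# with the value copied from the download site (second argument).
verify_checksum() {
  [ "$(sha256_of "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

main() {
  file=$1; published_sha=$2
  if verify_signature "$file.sig" "$file" "$EXPECTED_FPR"; then
    echo "signature OK from pinned key"
  elif verify_checksum "$file" "$published_sha"; then
    echo "signature not verifiable; SHA-256 matches published value"
  else
    echo "verification FAILED, do not install" >&2
    return 1
  fi
}

# Usage: sh verify_pkg.sh GPG_Suite-2015.03-b6.dmg <published-sha256>
[ $# -eq 0 ] || main "$@"
```

The checksum path only proves the file matches what the website says; an attacker who can alter the download can usually alter the published hash on the same site, which is why the signature path, checked against a fingerprint obtained out of band, comes first.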

Slide 11

Slide 11 text

Build Keypairs and Upload Public Keys

Slide 12

Slide 12 text

Keypair?

Slide 13

Slide 13 text

A keypair is composed of two parts

Slide 14

Slide 14 text

Public key

Slide 15

Slide 15 text

Private key

Slide 16

Slide 16 text

More secure than single key algorithms

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

Sign Git Commits

Slide 19

Slide 19 text

Configuration

Slide 20

Slide 20 text

git config --global \
    commit.gpgsign true

Slide 21

Slide 21 text

git config --global \
    user.signingkey \
    "Caleb Thompson "

Slide 22

Slide 22 text

Using Git ~with~

Slide 23

Slide 23 text

git log --show-signature

Slide 24

Slide 24 text

git show --show-signature

Slide 25

Slide 25 text

git tag --verify [tag]
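The commands above show signatures one commit at a time. As an added example (not from the talk), the script below audits a whole range of commits for valid signatures from an allow-list of fingerprints, using git's own log placeholders: `%H` for the hash, `%G?` for the signature status and `%GF` for the signing key's fingerprint. The allow-list entry is the speaker's fingerprint shown later in the talk; the file name and the `--stdin` convention are assumptions.

```shell
#!/bin/sh
# Added example: reject any commit that is not a good signature from an
# allow-listed key. Input lines come from
#   git log --format='%H %G? %GF' <range>
# %G? values: G good, U good but key untrusted, B bad, E cannot be checked
# (e.g. missing key), X expired signature, Y expired key, R revoked key,
# N no signature.

# Allow-listed fingerprints, one per line (speaker's key from the talk;
# add your team's keys here).
TRUSTED_FPRS="B432C0682FD1C2D06A8B39511621ADC2A0ACE70A"

# True if the fingerprint is on the allow-list (case-insensitive, whole line).
is_trusted_fpr() {
  [ -n "$1" ] && printf '%s\n' "$TRUSTED_FPRS" | grep -qix "$1"
}

# Reads "<hash> <status> <fingerprint>" lines on stdin, prints one verdict
# per commit and returns 1 if any commit fails. Mirrors "fail if unverifiable".
audit_commits() {
  bad=0
  while read -r hash status fpr; do
    [ -n "$hash" ] || continue
    case "$status" in
      G)
        if is_trusted_fpr "$fpr"; then
          echo "OK   $hash signed by $fpr"
        else
          echo "FAIL $hash good signature, but key $fpr is not allow-listed"; bad=1
        fi ;;
      U) echo "FAIL $hash signed by $fpr, key not trusted in keyring"; bad=1 ;;
      N) echo "FAIL $hash unsigned"; bad=1 ;;
      *) echo "FAIL $hash signature status $status (bad/expired/revoked/missing key)"; bad=1 ;;
    esac
  done
  return $bad
}

# Usage: git log --format='%H %G? %GF' origin/main..HEAD | sh audit.sh --stdin
if [ "${1:-}" = "--stdin" ]; then
  audit_commits
fi
```

Checking the fingerprint, not only the `G` status, matters because `G` means "some key in the verifier's keyring signed this", which is a weaker statement than "one of our release keys signed this".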

Slide 26

Slide 26 text

Why?

Slide 27

Slide 27 text

Signed commit says I wrote this; here’s proof

Slide 28

Slide 28 text

Signed tag says I released this; here’s proof

Slide 29

Slide 29 text

Get your signature in as many places as possible

• GPG can auto-download keys to verify sigs
• More ways to establish trust

Slide 30

Slide 30 text

It’s easy, so why not?

Slide 31

Slide 31 text

Gems

Slide 32

Slide 32 text

x

Slide 33

Slide 33 text

Gem::Security

Slide 34

Slide 34 text

Default no verification when installing gems

Slide 35

Slide 35 text

Uses OpenSSL keys

• Same sort of keys used for SSL / HTTPS keys
• Unfortunately, same sort of keys used for SSL/HTTPS keys, which have no good distribution system

Slide 36

Slide 36 text

Uses certificate authorities

• Doesn’t take advantage of much larger PGP WoT
• Requires you to trust a CA manually

Slide 37

Slide 37 text

Private keys not encrypted

Slide 38

Slide 38 text

Keys are self-signed

Slide 39

Slide 39 text

Need Trust Path

Slide 40

Slide 40 text

No Keyservers

Slide 41

Slide 41 text

Can't specify system-wide trust

Slide 42

Slide 42 text

Signatures included in gem

pg-0.18.1.gem
├── checksums.yaml.gz
├── checksums.yaml.gz.sig
├── data.tar.gz
├── data.tar.gz.sig
├── metadata.gz
└── metadata.gz.sig
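As an added example (not part of RubyGems or the talk), the script below inspects a `.gem` file, which is a plain tar archive with the layout shown above, reports whether each of the three payload members has its `.sig` companion, and only then installs under the `HighSecurity` trust policy, since the default policy verifies nothing. The script and file names are assumptions; `gem install --trust-policy` and `gem cert --add` are real RubyGems options.

```shell
#!/bin/sh
# Added example: check that a .gem carries detached signatures for all of
# its payload members before installing it under a strict trust policy.

# Members a signed gem must contain alongside the three payload files.
REQUIRED_SIGS="checksums.yaml.gz.sig data.tar.gz.sig metadata.gz.sig"

# List the archive members; a .gem is an uncompressed tar.
gem_members() {
  tar -tf "$1"
}

# Returns 0 if all three .sig members are present, 1 otherwise,
# naming the missing ones on stderr.
gem_has_signatures() {
  members=$(gem_members "$1") || return 1
  missing=""
  for sig in $REQUIRED_SIGS; do
    printf '%s\n' "$members" | grep -qx "$sig" || missing="$missing $sig"
  done
  if [ -n "$missing" ]; then
    echo "$1: missing$missing" >&2
    return 1
  fi
  return 0
}

# HighSecurity makes `gem` refuse any gem whose signing certificate is not
# in its trusted list; `gem cert --add <cert.pem>` adds one after you have
# checked the certificate's fingerprint with its owner.
install_if_signed() {
  gem_has_signatures "$1" || { echo "refusing to install unsigned gem $1" >&2; return 1; }
  gem install --local --trust-policy HighSecurity "$1"
}

# Usage: sh gemsig.sh pg-0.18.1.gem
[ $# -eq 0 ] || install_if_signed "$1"
```

The presence check catches the common case the slides describe (an unsigned gem installs silently); the trust policy is what ties a present signature back to a certificate you have actually decided to trust.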

Slide 43

Slide 43 text

Required Reading

• Signing gems on Gem::Security docs (formatted)
• rubygems-developers mailing list thread on gem signing
• rubygems-openpgp
• We Need to Sign Ruby Gems! But How?
• Nobody Cares About Signed Gems (archive.org)

Slide 44

Slide 44 text

Who else?

Slide 45

Slide 45 text

Manually

Slide 46

Slide 46 text

Aptitude, Homebrew, etc. automate this

• aptitude uses gpg to verify
• Homebrew checks SHAs of installed packages
• RVM distributes signature and automatically verifies during installation

Slide 47

Slide 47 text

Need automatic verification before installation

• Should verify signature
• Should be configurable to verify trust
• Should fail to install if unverifiable

Slide 48

Slide 48 text

Need stronger Web of Trust connections throughout the community

Slide 50

Slide 50 text

Better tool support

Slide 51

Slide 51 text

Rubygems

Slide 52

Slide 52 text

GitHub

commit 84d9f998dbbb514c6c127ba91e800c34e8885e35
gpg: Signature made Wed Jan 14 09:56:52 2015 CST using RSA key ID A0ACE70A
gpg: Good signature from "Caleb Thompson " [ultimate]
gpg:                 aka "Caleb Thompson " [ultimate]
gpg:                 aka "Caleb Thompson " [ultimate]
Author: Caleb Thompson
Date:   Wed Jan 14 09:55:45 2015 -0600

    Connect A0ACE70A and @calebthompson

Slide 53

Slide 53 text

Claim Social Accounts

pub   2048R/A0ACE70A 2013-08-12
      Key fingerprint = B432 C068 2FD1 C2D0 6A8B 3951 1621 ADC2 A0AC E70A
uid       [ultimate] Caleb Thompson
uid       [ultimate] Caleb Thompson
uid       [ultimate] Caleb Thompson
uid       [ultimate] @calebthompson (https://twitter.com/calebthompson/status/)
uid       [ultimate] @calebthompson (https://github.com/calebthompson/i-am)
sub   2048R/545CA4DF 2013-08-12
sub   4096R/379AE326 2015-02-09

Slide 54

Slide 54 text

Display verified commits by @username

Slide 55

Slide 55 text

Signing Keys

Slide 56

Slide 56 text

Like signing a message

Slide 57

Slide 57 text

Has different semantic meaning:

Slide 58

Slide 58 text

Assert that you’ve verified owner identity (driver’s licence, passport, etc.)

Slide 59

Slide 59 text

Assert that you’ve verified that you have the right key

Slide 60

Slide 60 text

Assert that you’ve verified ownership (can use private key)

Slide 61

Slide 61 text

Assert that you’ve verified ownership (can use private key)

• (It’s less common to actually do this step)

Slide 62

Slide 62 text

Announces to the world that if they trust you to verify these things, they

Slide 63

Slide 63 text

Fundamental to the Web of Trust

Slide 64

Slide 64 text

No content

Slide 65

Slide 65 text

No content

Slide 66

Slide 66 text

Get the key

• Mine is included on the USB
• Usually you find it online as a .asc file someone points to, or on a keyserver

Slide 67

Slide 67 text

No content

Slide 68

Slide 68 text

No content

Slide 69

Slide 69 text

B432 C068 2FD1 C2D0 6A8B 3951 1621 ADC2 A0AC E70A

Slide 70

Slide 70 text

No content

Slide 71

Slide 71 text

Upload to keyserver

Slide 72

Slide 72 text

Exchange Key Fingerprints and Verify IDs
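An added example (not the speaker's code) of the key-signing steps from slides 66 to 72 in one script: import the key, compare the fingerprint gpg reports with the one verified against the owner's ID in person, and only on a full 40-digit match sign the key and publish the signature. The key file name, the keyserver address and the script name are assumptions; the fingerprint in the usage line is the one shown on slide 69.

```shell
#!/bin/sh
# Added example: sign someone's key only after the fingerprint in the
# keyring matches the one checked against their ID in person.

# Normalize a fingerprint so "B432 C068 ..." (as printed on a slide or a
# card) equals what `gpg --fingerprint` reports.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# True if two fingerprints match. A full 40-hex-digit fingerprint is
# required: a short key ID such as A0ACE70A is only the last 8 digits and
# is not enough to identify a key uniquely.
fingerprints_match() {
  a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
  [ ${#a} -eq 40 ] && [ "$a" = "$b" ]
}

# Fingerprint gpg reports for a key, from the colon-format "fpr" record
# (field 10).
gpg_fingerprint_of() {
  gpg --with-colons --fingerprint "$1" 2>/dev/null | awk -F: '$1=="fpr" { print $10; exit }'
}

# 1. get the key (.asc file handed over, or from a keyserver)
# 2. compare its fingerprint with the one verified in person
# 3. sign it and publish the signature (keyserver is an assumption)
sign_verified_key() {
  keyfile=$1; fpr_from_card=$2
  gpg --import "$keyfile" || return 1
  want=$(normalize_fpr "$fpr_from_card")
  have=$(gpg_fingerprint_of "$want")
  if ! fingerprints_match "$have" "$want"; then
    echo "fingerprint mismatch: keyring has '$have', card says '$want'; not signing" >&2
    return 1
  fi
  gpg --sign-key "$want" && gpg --keyserver hkps://keys.openpgp.org --send-keys "$want"
}

# Usage: sh signkey.sh caleb.asc "B432 C068 2FD1 C2D0 6A8B 3951 1621 ADC2 A0AC E70A"
[ $# -ne 2 ] || sign_verified_key "$1" "$2"
```

The comparison deliberately reads the fingerprint from the keyring (not from the `.asc` file or the key ID someone tells you) so that what gets signed is what was actually imported.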