diff --git a/developer-security-hygiene.md b/developer-security-hygiene.md index a5645a9..985dfb9 100644 --- a/developer-security-hygiene.md +++ b/developer-security-hygiene.md @@ -49,7 +49,18 @@ Remember, these are only guidelines. If you feel these priority levels do not reflect your project's commitment to security, you should adjust them as you see fit. -## PGP and Free Software development +## Basic PGP concepts and tools + +### Checklist + +- [ ] Understand the role of PGP in Free Software Development _(ESSENTIAL)_ +- [ ] Understand the basics of Public Key Cryptography _(ESSENTIAL)_ +- [ ] Understand PGP Encryption vs. Signatures _(ESSENTIAL)_ +- [ ] Understand PGP key identities _(ESSENTIAL)_ +- [ ] Understand PGP key validity _(ESSENTIAL)_ +- [ ] Install GnuPG utilities (version 2.x) _(ESSENTIAL)_ + +### Considerations The Free Software community has long relied on PGP for assuring the authenticity and integrity of software products it produced. You may not be @@ -64,6 +75,9 @@ environment: released software archives, so that downstream projects can verify the integrity of downloaded releases before integrating them into their own distributed downloads. +- Free Software projects routinely rely on PGP signatures within the code + itself in order to track provenance and verify integrity of code commits + by project developers. This is very similar to developer certificates/code signing mechanisms used by programmers working on proprietary platforms. In fact, the core concepts @@ -72,15 +86,19 @@ the technical aspects of the implementation and the way they delegate trust. PGP does not rely on centralized Certification Authorities, but instead lets each user assign their own trust to each certificate. -### Extremely Basic Overview of PGP +Our goal is to get your project on board using PGP for code provenance and +integrity tracking, following best practices and observing basic security +precautions. + +### Extremely Basic Overview of PGP operations You do not need to know the exact details of how PGP works -- understanding -the core concepts is enough to be able to use it successfully. PGP relies on -Public Key Cryptography to convert plain text into encrypted text. This -process requires two distinct keys: +the core concepts is enough to be able to use it successfully for our +purposes. PGP relies on Public Key Cryptography to convert plain text into +encrypted text. This process requires two distinct keys: -- A public key that is known to everyone -- A private key that is only known to the owner +- A public key that is _known to everyone_ +- A private key that is _only known to the owner_ #### Encryption @@ -119,3 +137,114 @@ Frequently, encrypted messages are also signed with the sender's own PGP key. This should be the default whenever using encrypted messaging, as encryption without authentication is not very meaningful (unless you are a whistleblower or a secret agent). + +### Understanding Key Identities + +Each PGP key must have one or multiple Identities associated with it. Usually, +an "Identity" is the person's full name and email address in the following +format: + + Alice Engineer + +Sometimes it will also contain a comment in brackets, to tell the end-user +more about that particular key: + + Bob Designer (obsolete 1024-bit key) + +Since people can be associated with multiple professional and personal +entities, they can have multiple identities on the same key: + + Alice Engineer + Alice Engineer + Alice Engineer + +When multiple identities are used, one of them would be marked as the "primary +identity" to make searching easier. + +### Understanding Key Validity + +To be able to use someone else's public key for encryption or verification, +you need to be sure that it actually belongs to the right person (Alice) and +not to an impostor (Eve). In PGP, this certainty is called "key validity:" + +- **Validity: full** -- means we are pretty sure this key belongs to Alice +- **Validity: marginal** -- means we are *somewhat* sure this key belongs to + Alice +- **Validity: uknown** -- means there is no assurance at all that this key + belongs to Alice + +#### Web of Trust (WoT) vs. Trust on First Use (TOFU) + +PGP uses a trust delegation mechanism known as the "Web of Trust." At its +core, this is an attempt to replace the need for centralized Certification +Authorities of the HTTPS/TLS world. Instead of various software makers +dictating who should be your trusted certification authorities, PGP leaves +this responsibility to each user. + +Unfortunately, very few people understand how the Web of Trust works, and even +fewer bother to keep it going. It remains an important aspect of the OpenPGP +specification, but recent versions of GnuPG (2.2 and above) have implemented +an alternative mechanism called "Trust on First Use" (TOFU). + +You can think of TOFU as "the SSH-like approach to trust." With SSH, the first +time you connect to a remote system, its key fingerprint is recorded and +remembered. If the key changes in the future, the SSH client will alert you +and refuse to connect, forcing you to make a decision on whether you choose to +trust the changed key or not. + +Similarly, the first time you import someone's PGP key, it is assumed to be +trusted. If at any point in the future GnuPG comes across another key with the +same identity, both the previously imported key and the new key will be marked +as invalid and you will need to manually figure out which one to trust. + +In this guide, we will be using the TOFU trust model. + +### Installing OpenPGP software + +First, it is important to understand the distinction between PGP, OpenPGP, +GnuPG and gpg: + +- **PGP** ("Pretty Good Privacy") is the name of the original commercial software +- **OpenPGP** is the IETF standard compatible with the original PGP tool +- **GnuPG** ("Gnu Privacy Guard") is free software that implements the OpenPGP + standard +- The command-line tool for GnuPG is called "**gpg**" + +Today, the term "PGP" is almost always used to mean "the OpenPGP standard," +not the original commercial software, and therefore "PGP" and "OpenPGP" are +interchangeable. The terms "GnuPG" and "gpg" should only be used when +referring to the tools, not to the output they produce or OpenPGP features +they implement. For example: + +- PGP (not GnuPG or GPG) key +- PGP (not GnuPG or GPG) signature +- PGP (not GnuPG or GPG) keyserver + +Understanding this should protect you from an inevitable pedantic "actually" +from other PGP users you come across. + +#### Installing GnuPG + +If you are using Linux, you should already have GnuPG installed. On a Mac, +you should install [GPG-Suite](https://gpgtools.org). For all other platforms, +you'll need to do your own research to find the correct places to download and +install GnuPG. + +##### GnuPG 1 vs. 2 + +Both GnuPG v.1 and GnuPG v.2 implement the same standard, but they provide +incompatible libraries and command-line tools, so many distributions ship both +the legacy version 1 and the latest version 2. You need to make sure you are +always using GnuPG v.2. + +First, run: + + gpg --version | head -1 + +If you see `gpg (GnuPG) 1.4.x`, then you are using GnuPG v.1. Try the `gpg2` +command: + + gpg2 --version | head -1 + +If you see `gpg (GnuPG) 2.x.x`, then you are good to go. This guide will +assume you have the version 2.2 of GnuPG (or later).