On Wed, Feb 26, 2020 at 05:04:42PM -0400, Jason Gunthorpe wrote: > > - developer does all their work on a remote VM that doesn't have > > access to their PGP keys and submits actual attestation when they > > get back to their workstation > > Unfortunately this is a challenging work flow for a lot of reasons. :( Can you describe why? I would expect that this is done fairly routinely due to having more compute power on a remote VM to run various tests. > > - developer configures their smartcard to require a PIN during each > > operation and disables the pgp-agent; sending a series of 40 patches > > requires a single PIN entry instead of 40 > > This is certainly my situation, my PGP key lives in a yubikey token > configured for physical presence to confirm. :\ I'm in the same boat. :) > > - developer submits a v1 of the patch that they don't expect to pass on > > the first try and doesn't bother submitting attestation; shockingly, > > the maintainer accepts it as-is and the developer can attest their > > patches post-fact *without* needing to collect all the acked-by's > > reviewed-by's etc from all others who have already responded to the v1 > > submission > > But there won't be tags in this case, so how do we learn the original > attestation-id to find the detatched signature? The attestation would be performed before all the follow-up tags are applied, so the attestation-id would be the same. After the patch is applied to a git repository, we can still use the "i" hash to look it up (see more below). > > For example, a maintainer will almost certainly edit the message > > content to add their own Signed-off-by, and may edit the patch for > > minor nitpicking. > > The i/p/m will always change once in git: > - The commit message is always changed, at least to add sign off > - The email Subject is always changed to strip [PATCH xxx] This is already done by "git mailinfo" so I would expect that the i: hash almost never changes, actually, unless the maintainer actually edits the subject. Subject + Author + Email are sufficiently unique to be able to locate the attestation data of the exact patch. > If we know the expected ID then you could do some fuzzy scheme to > cancel out, or at least check, the differences.. > > We have many patches now that have Link: trailer. I think it would be > useful to run some analysis: > - Fetch the original patch email from the Link and compute the > detached signature hashes > - Attempt to validate this sigature against the git commit > - Is there a fuzzy algorithm that brings this rate higher? So, the goal is not really to perform attestation once the patches made it into the git tree. I am specifically trying to address the following cases: - Someone poses as a trusted developer and submits a malicious patch - Someone bribes me to edit a patch on lore.kernel.org to introduce a backdoor Currently, maintainers have no mechanism to check against either of these cases. Adopting end-to-end patch attestation resolves both problems. > > Full i-m-p attestation will fail in this case, but we can then query > > the signatures archive for each individual hash to identify which > > part of the submission fails validation: > > https://lore.kernel.org/signatures/?q=2a02abe02216f626105622aee2f26ab10c155b6442e23441d90fc5fe4071b86e > > > > This lets us present the maintainer with more useful info, like: "full > > attestation failed, but the only changed part is actually the message > > and not the patch content, so it's probably still okay to apply." > > How does the message body get changed in transit from the submitter to > the maintainer? It shouldn't, because this means that the patch becomes mangled. We do perform a single normalization routine, which is converting all '\r\n' into '\n'. Any other changes done to bodies mean broken patches. -K
