Author Topic: PGP Signatures for Downloads?  (Read 8247 times)
EvilJoel
Nub


Cakes 0
Posts: 5


« on: April 12, 2014, 09:40:55 PM »

I was wondering if the OA developers would be willing to start PGP signing their releases and making their signing keys available in some secure manner.  Lately I have started to get more involved in political activism and am starting to be worried I might be targeted by state sponsored hackers at some point.  It is important for me to know that executables I download are the same files the developer intended for me to get.  PGP is a great and relatively inexpensive way to do download verification.  It is also pretty much the standard in the open source and Linux community.

The md5sum on the download page is insufficient for verification purposes.  First, the md5sum is displayed on a non-https page and could potentially be changed when I download it.  Second, md5 is known to be vulnerable to a length extension attack.

I'm willing to answer any questions you have about PGP and am willing to walk you through getting setup with it.  Thanks for considering my request.
Logged
asmanel
Nub


Cakes 0
Posts: 44


« Reply #1 on: April 13, 2014, 08:08:48 AM »

If I understand you well, you want a more secure download protocol.

There already are several ways to download OA, including the peer to peer one and the more common http one. Adding an https + PGP way sounds good.

However, facing pirates (I think calling any computing pirate a "hacker" is as absurd as calling any gun owner a "murderer"), I don't believe zero risk exists.

Theoretically, the lowest possible level of risk remains downloading and recompiling the source code, but that is rarely an easy way.
Logged
grey matter
Member


Cakes 8
Posts: 381

>9k


« Reply #2 on: April 13, 2014, 01:10:33 PM »

EvilJoel is asking for a way to verify that the files that he obtained via whatever means (http, https, torrent, floppy disk) are the same that have been released by the OA devs. Given that the file signature is distributed via some trustworthy method (e.g. web of trust, posting one's public keys on his blog/twitter/website etc.) it does not really matter whether the signed file is downloaded via an insecure channel.

While I like the suggestion of using GPG signatures, they are not really making your OA downloads that much more secure.
You should be worried the most about OA's code, which is what will be executed on your system. While OA is open source, you'd still need to reliably link binary releases to source code revisions. Then again there is a very small number of OA developers/committers and a larger number of upstream (ioquake3) ones and no formal source code review. Do you trust all of them?
Given that there is usually one person to prepare and release specific OA downloads, you'd have to fully trust that single person not to sneak in any malicious code or content or being targeted by hackers himself (malicious compiler anyone?). You'd also need to trust OA game server operators not to try pushing malicious code onto you via autodownloaded files (though you could disable downloads).

This list could be extended some more, so I fail to see the real value in signed OA downloads. Time is short and I'd guess there are other priorities for OA devs. While it might not seem to take long to just gpg sign files, there are still many things that could compromise that intent which do take a long time to fix/prevent.
Logged

This space is for rent.
EvilJoel
Nub


Cakes 0
Posts: 5


« Reply #3 on: April 13, 2014, 07:49:08 PM »


> While I like the suggestion of using GPG signatures, they are not really making your OA downloads that much more secure.
> You should be worried the most about OA's code, which is what will be executed on your system.

I disagree.  I trust the ioquake3 and Open Arena developers and there are a lot of people looking at this code.  I am more worried about the zip file getting swapped out during unencrypted transport.  I do not think this scenario is as far fetched as you might expect.

I believe it is now generally accepted that binary code should be signed in some way.  Microsoft does it with all their binary packages.  Actually most 'for purchase' code distributed for Windows is digitally signed.  Many Linux software packages are also signed by the developers who release them.  I am asking for the OA developers to follow the trend of the software industry and also digitally sign their binaries.
Logged
fromhell
Administrator
GET A LIFE!

Cakes 35
Posts: 14520



« Reply #4 on: April 13, 2014, 08:33:07 PM »

You could always get the zip file, delete the binaries in there, fetch the source of the engine elsewhere and compile yourself.


I understand paranoia and unfortunately I can't commit myself to vexing issues about it... though if it's about a MD5sum being manipulated, maybe a PNG image of the MD5sum could also work.  You can also crosscheck this md5sum with some of the mirrors that also provide the same zip file.

Also signing is expensive, and since this project is primarily a data project for the content rather than the code, and you can't sign a QVM file... it doesn't hold a lot of concern for my more critical art priorities.  Don't think there should be much 'tampering' with pk3s though, since to play online, checksum protection is required for clients to connect.
« Last Edit: April 13, 2014, 08:39:55 PM by fromhell » Logged

asking when OA3 will be done won't get OA3 done.
Progress of OA3 currently occurs behind closed doors alone

I do not provide technical support either.

new code development on github
EvilJoel
Nub


Cakes 0
Posts: 5


« Reply #5 on: April 13, 2014, 09:38:53 PM »


> Also signing is expensive.

Expensive as in cost?  No, PGP signing is free.  Also, you can throw the signer's public key up on github which provides a free HTTPS secure download.  Also, I am pretty sure signing the 500 MB download will take seconds.

Now, I will admit figuring out how to use GPG (the GNU version of PGP) is kind of difficult.  Honestly, it takes at least 8 hours of reading.  However, I'm available to answer any questions any of you might have about this process.
Logged
grey matter
Member


Cakes 8
Posts: 381

>9k


« Reply #6 on: April 14, 2014, 12:46:30 PM »

> You could always get the zip file, delete the binaries in there, fetch the source of the engine elsewhere and compile yourself.
This assumes that content such as QVM files does no harm. There can always be bugs with ioq3's vm interpreter, x86 compiler, libpng, libvorbis etc.
The source code of OA is signed in neither SVN nor Git and as such is equally untrusted.

> I understand paranoia and unfortunately I can't commit myself to vexing issues about it... though if it's about a MD5sum being manipulated, maybe a PNG image of the MD5sum could also work.  You can also crosscheck this md5sum with some of the mirrors that also provide the same zip file.
A targeted attack on the openarena.ws website could just as easily replace any images (you'll want TLS, DNSSEC and whatnot).
md5 is broken.
You can not rely on mirrors if the primary file on openarena.ws is poisoned or the mirrors might just be targeted as well.

> Also signing is expensive, and since this project is primarily a data project for the content rather than the code, and you can't sign a QVM file... it doesn't hold a lot of concern for my more critical art priorities.  Don't think there should be much 'tampering' with pk3s though, since to play online, checksum protection is required for clients to connect.
Signing with PGP/GPG does not require a certificate which is backed by some trusted CA, as it works via the web of trust.
There's no need to sign individual files, you could either sign their enclosing .pk3 or just the whole oa.zip.
The pure pak CRC is trivial to fool, just look at Debian's ioq3 fork using shared libraries.

May I suggest posting somewhat secure checksums such as sha256 on some known website (e.g. OA's GitHub wiki via https)?
This does not require getting familiar with PGP and provides some level of trust while being just an additional command to the usual md5sum.
Logged

This space is for rent.
EvilJoel
Nub


Cakes 0
Posts: 5


« Reply #7 on: April 15, 2014, 05:51:26 AM »

Yeah, I agree with the above poster.  There are other ways to do secure downloads (although I believe PGP is the best and least expensive way to do it).  HTTPS would be acceptable but more costly and there are known problems with HTTPS (because it has a single point of failure and companies have been known to be less than trustworthy with their root certificates).  However, despite its problems, HTTPS is still the industry standard security method.

I'm not asking the OA developers to participate in the Web of Trust.  Realistically, the web of trust hasn't really worked and it certainly would take a lot of effort to build that network.  For signing key verification, I would like them to post their public key on a secure site, or their fingerprint on a secure site, or maybe just post their fingerprint on several different insecure sites to make it hard for someone to spoof their signature.

At the very least, could the OA developers post a sha256sum on their download page in addition to the md5sum?  As I said, md5 has a known security problem.  sha256sum is still generally believed to be secure.  (This isn't nearly as good as a PGP signed download, but it is at least a step in the right direction.)
Logged
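The verification procedure the last two replies converge on (a sha256 list published on a separate https site, a key fingerprint published out of band, and a detached PGP signature), as an added example that is not part of the thread or of the OpenArena project: a POSIX shell script a user would run after downloading. The file names (oa-release.zip, SHA256SUMS, release-key.asc, release-keyring.gpg) are placeholders, and the gpg steps assume a GnuPG 2.x release that supports "--import-options show-only".

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded release archive with
# (1) a SHA-256 list fetched from a different channel than the archive,
# (2) a key fingerprint published out of band, (3) a detached PGP signature.
# File names are placeholders; gpg calls assume GnuPG 2.x with "show-only".

# Portable SHA-256 of one file: coreutils sha256sum, or perl's shasum elsewhere.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# verify_sha256 FILE SUMSFILE
# SUMSFILE holds "hash  name" lines as written by sha256sum; a leading '*'
# (binary-mode marker) on the name is accepted. The list only adds integrity
# when it comes from a channel the attacker cannot also swap (the thread's
# point: an md5 on the same plain-http download page can be changed together
# with the file). Returns 0 on match, 1 on mismatch, 2 when FILE is not listed.
verify_sha256() {
  file="$1"; sums="$2"
  expected=$(awk -v name="$(basename "$file")" \
    '{ sub(/^\*/, "", $2); if ($2 == name) { print $1; exit } }' "$sums")
  if [ -z "$expected" ]; then
    echo "no SHA-256 listed for $(basename "$file")" >&2
    return 2
  fi
  [ "$(sha256_of "$file")" = "$expected" ]
}

# check_fingerprint KEYFILE EXPECTED_FPR
# Compares the primary-key fingerprint inside an exported public key with the
# 40-hex-digit fingerprint the developer published in several independent
# places (spacing and letter case in the published value are ignored).
check_fingerprint() {
  want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
  have=$(gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }')
  [ -n "$have" ] && [ "$have" = "$want" ]
}

# verify_signature SIGFILE FILE KEYRING
# KEYRING is a dedicated keyring holding only the checked release key, e.g.
#   gpg --no-default-keyring --keyring ./release-keyring.gpg --import release-key.asc
# so no other key on the machine can satisfy the check (use a path with a
# slash, otherwise gpg looks for the keyring inside GNUPGHOME). gpg exits
# non-zero for a bad signature or an unknown key.
verify_signature() {
  gpg --batch --no-default-keyring --keyring "$3" --verify "$1" "$2"
}

# Usage: sh verify_release.sh ARCHIVE SHA256SUMS [ARCHIVE.sig ./KEYRING]
if [ "$#" -ge 2 ]; then
  if verify_sha256 "$1" "$2"; then echo "sha256: OK"; else echo "sha256: FAILED"; exit 1; fi
  if [ "$#" -ge 4 ]; then
    if verify_signature "$3" "$1" "$4"; then echo "signature: OK"; else echo "signature: FAILED"; exit 1; fi
  fi
fi
```

The order matters for the thread's threat model: confirm the fingerprint once (against copies from more than one site), import that key into its own keyring, and only then let a passing gpg --verify mean anything; the sha256 step is the cheaper fallback Reply #6 proposes when no signature is published.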