Verification in AUR Land Is Security Theater

Makepkg says to verify the key 449190F3235ABD3B. I decide today is the day I stop relying on –skippgpcheck. Wonderful.

From $HOME/.makepkg.conf, I set $GNUPGHOME to a freshly created gpg directory (as there are different kinds of “trust” in the world, and mixing personal keys with makepkg keys confuses two, separate kinds). This feature is not documented in makepkg’s man pages, but a contributor to makepkg mentions it here. I then run gpg –search-keys using my original $GNUPGHOME because hey, all it does is search, and something may very well be missing from the new $GNUPGHOME. Gpg, however, gives an error about dirmngr not running. I check dirmngr.conf. I try $( gpg-connect-agent –dirmngr ). “IPC connect call failed.” Fine, that’s another problem. There are still options, though, and I step over that rabbit hole.

I decide to verify the key manually, searching the PGP public key server at MIT. That’s a pretty big one, right? Sorry, the key is not there… All right, let’s try SKS. After all, that one is recommended in the GnuPG FAQ! That counts for something, right? “No results found.” Okay… I’ll just search for the key ID using a regular, Internet search engine.

DDG returns one result, and this link isn’t even it. Fine… perhaps DDG is small-time. Perhaps their web crawlers run on bread-powered ducks. Whatever. I seek the help of a multi-billion dollar corporation, which provides five results! The first is the same result from DDG! The remaining four are two copies each of the very signature error I foolishly thought, earlier this morning, that I could resolve through mere perseverance and rational protocol. These results were posted not by humans but by logging utilities.

The package that started this whole mess has 70 votes. It has a git repo with absolutely no references to signatures or pgp keys… Well, what would you do at this point? Do you trust the single entry from the CS department at Utrecht University? Did you even know that Utrecht had a university? … Had you even heard the word “Utrecht” once in your life before today?

Most importantly, do you honestly care at this point? The listed user has “debian” in his name. I can trust that, right?

Verification in AUR Land is security theater. It is not real security, because it is not feasible. Knowledgeable users may respond by pointing out PKGBUILD’s validpgpkeys, but aksr (the uploader) is just a regular user. Why should I trust him? Because I want to view PDF files with vi-like controls, that’s why. Such baseless trust is tantamount to –skippgpcheck, the very option that will earn your relay-chatting buttocks a paddling in #archlinux.

But seriously, you should trust him. I mean, look at all these.

I pity the people who spend as much free time as I do, wrestling imaginary monsters, and I apologize to the fine citizens of the Netherlands for implying their municipalities deserve anything less than international renown.

AUR verification is security theater.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s