Newsgroups: php.internals
Xref: news.php.net php.internals:122882
Date: Tue, 2 Apr 2024 19:27:32 +0200
Subject: Re: [PHP-DEV]
Requiring GPG Commit Signing
To: PHP Developers Mailing List
From: tovilo.ilija@gmail.com (Ilija Tovilo)

Hi Derick

On Tue, Apr 2, 2024 at 4:15 PM Derick Rethans wrote:
>
> What do y'all think about requiring GPG signed commits for the php-src
> repository?

Let me repost my internal response for visibility.

I'm currently struggling to understand what kind of attack signing commits prevents. If your GitHub account is compromised, GitHub allows the attacker to commit via web interface and will happily sign their commits with a gpg key auto-generated for your account. See:

https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification

> GitHub will automatically use GPG to sign commits you make using the web interface. Commits signed by GitHub will have a verified status. You can verify the signature locally using the public key available at https://github.com/web-flow.gpg.

Even if this wasn't the case, the attacker may simply register their own gpg key in your account, with the commits appearing as verified.

If your ssh key is compromised instead, and you use ssh to sign your commits, the attacker may sign their malicious commits with that same key they may use to push.

The only thing this really seems to prevent is pushing commits via a compromised ssh key, while commits need to be signed with gpg. If that's the intention, we should require using gpg rather than ssh for signing (or using a different ssh key, I suppose). Additionally, it may help for people who push via HTTP+auth token, but that's probably not advisable in the first place.

Something that may also help is restricting pushes to patch branches (PHP-x.y.z) to release managers. These branches are not commonly looked at by the public, and so it may be easier to sneak malicious commits into them.

In addition, we should keep GitHub privileges narrow, especially branch protection configuration.

As mentioned by others, this does not prevent the xz issue. But paired with an auto-deployment solution, it could definitely help. It would be even better if release managers cannot change CI, and CI maintainers cannot create releases, as this essentially enforces the 4-eyes principle. The former may be hard to enforce, as CI lives in the same repository.

Another solution might be to require PRs, and PR verifications. But this will inevitably create overhead for maintainers.

Ilija
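The point made above, that a "Verified" badge says nothing about which key produced the signature, can be checked mechanically: git can print the fingerprint of the signing key for every commit, and a script can compare that fingerprint against an allowlist of keys the project actually trusts, flagging GitHub's web-flow key (a signature made in the web UI, which only proves account access) and any key that is not on the list. The following is an added example written for this thread; it is not php-src tooling and not code by the message's author. It assumes git 2.19 or newer (for the `%GF` placeholder) and that the signing keys are importable into the local gpg keyring so git can report a fingerprint. All fingerprints and commit hashes in it are constructed, and the web-flow fingerprint is a placeholder to be replaced with the real one from https://github.com/web-flow.gpg.

```python
"""Audit which keys actually signed a range of commits.

Added example, not code from php-src or from the thread's author.
Assumes git >= 2.19 (%GF) and that signing keys are in the local gpg
keyring. Fingerprints and hashes below are constructed placeholders.
"""
import subprocess
from dataclasses import dataclass

# One record per commit: hash, %G? status, fingerprint of the signing key,
# signer name. Fields are separated by ASCII unit separator (0x1f) so signer
# names containing spaces or tabs cannot break parsing.
SEP = "\x1f"
LOG_FORMAT = "%H%x1f%G?%x1f%GF%x1f%GS"

# Placeholder (constructed). Obtain the real value with:
#   curl -s https://github.com/web-flow.gpg | gpg --show-keys --with-fingerprint
WEB_FLOW_FINGERPRINT = "0000000000000000000000000000000000000000"

# Constructed allowlist: fingerprint -> owner. Not real php-src keys.
ALLOWED_KEYS = {
    "1111111111111111111111111111111111111111": "release manager A",
    "2222222222222222222222222222222222222222": "release manager B",
}


@dataclass(frozen=True)
class Finding:
    commit: str
    status: str
    fingerprint: str
    signer: str
    reason: str


def audit(log_output, allowed=ALLOWED_KEYS, web_flow=WEB_FLOW_FINGERPRINT):
    """Return one Finding per commit whose signature should not be trusted.

    %G? values: G good, U good but key validity unknown locally, B bad,
    E cannot check, X/Y/R good but expired/expired-key/revoked, N unsigned.
    'U' is accepted because the allowlist, not the local web of trust,
    is the trust anchor here.
    """
    findings = []
    for line in log_output.splitlines():
        if not line:
            continue
        fields = line.split(SEP)
        if len(fields) != 4:
            raise ValueError(f"unexpected git log record: {line!r}")
        commit, status, fpr, signer = fields
        fpr = fpr.upper()
        if status == "N":
            reason = "unsigned commit"
        elif status == "B":
            reason = "bad signature (content changed after signing)"
        elif status == "E":
            reason = "signature cannot be checked (key missing or gpg error)"
        elif status in ("X", "Y", "R"):
            reason = f"signed with expired or revoked key (status {status})"
        elif fpr == web_flow.upper():
            reason = ("signed by GitHub's web-flow key: made in the web UI, "
                      "proves only that the account was used")
        elif fpr not in allowed:
            reason = ("signing key not on the allowlist: could be a key an "
                      "attacker registered on a compromised account")
        else:
            continue  # good signature by an allowlisted key
        findings.append(Finding(commit, status, fpr, signer, reason))
    return findings


def git_log(rev_range, repo="."):
    """Run git log in the given repo and return raw records for audit()."""
    proc = subprocess.run(
        ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    )
    return proc.stdout


# Constructed sample output in LOG_FORMAT, standing in for `git log`.
C_OK_A, C_WEB, C_UNKNOWN, C_UNSIGNED, C_OK_B = (
    "a1" * 20, "b2" * 20, "c3" * 20, "d4" * 20, "e5" * 20)
SAMPLE_LOG = "\n".join([
    SEP.join([C_OK_A, "G", "1" * 40, "Release Manager A"]),
    SEP.join([C_WEB, "G", WEB_FLOW_FINGERPRINT, "GitHub"]),
    SEP.join([C_UNKNOWN, "U", "3" * 40, "Some Contributor"]),
    SEP.join([C_UNSIGNED, "N", "", ""]),
    SEP.join([C_OK_B, "G", "2" * 40, "Release Manager B"]),
])

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.commit[:12]} [{f.status}] {f.signer or '-'}: {f.reason}")
```

Against a real repository, replace `SAMPLE_LOG` with `git_log("origin/PHP-8.3..HEAD")` or similar. For SSH-signed commits git already has this allowlist built in (`gpg.ssh.allowedSignersFile`, checked by `git verify-commit`); there is no equivalent for GPG signatures, which is why the script compares fingerprints itself. A GitHub "Verified" badge passes the first two checks of this audit and fails the third, which is the gap described in the message.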