Newsgroups: php.internals
Xref: news.php.net php.internals:122884
References: <3e988b3b-65b8-13d3-16cf-1296bfdd7ed2@php.net>
Date: Tue, 02 Apr 2024 17:44:16 +0000
To: php internals
Subject: Re: [PHP-DEV] Requiring GPG Commit Signing
From: larry@garfieldtech.com ("Larry Garfield")

On Tue, Apr 2, 2024, at 5:27 PM, Ilija Tovilo wrote:
> Hi Derick
>
> On Tue, Apr 2, 2024 at 4:15 PM Derick Rethans wrote:
>>
>> What do y'all think about requiring GPG signed commits for the php-src
>> repository?
>
> Let me repost my internal response for visibility.
>
> I'm currently struggling to understand what kind of attack signing
> commits prevents.
>
> If your GitHub account is compromised, GitHub allows the attacker to
> commit via web interface and will happily sign their commits with a
> gpg key auto-generated for your account.
>
> See:
> https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification
>
>> GitHub will automatically use GPG to sign commits you make using the web interface. Commits signed by GitHub will have a verified status. You can verify the signature locally using the public key available at https://github.com/web-flow.gpg.
>
> Even if this wasn't the case, the attacker may simply register their
> own gpg key in your account, with the commits appearing as verified.
>
> If your ssh key is compromised instead, and you use ssh to sign your
> commits, the attacker may sign their malicious commits with that same
> key they may use to push.
>
> The only thing this really seems to prevent is pushing commits via a
> compromised ssh key, while commits need to be signed with gpg. If
> that's the intention, we should require using gpg rather than ssh for
> signing (or using a different ssh key, I suppose). Additionally, it
> may help for people who push via HTTP+auth token, but that's probably
> not advisable in the first place.
>
> Something that may also help is restricting pushes to patch branches
> (PHP-x.y.z) to release managers. These branches are not commonly
> looked at by the public, and so it may be easier to sneak malicious
> commits into them.
>
> In addition, we should keep GitHub privileges narrow, especially
> branch protection configuration.
>
> As mentioned by others, this does not prevent the xz issue. But paired
> with an auto-deployment solution, it could definitely help. It would
> be even better if release managers cannot change CI, and CI
> maintainers cannot create releases, as this essentially enforces the
> 4-eyes principle. The former may be hard to enforce, as CI lives in
> the same repository.
>
> Another solution might be to require PRs, and PR verifications. But
> this will inevitably create overhead for maintainers.
>
> Ilija

Coming from corporate projects at the moment, I always hard-block pushing straight to the master branch. Everything goes through a PR, and has to be approved by someone other than the author, guaranteeing 4 eyes for every line of code. And that's for internal backend services.

It's always struck me as mind-boggling that a project the size of PHP doesn't do that. Yes, it's a little more overhead, but with the larger team we now have (thanks to the Foundation) I believe the human-security checks it gives us are well worth it. (And just from a technical standpoint, even the best developer goofs up and needs their code reviewed by someone.)

I have no particular input on the code signing front, other than please have clear documentation to follow for someone setting it up for the first time as GPG has always been a UX nightmare. :-)

--Larry Garfield
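The practical consequence of Ilija's point is that "Verified" on GitHub is not a useful policy signal by itself: a commit made through the web UI is signed by GitHub's own web-flow key, and a compromised account can register any key. What a project has to check instead is *which* key signed each commit. The script below is an added example, not php-src tooling and not from any participant in this thread. It reads the output of `git log --format='%H%x1f%G?%x1f%GK%x1f%GS%x1f%s'` (these placeholders are documented in git-log(1)) and rejects commits that are unsigned, carry a non-good signature, are signed by the GitHub web-flow key, or are signed by a key outside a per-developer allowlist. The key IDs and the sample log lines are constructed placeholders; substitute the real web-flow key ID (derivable from https://github.com/web-flow.gpg) and your developers' keys.

```python
"""Reject commits not signed by a known developer key, regardless of GitHub's "Verified" badge.

Usage (assumed):
    git log --format='%H%x1f%G?%x1f%GK%x1f%GS%x1f%s' origin/master..HEAD | python3 check_sigs.py
With no piped input the built-in constructed sample is audited instead.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass
from typing import Optional

# Field separator used in the git format string (%x1f = ASCII unit separator);
# it cannot occur in a key ID, signer string or commit subject.
SEP = "\x1f"
GIT_FORMAT = "%H%x1f%G?%x1f%GK%x1f%GS%x1f%s"

# Constructed placeholder long key IDs -> developer. Assumption: a real
# deployment keeps this mapping out of band (or in a file signed by a release
# manager), never in the same branch the pusher controls.
ALLOWED_SIGNING_KEYS = {
    "A1B2C3D4E5F60718": "alice",
    "0F1E2D3C4B5A6978": "bob",
}

# Placeholder for the key ID GitHub uses to sign web-interface commits (the real
# key is published at https://github.com/web-flow.gpg). A signature by this key
# proves only that *some* account used the web UI, so it is rejected here even
# though GitHub displays such commits as "Verified".
GITHUB_WEB_FLOW_KEY = "FFFFFFFF00000000"

# Values of %G? as documented in git-log(1).
STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "signature cannot be checked (missing key)",
    "N": "no signature",
}


@dataclass
class Commit:
    sha: str
    status: str   # %G?
    key_id: str   # %GK (empty when unsigned)
    signer: str   # %GS (empty when unsigned)
    subject: str  # %s


def parse_git_log(text: str) -> list[Commit]:
    """Parse one commit per line, in the field order of GIT_FORMAT."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(SEP, 4)
        if len(fields) != 5:
            raise ValueError(f"malformed log line: {line!r}")
        commits.append(Commit(*fields))
    return commits


def violation(c: Commit) -> Optional[str]:
    """Return why the commit fails policy, or None if it passes."""
    if c.status == "N":
        return "unsigned"
    if c.status != "G":
        return f"signature not good: {STATUS.get(c.status, c.status)}"
    if c.key_id == GITHUB_WEB_FLOW_KEY:
        return "signed by GitHub web-flow key (web UI commit), not a developer key"
    if c.key_id not in ALLOWED_SIGNING_KEYS:
        return f"key {c.key_id} ({c.signer or 'unknown signer'}) not in allowlist"
    return None


def audit(text: str) -> list[tuple[str, str]]:
    """All (sha, reason) pairs for commits that violate the policy, in log order."""
    return [(c.sha, r) for c in parse_git_log(text) if (r := violation(c)) is not None]


# Constructed sample of what `git log --format="$GIT_FORMAT"` would print.
SAMPLE_LOG = "\n".join(SEP.join(f) for f in [
    ("1111111", "G", "A1B2C3D4E5F60718", "Alice <alice@example.org>", "Fix bug"),
    ("2222222", "G", "FFFFFFFF00000000", "GitHub <noreply@github.com>", "Update README.md"),
    ("3333333", "N", "", "", "wip"),
    ("4444444", "G", "DEADBEEFDEADBEEF", "Mallory <mallory@example.net>", "Improve build"),
    ("5555555", "B", "A1B2C3D4E5F60718", "Alice <alice@example.org>", "Refactor"),
])


if __name__ == "__main__":
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    problems = audit(text)
    for sha, why in problems:
        print(f"{sha[:12]} {why}")
    sys.exit(1 if problems else 0)
```

Run it over the range being pushed in CI or in a pre-receive hook, with `gpg` able to see the developers' public keys so that `%G?` can reach `G`. The allowlist only helps if it is controlled by someone other than whoever can push the branch being checked; otherwise it collapses back into the single point of compromise Ilija describes.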