Brian Gough’s Notes

occasional GNU-related news

2048-bit GPG Smartcards and Package Signing

I received a new 2048-bit RSA version 2 GPG smartcard today (ordered from Kernel Concepts). Previously I was using the older version 1.0 and 1.1 smartcards, with 1024-bit keys.

I’ve been signing software releases with a GPG smartcard for several years now (before that, with a key stored on disk) and have been migrating my systems over to smartcards for keysigning and SSH. The ultimate goal is to not have any keys stored on disk on any network accessible machine. I also verify the signatures of sources that I download as far as possible, through the web of trust. Initially this was pretty restrictive but after a few years making an effort to keysign at conferences, I’m able to check most packages.
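The download-and-verify step described above, written out as an added shell example that is not part of the original post. It assumes a GnuPG 2.x `gpg` binary; the maintainer key, the e-mail address and the tarball name are constructed for the demonstration and live in a throwaway `GNUPGHOME`. The point it makes is the one the web of trust adds: a signature that merely checks out (`GOODSIG`) is not enough, the signing key must also be fully or ultimately valid in your own keyring, otherwise anyone could sign a tampered tarball with a freshly made key.

```shell
#!/bin/sh
# Added example (not the post's own): verify a detached GPG signature on a
# release tarball and require that the signing key is valid through the web
# of trust (full or ultimate validity), not merely present in the keyring.
# Everything runs in a temporary GNUPGHOME with a constructed test key; the
# key, e-mail address and file names are assumptions for the demo.
set -u

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# Constructed maintainer key. On a real system the private half would be on
# the smartcard and only the public key would be on disk; the key generated
# in our own keyring is ultimately trusted, which stands in for a key we have
# verified and signed in person.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key "Test Maintainer <maintainer@example.invalid>" rsa2048 sign 1d

# Constructed "release": any bytes will do for the demonstration.
printf 'pretend this is foo-1.0.tar.gz\n' > "$WORK/foo-1.0.tar.gz"
gpg --batch --quiet --detach-sign --armor \
    -o "$WORK/foo-1.0.tar.gz.sig" "$WORK/foo-1.0.tar.gz"

# verify_release FILE SIG
# Returns 0 only when gpg reports a good signature AND the signing key is
# fully or ultimately valid in our keyring. A bad or missing signature
# returns 1; a good signature from an unknown or untrusted key returns 2.
# The machine-readable status lines (--status-fd) are checked rather than
# gpg's exit code alone, because gpg exits 0 for a good signature even
# when the key is completely untrusted.
verify_release() {
    status="$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null)" || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)' || return 2
    return 0
}

# Demonstration: the untouched tarball verifies, a tampered copy does not.
if verify_release "$WORK/foo-1.0.tar.gz" "$WORK/foo-1.0.tar.gz.sig"; then
    echo "foo-1.0.tar.gz: good signature from a trusted key"
else
    echo "foo-1.0.tar.gz: REJECTED (code $?)"
fi

cp "$WORK/foo-1.0.tar.gz" "$WORK/foo-1.0-tampered.tar.gz"
printf 'one extra byte changes everything\n' >> "$WORK/foo-1.0-tampered.tar.gz"
if verify_release "$WORK/foo-1.0-tampered.tar.gz" "$WORK/foo-1.0.tar.gz.sig"; then
    echo "tampered tarball: good signature (this should not happen)"
else
    echo "tampered tarball: REJECTED (code $?)"
fi
```

In day-to-day use the same `verify_release` check applies to a real `foo-1.0.tar.gz` and the `.sig` published next to it; the keyring it runs against should contain only keys whose validity comes from your own signatures or from people you have signed, so that "trusted" means something.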

During the keysigning session at the FSF’s LibrePlanet conference last month in Boston, Bradley Kuhn mentioned that he had actually built a basic working GNU/Linux system from scratch for crypto purposes, verifying all of the package signatures through people he had keysigned with — quite an achievement. I am inspired to follow in his footsteps and only use verified source-code.

Unfortunately, as far as I can tell — and I’m ready to be corrected here — neither GNOME nor KDE sign their source releases, which does concern me. Considering that most other projects have been signing releases for years, this appears to be an anomaly that I find hard to understand.

My personal motivation for better security dates back to 2003, when it was discovered that someone (or some group) had cracked the ftp.gnu.org server and had root access for over 3 months without being detected. As a result every maintainer had to do a complete audit of all files on the server, which was an extremely time-consuming process. This incident led to the requirement that all source packages on ftp.gnu.org be GPG-signed by the developer.

Version 2 GPG Smartcard:

[Image: version 2 GPG smartcard, front]

[Image: version 2 GPG smartcard, back]