Title: Release signing keys may be poisoned · Issue #29531 · nodejs/node · GitHub
Open Graph Title: Release signing keys may be poisoned · Issue #29531 · nodejs/node
X Title: Release signing keys may be poisoned · Issue #29531 · nodejs/node
Description: 💡 Initially reported in this comment, but I felt it warranted an issue of its own given the age of the issue on which it is attached. This is not an issue with Node.js itself, but rather with the manner in which the release team's keys a...
Open Graph Description: 💡 Initially reported in this comment, but I felt it warranted an issue of its own given the age of the issue on which it is attached. This is not an issue with Node.js itself, but rather with the m...
X Description: 💡 Initially reported in this comment, but I felt it warranted an issue of its own given the age of the issue on which it is attached. This is not an issue with Node.js itself, but rather with the m...
Opengraph URL: https://github.com/nodejs/node/issues/29531
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Release signing keys may be poisoned","articleBody":"\u003e :bulb: Initially reported in [this comment](https://github.com/nodejs/node/issues/709#issuecomment-530606948), but I felt it warranted an issue of its own given the age of the issue on which it is attached.\r\n\r\nThis is not an issue with Node.js itself, but rather with the manner in which the release team's keys are currently distributed.\r\n\r\n## Impact\r\n\r\nAutomated installations of Node.js binaries which depend upon the documented method of verifying release signatures are no longer functional. No suitable alternatives currently exist for obtaining public keys of the Node.js release team.\r\n\r\nAny tools which continue to rely on the SKS keyserver network may be rendered unusable by certificates poisoned via CVE-2019-13050.\r\n\r\n## Bottom Line\r\n\r\nThe SKS keyserver network is no longer a viable option for distributing release keys.\r\n\r\n## Details\r\n\r\nWith the recent and unmitigated [death](https://code.firstlook.media/the-death-of-sks-pgp-keyservers-and-how-first-look-media-is-handling-it) of the [SKS keyserver network](https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#the-consequences) (in [CVE-2019-13050](https://nvd.nist.gov/vuln/detail/CVE-2019-13050)), the [documented method](https://github.com/nodejs/node#release-keys) of obtaining the PGP public keys of the release team is no longer viable, and in fact may have [dire consequences to an OpenPGP installation](https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#mitigations). A different method of [distributing release keys](https://keys.openpgp.org/), or even of [signing and verifying](https://jedisct1.github.io/minisign/) the release package itself, is necessary.\r\n\r\n## Proposed Solution\r\n\r\nFor minimal impact, my recommendation would be to place the public keys or authorized releasers within this repo, under a **/keys** directory, in a manner similar to that of [signed RubyGems](https://guides.rubygems.org/security/#building-gems) (except instead of X.509 certificates in a *certs/* directory, we'd be talking about ASCII-armored PGP certificates in a *keys/* directory), and update the README with instructions on how to import those keys into the OpenGPG keychain from the repo instead of from the SKS keyserver network.\r\n\r\nAlternatively, or in addition to the above, publishing these keys to nodejs.org may also provide a second factor to build assurance of the keys' integrity.\r\n\r\n\u003e :bulb: Especially paranoid users may want to seek additional verification from unaffiliated yet equally trusted soruces by fetching and comparing keys from those sources as well.\r\n","author":{"url":"https://github.com/canterberry","@type":"Person","name":"canterberry"},"datePublished":"2019-09-12T00:09:24.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":5},"url":"https://github.com/29531/node/issues/29531"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:3b05fd45-cafb-f7ba-80eb-0430e493e3fd |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | 8B58:2DB422:EE465C:1474D25:6A4DD871 |
| html-safe-nonce | 5a1cc41dfaa9eaf369b630cf5b19f6c19f8623568396679d60ad9026bad4c04c |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI4QjU4OjJEQjQyMjpFRTQ2NUM6MTQ3NEQyNTo2QTRERDg3MSIsInZpc2l0b3JfaWQiOiIyOTQyNzI2MTUyMzY2MjI0NDkiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | 6504099b3fa4ae1b5801e4946b91074a5ad1d426323c6a2abee98ae6cbb7aeaf |
| hovercard-subject-tag | issue:492522511 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/nodejs/node/29531/issue_layout |
| twitter:image | https://opengraph.githubassets.com/7b08a786125753f6119a827e42792fa4af632f25f8199e0cca5e2a79f739ee8f/nodejs/node/issues/29531 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/7b08a786125753f6119a827e42792fa4af632f25f8199e0cca5e2a79f739ee8f/nodejs/node/issues/29531 |
| og:image:alt | 💡 Initially reported in this comment, but I felt it warranted an issue of its own given the age of the issue on which it is attached. This is not an issue with Node.js itself, but rather with the m... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | canterberry |
| hostname | github.com |
| expected-hostname | github.com |
| None | 06b8a6144231bf3a234f1c2e9993861e07ce98a905912b114aa386c2d7e84b33 |
| turbo-cache-control | no-preview |
| go-import | github.com/nodejs/node git https://github.com/nodejs/node.git |
| octolytics-dimension-user_id | 9950313 |
| octolytics-dimension-user_login | nodejs |
| octolytics-dimension-repository_id | 27193779 |
| octolytics-dimension-repository_nwo | nodejs/node |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 27193779 |
| octolytics-dimension-repository_network_root_nwo | nodejs/node |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 1d344bdb7547fe6bca17a59bb2b8aac3dc9532a0 |
| ui-target | canary-2 |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width