Release signing keys may be poisoned #29531
Comments
☝️ I volunteer to implement the proposed solution above, but will need copies of the release team's public keys in order to do so.
Discussion on this issue continues in nodejs/build#1913 -- keeping this issue around for reference, since this repo's README.md will need an update and it would be helpful to have an issue for the PR to reference.
Hi! This issue hasn't seen any activity in a while, and it looks like the issue was resolved, is it okay to close this issue?
The "bottom line" of this issue has been resolved -- SKS keyservers are no longer part of the release verification documentation. However, the class of vulnerability intended to be mitigated by the nodejs/release-keys repo remains -- the documented flow for release verification depends on a third-party service (i.e. a service not maintained or influenced by the Node.js release team). The nodejs/release-keys repo is not cross-referenced in https://github.com/nodejs/node?tab=readme-ov-file#verifying-binaries -- instead, references to SKS keyservers have simply been replaced with keys.openpgp.org. Thus, while the nodejs/release-keys repo does exist and is actively maintained, since it is not mentioned in the Node.js README for release verification, most users will likely not find it.
Got it. Feel free to open a PR to add the missing docs!
This is not an issue with Node.js itself, but rather with the manner in which the release team's keys are currently distributed.
Impact
Automated installations of Node.js binaries which depend upon the documented method of verifying release signatures are no longer functional. No suitable alternatives currently exist for obtaining public keys of the Node.js release team.
Any tools which continue to rely on the SKS keyserver network may be rendered unusable by certificates poisoned via CVE-2019-13050.
Bottom Line
The SKS keyserver network is no longer a viable option for distributing release keys.
Details
With the recent and unmitigated death of the SKS keyserver network (in CVE-2019-13050), the documented method of obtaining the PGP public keys of the release team is no longer viable, and in fact may have dire consequences for an OpenPGP installation. A different method of distributing release keys, or even of signing and verifying the release package itself, is necessary.
Proposed Solution
For minimal impact, my recommendation would be to place the public keys of authorized releasers within this repo, under a /keys directory, in a manner similar to that of signed RubyGems (except instead of X.509 certificates in a certs/ directory, we'd be talking about ASCII-armored PGP certificates in a keys/ directory), and update the README with instructions on how to import those keys into the OpenPGP keychain from the repo instead of from the SKS keyserver network.
Alternatively, or in addition to the above, publishing these keys to nodejs.org may also provide a second factor to build assurance of the keys' integrity.
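What the proposed flow looks like in practice, as an added example that is not code from the Node.js project or from the issue author: release keys are imported from a local keys/ directory into a throwaway keyring (no keyserver contact at all), the clearsigned SHASUMS256.txt.asc is verified, the signer's fingerprint is checked against a pinned allowlist parsed from gpg's machine-readable status output, and only then is the tarball's SHA-256 compared. Assumptions: gpg (GnuPG) is on PATH, the keys live in ./keys/*.asc, SHASUMS256.txt.asc sits next to the downloaded tarball, and ALLOWED_FINGERPRINTS contains placeholder values that a real deployment would replace with fingerprints obtained out of band (for instance cross-checked between the repo and nodejs.org, as suggested above).

```python
"""Verify a Node.js release from pinned keys rather than a keyserver.

Added example (not Node.js project code). Assumed layout: ASCII-armored
release keys in ./keys/*.asc, the release's SHASUMS256.txt.asc next to the
downloaded tarball, and gpg (GnuPG) on PATH. ALLOWED_FINGERPRINTS holds
placeholder values; a real deployment pins the release team's fingerprints
obtained out of band (e.g. cross-checked between the repo and nodejs.org).
"""
import hashlib
import os
import re
import subprocess
import sys
import tempfile
from pathlib import Path

# Placeholder fingerprints (hypothetical, not real Node.js release keys).
ALLOWED_FINGERPRINTS = {
    "0000000000000000000000000000000000000001",
}

# Status keywords that mean the signature must not be trusted even if gpg
# also prints VALIDSIG for it (bad/unverifiable sig, revoked or expired key).
REJECT_STATUS = {"BADSIG", "ERRSIG", "REVKEYSIG", "EXPKEYSIG", "NO_PUBKEY"}


def parse_gpg_status(status_lines, allowed):
    """Return the pinned fingerprint that produced a valid signature.

    gpg --status-fd emits lines such as
      [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <rsvd>
               <pk-algo> <hash-algo> <class> <primary-key-fpr>
    Only VALIDSIG carries full fingerprints; the exit status or GOODSIG alone
    says *some* key in the keyring signed, not *which*, so we pin on VALIDSIG.
    """
    found = []
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword = parts[1]
        if keyword in REJECT_STATUS:
            raise ValueError(f"gpg reported {keyword}; refusing to trust signature")
        if keyword == "VALIDSIG" and len(parts) >= 3:
            candidates = [parts[2].upper()]
            if len(parts) >= 12:  # primary-key fpr is present when a subkey signed
                candidates.append(parts[11].upper())
            found.extend(candidates)
    for fpr in found:
        if fpr in allowed:
            return fpr
    if found:
        raise ValueError(f"valid signature, but by unpinned key(s): {sorted(set(found))}")
    raise ValueError("no valid signature found")


def verify_signature(shasums_asc: Path, keys_dir: Path, allowed=ALLOWED_FINGERPRINTS):
    """Import keys/*.asc into a throwaway keyring and verify the clearsigned
    SHASUMS256.txt.asc. Returns (signer_fingerprint, signed_text)."""
    with tempfile.TemporaryDirectory() as home:  # isolated GNUPGHOME, mode 0700
        env = {**os.environ, "GNUPGHOME": home}
        key_files = sorted(str(p) for p in keys_dir.glob("*.asc"))
        if not key_files:
            raise FileNotFoundError(f"no *.asc keys in {keys_dir}")
        subprocess.run(["gpg", "--batch", "--quiet", "--import", *key_files],
                       env=env, check=True)
        out_path = Path(home) / "SHASUMS256.txt"
        # --decrypt on a clearsigned file verifies it and writes the signed
        # text to --output; --verify alone would not give us the text.
        proc = subprocess.run(
            ["gpg", "--batch", "--status-fd", "1", "--output", str(out_path),
             "--decrypt", str(shasums_asc)],
            env=env, capture_output=True, text=True)
        # Decide on the status lines first, then on the exit code.
        fpr = parse_gpg_status(proc.stdout.splitlines(), allowed)
        if proc.returncode != 0:
            raise ValueError(f"gpg exited {proc.returncode}: {proc.stderr.strip()}")
        return fpr, out_path.read_text()


def verify_checksum(shasums_text: str, filename: str, data: bytes) -> bool:
    """Compare data's SHA-256 with the entry for filename in the (already
    signature-verified) SHASUMS256.txt, whose lines look like
    '<64 hex>  node-v20.11.1-linux-x64.tar.xz'."""
    for line in shasums_text.splitlines():
        m = re.fullmatch(r"([0-9a-fA-F]{64})\s+\*?(\S+)", line.strip())
        if m and m.group(2) == filename:
            return hashlib.sha256(data).hexdigest() == m.group(1).lower()
    raise ValueError(f"{filename} is not listed in SHASUMS256.txt")


if __name__ == "__main__":
    # usage: python verify_release.py SHASUMS256.txt.asc keys/ node-vX-linux-x64.tar.xz
    asc, keys, tarball = (Path(a) for a in sys.argv[1:4])
    fpr, text = verify_signature(asc, keys)
    if not verify_checksum(text, tarball.name, tarball.read_bytes()):
        sys.exit(f"checksum mismatch for {tarball.name}")
    print(f"OK: {tarball.name} signed by {fpr}")
```

Two design points worth noting. The decision is made on VALIDSIG fingerprints rather than on gpg's exit status: a zero exit only means some key in the keyring verified the signature, and once keys are pulled from a directory anyone can open a PR against, pinning the fingerprints out of band is what turns "a key in keys/" into "a key the release team owns". When a releaser signs with a subkey, gpg reports the subkey fingerprint first and the primary key fingerprint last, so either may be pinned.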