Re: Dave Page's PGP key

> -----Original Message-----
> From: pgadmin-hackers-owner@postgresql.org
> [mailto:pgadmin-hackers-owner@postgresql.org] On Behalf Of
> Peter Eisentraut
> Sent: 22 July 2006 02:07
> To: pgadmin-hackers@postgresql.org
> Subject: [pgadmin-hackers] Dave Page's PGP key
>
> Either I'm doing something wrong or Dave Page's PGP key that
> is used to
> sign pgAdmin releases does not have any signatures on it.  That would
> make the process of verifying the releases rather impossible.

In order to compromise those file signatures, an attacker would have to
replace my public key on the pgAdmin SVN repo (from where it propagates
out to the webservers), and somehow replace the copy on the keyservers
(which you also checked right?), in addition to rewriting each signature
on a compromised file.

Compare that to the md5sum's that Greg(?) produces of the server which
are produced some time after the build based on whatever source Greg
uses to get the tarballs which may have already been compromised (I
generate the sigs as I build the releases). There is also no way to
verify the authenticity of the sums, except checking directly with Greg.

So no, I don't believe it's impossible to verify the pgAdmin releases -
we in fact have a mechanism that's far more secure than the more common
practice of file checksumming albeit not quite as watertight as it could
be. It would be good to get some signatures on my key, but up until very
recently the only names I could have got are ones that you would never
have heard of, and thus would not have proved anything. I must speak
with Greg about that...

Regards, Dave.