A lot of software is distributed with PGP keys. These can theoretically be used to verify that the software was created by the person who owns the key. (Sorry if I get the PGP details wrong, I have no practical experience with it.)

Software also comes over HTTPS. With Let’s Encrypt, the verification is tied to ownership of the domain (DNS records I think). So if you’re on ubuntu.com with HTTPS, you’re getting files only approved by whoever owns the ubuntu.com domain.

HTTPS is super convenient. If you’re paranoid, or the entire chain is not HTTPS (HTTPS links to HTTP downloads), you can use a hash program. Hash programs are implemented on all major OSs. It’s visually inspectable.

PGP on the other hand is such a mess that even some cryptographers don’t like it.

What practical threats would be stopped by a PGP key that are not stopped by HTTPS?

✅ plan A

  • good guy owns software.org
  • encrypts with let’s encrypt (only provided if they prove DNS ownership of software.org)
  • https page serves software download

✅ plan B

  • good guy owns software.org and has at some point signed a public key
  • serves page on software.org with software verifiable with PGP key import

❌ plan C

  • bad guy owns software.org
  • software is compromised, but you would never know
  • software is malware

❌ plan D

  • bad guy owns software.org
  • did not compromise the public key (created years prior by the true owner)
  • they cannot distribute software that matches the public key
  • software is malware, served over valid https, and verifiable with malware hashes served by bad guy
    • BigHeadMode@lemmy.frozeninferno.xyzOPEnglish
      11·
      13 hours ago

      Not sure what you’re getting at.

      plan A in my OP goes great. ubuntu.com has rarely if ever been compromised. They provide sha256 hashes over HTTPS via that site, see here. It’s signed with Lets Encrypt which updates every 90 days. In theory the Ubuntu PGP keys are more secure (less moving parts /attack surface) than their server, but in practice a compromise of Ubuntu.com lasting longer than 90 days would be extraordinary. Most times I see mirrors, the hashes are provided on the main site, which renders the mirrors obviously correct or incorrect. I can download an Ubuntu ISO from malware.ru and verify that it’s authentic with the sha hash.

      The only flaw I have found in plan A is plan D.

      ❌ plan D

      • bad guy owns software.org
      • did not compromise the public key (created years prior by the true owner)
      • they cannot distribute software that matches the public key
      • software is malware, served over valid https, and verifiable with malware hashes served by bad guy

      With a hash, assuming you can verify it properly, you know ubuntu.com served you what it wanted to serve you.

      Getting an md5 or sha-1 hash is pretty easy even on Windows. There’s some BS md5 or sha function built in to Windows if you know where to look. It’s built in to most unixes with commands like md5sum and shasum. Those algorithms have few if any real-world flaws, but sha256 is plenty popular now and has no(?) known flaws.

      If this is some comment in the vein of “Reflections on Trusting Trust” – there are tons of hash programs out there that can be run offline that will predate software to be hashed by years if not decades. I trust these myriad programs to provide accurate hashes.

      • wildbus8979@sh.itjust.worksEnglish
        1·
        9 hours ago

        I don’t think you understand how apt works. Anyone can roll out a mirror.

        Also, again, the hashes need verification. Trusting the transport rather than a signature is obviously going to lead to compromise somewhere in the chain.

        Look buddy, you do you. If you clearly already aren’t using the signatures provided with hashes when you use hashes, so it’s no bother to you. Apt, and I, will continue doing so.