PGP key recommendations for Ubuntu Development
Spyros Seimenis
spyros.seimenis at canonical.com
Thu Sep 25 12:00:33 UTC 2025
Hi everyone,
I love seeing this discussion happening here and the points raised by Aaron
because this is a topic I have argued on many times in the past. I would
like to reiterate on the value brought by hw tokens.
some developers may
> reasonably distrust such keys (vulnerabilities in the embedded
> hardware of Yubikeys have been found before), and there are other ways
> to store a GPG key in a highly secure fashion, for instance by using
> an airgapped system, or (as I plan to do in the future) a Qubes OS
> machine with an airgapped vault VM.
It is true that vulnerabilities are everywhere but in the end it is a
matter of trust. In general I would expect an air-gapped system to actually
have far more vulnerabilities compared to a hw token that is purpose-built,
as the former has a lot more components. More components usually lead to
more potential vulnerabilities. More importantly though, to trust an
air-gapped system, it needs to be able to provide verifiable claims about
itself. The OS that is running on it, the installation medium that was
used, list of each individual hw component of the machine, how they work
together, how the system has booted etc. It is very hard (maybe impossible)
to provide these sorts of claims for all potential system configurations
ubuntu developers may have and also in a format that can be verified later.
With hw keys the attestation process becomes tractable. Yes you now have to
trust the manufacturer of the hw key but this is a single extra entity
which can actually provide verifiable claims about its state.
The other argument against the air-gapped system (only) approach is that
even if you did generate your key in a highly secure air-gapped system, you
still have to have some subkey available to the system that you do work on
(which supposedly is online and not air-gapped) for i.e signing operations.
The guide already describes this. The thing is, everyone can get hacked. An
attacker who has access to your machine can use your locally stored key to
sign things that you wouldn't sign otherwise (hw token or not), they can
steal your passphrase, they can trick you to touch your hw key (even with
user presence configured). But one thing they won't be able to do is
ex-filtrate the key itself and use it without you being able to notice it
somehow (unless they physically steal the key from you, which hopefully you
would also notice). I think this is an important security property that has
value by itself.
It is a given that when I am trusting Ubuntu, I am already implicitly
trusting each of its individual developers and their claims that they know
how to manage their keys but I would be much more comfortable if I could
verify some of those claims cryptographically when possible.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-devel/attachments/20250925/43b6a5a5/attachment-0001.html>
More information about the ubuntu-devel
mailing list