BUG #17028: Publish PGP Keys on 3rd party domains (enable out-of-band verifications)

From: PG Bug reporting form
Subject: BUG #17028: Publish PGP Keys on 3rd party domains (enable out-of-band verifications)
Date:
Msg-id: 17028-82168ffe04eb3a99@postgresql.org
List: pgsql-bugs
The following bug has been logged on the website:

Bug reference:      17028
Logged by:          Michael Altfield
Email address:      postgresql_2021@michaelaltfield.net
PostgreSQL version: Unsupported/Unknown
Operating system:   All
Description:

Hello,

Can you please list all of the official PostgreSQL PGP keys on some
third-party website other than postgresql.org?

I am having issues figuring out exactly what are the valid keys/fingerprints
of the official PostgreSQL PGP keys used for both [a] signing official
releases and [b] contacting PostgreSQL.

It would be best if, in addition to making the official PostgreSQL PGP keys
clearly listed on postgresql.org (see bug #17027), they would also be listed
on a distinct domain so that end-users could verify the integrity of those
fingerprints out-of-band.

In case it isn't clear, there are significant security risks with the X.509
security model used by my browser (or curl, etc.) when downloading your gpg
key from hashicorp.com. HSTS is great when re-visiting a website, but the
first time I visit hashicorp.com, it wouldn't be too difficult for a
malicious actor to MITM the connection with a cert signed by the extremely
large list of CAs trusted by popular browsers -- which includes, for
example, organizations controlled by State Actors who have a history of
human rights abuses. And, historically, included many CAs that had to be
removed because the CA's private key was stolen or was otherwise signing
certificates that they shouldn't have been. If any cert is signed by any of
those CAs, a MITM actor can send the wrong gpg key to a client, and the
browser will show no indication of wrongdoing.

...not to mention the fact that PostgreSQL's DNS or infrastructure could be
hacked and there's no other domain for a user to cross-validate against.

I recommend listing all of PostgreSQL's official PGP key fingerprints on as
many third-party websites as possible, including:

    1. An official Keybase.io profile https://keybase.io/postgresql
    2. Your official Twitter profile https://twitter.com/postgresql
    3. In your git repo, which is mirrored on github.com (e.g. in a KEYS file
here https://github.com/postgres/postgres)
    4. Other official social media profiles

For general best-practices (and how other open-source projects manage their
PGP keys and their distribution), see also:

    1. https://riseup.net/en/security/message-security/openpgp/best-practices
    2. https://infra.apache.org/release-signing
    3. https://docs.opendev.org/opendev/system-config/latest/signing.html
    4. https://wiki.debian.org/Subkeys

Please collect all of the official PostgreSQL PGP keys that are used for
signing releases and email contact and publish their full fingerprints on
some third-party domains.


Thank you,

Michael Altfield
https://www.michaelaltfield.net
PGP Fingerprint: 0465 E42F 7120 6785 E972  644C FE1B 8449 4E64 0D41

Note: If you cannot reach me via email, please check to see if I have
changed my email address by visiting my website at
https://email.michaelaltfield.net
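The cross-validation the report asks for, shown from the user's side as an added example (not PostgreSQL project code and not part of the original message): compute the v4 fingerprint of a downloaded key locally (RFC 4880 §12.2: SHA-1 over 0x99, a two-byte length, and the public-key packet body), normalize the fingerprints gathered from several independently hosted sources, and refuse the key unless every source agrees and at least a minimum number of sources was consulted. The key packet, the source names and the published fingerprint strings are all constructed for illustration; the fingerprint formatting matches the grouping gpg prints.

```python
"""Out-of-band cross-check of an OpenPGP key fingerprint (added example)."""
import hashlib
import re


def v4_fingerprint(public_key_packet_body: bytes) -> str:
    """RFC 4880 s12.2: v4 fingerprint = SHA-1(0x99 || 2-byte body length || body)."""
    prefix = b"\x99" + len(public_key_packet_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + public_key_packet_body).hexdigest().upper()


def normalize(fpr: str) -> str:
    """Canonical 40-hex-digit form: drop a '0x' prefix, whitespace and colons; uppercase."""
    s = fpr.strip()
    if s.lower().startswith("0x"):
        s = s[2:]
    s = re.sub(r"[\s:]", "", s).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", s):
        raise ValueError(f"not a v4 fingerprint: {fpr!r}")
    return s


def pretty(fpr: str) -> str:
    """gpg-style grouping: ten groups of four, with a double space after the fifth."""
    s = normalize(fpr)
    groups = [s[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def cross_check(key_body: bytes, published: dict, minimum_sources: int = 2):
    """Compare the locally computed fingerprint against fingerprints from several sources.

    Returns (ok, computed_fingerprint, {source: normalized_fingerprint} for every
    source that disagrees). ok is False on any disagreement or too few sources.
    """
    computed = v4_fingerprint(key_body)
    disagree = {src: normalize(f) for src, f in published.items()
                if normalize(f) != computed}
    agreeing = len(published) - len(disagree)
    return (not disagree and agreeing >= minimum_sources), computed, disagree


def _mpi(value: int) -> bytes:
    """OpenPGP MPI encoding: 2-byte bit length followed by the big-endian magnitude."""
    mag = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return value.bit_length().to_bytes(2, "big") + mag


# Constructed v4 RSA public-key packet body (NOT a real key; the modulus is a toy value):
# version(1) | creation time(4) | algorithm(1)=RSA | MPI n | MPI e
CONSTRUCTED_KEY_BODY = (
    b"\x04" + (1622505600).to_bytes(4, "big") + b"\x01"
    + _mpi(0xC0FFEE_DEADBEEF_0BADF00D_FEEDFACE) + _mpi(65537)
)


def run_demo() -> dict:
    """Exercise the check on the constructed key; returns the results for inspection."""
    fpr = v4_fingerprint(CONSTRUCTED_KEY_BODY)
    # Hypothetical sources; each publishes the same fingerprint in its own formatting.
    consistent = {
        "https://www.postgresql.org/ (assumed page)": pretty(fpr),
        "https://keybase.io/postgresql (assumed profile)": fpr.lower(),
        "KEYS file in the git mirror (assumed)": "0x" + fpr,
    }
    # Same sources, but the first-visit download from one of them was tampered with.
    tampered = dict(consistent)
    tampered["https://www.postgresql.org/ (assumed page)"] = "DEAD" * 10
    return {
        "fingerprint": fpr,
        "consistent": cross_check(CONSTRUCTED_KEY_BODY, consistent),
        "tampered": cross_check(CONSTRUCTED_KEY_BODY, tampered),
        # One source only: nothing to cross-validate against, so the check fails.
        "single_source": cross_check(CONSTRUCTED_KEY_BODY, {"only source": fpr}),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

In practice the published fingerprints would be fetched (or copied by hand) from the separate domains the report lists, and the key body would come from the packet the downloaded key file starts with (`gpg --list-packets` shows it); the point of the check is that a MITM on any single download changes the computed fingerprint, so it no longer matches what the other, independently hosted, sources publish.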

