# Verifying Signatures
When building and downloading software, it is essential to verify signatures to ensure the software's integrity.

Verification of software depends on two primary aspects:
* Ensuring that the hash of a binary matches some point of reference, for example the same binary previously built by a trusted team member, or a hash hosted alongside the software in the download location.
* Ensuring that signatures alongside hashes are from trusted asymmetric keys (e.g. PGP keys).

To achieve this, one must establish that specific keys are "well known" and can be trusted, that is, that they belong to a given individual. The best method is to exchange keys in person, but combining several of the following methods gives even higher confidence:
* Verifying the key in person
* Finding a reference to a public key on the individual's personal website
* Finding a reference to a public key on the individual's social media platforms
* Finding a Keyoxide profile for a given public key
* Finding a reference to a public key on a company website
* Looking up the key on popular key servers to see whether the given individual is associated with it

Each point of reference allows us to build confidence that the key is indeed owned by an individual.

One other consideration is how the key is protected. If possible, find out how the individual manages their key. If the key is stored on a local machine, the trust level for that key should be low. If the individual always manages their keys in air-gapped environments and on HSMs, then a higher level of trust can be ascribed, although in most cases it is ultimately impossible to verify that the individual followed a given key management policy.

One favorable method for ensuring that a key was never exposed is using built-in cryptographic attestation that a key never left a TPM, such as the one offered by YubiKey. This type of key setup has the downside that the key cannot be backed up, but one could use a master key to sign such a key, authorizing it for use, which keeps the flexibility to rotate if the hardware token is damaged or lost.
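
The two checks described above (a hash that matches a reference, and a signature from a trusted key), as an added example that is not part of the original page. It pins the primary (master) key fingerprint rather than the signing subkey, so a rotated hardware-token subkey still verifies. The function names and file arguments are illustrative, and GnuPG plus GNU coreutils `sha256sum` are assumed.

```shell
#!/bin/sh
# Added example. Hypothetical: function names; file names and the pinned
# fingerprint are supplied by the caller. Assumes GnuPG and sha256sum.

# Read `gpg --status-fd 1 --verify` output on stdin. Print the primary-key
# fingerprint only when the signature is good and the key is not expired or
# revoked (GOODSIG). VALIDSIG field 12 is the primary key, field 3 the subkey.
signer_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
         $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = (NF >= 12 ? $12 : $3) }
         END { if (good && fpr != "") print fpr }'
}

# Normalise a fingerprint copied from a website or profile:
# strip spaces and colons, uppercase the hex digits.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# Succeed only if the file's SHA-256 is listed under its own name in the sums
# file. Appending "" forces awk to compare as strings, never as numbers.
hash_listed() {  # usage: hash_listed <artifact> <sums-file>
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] || return 1
    awk -v h="$actual" -v n="$(basename "$1")" \
        '($1 "") == (h "") && ($2 == n || $2 == ("*" n)) { ok = 1 }
         END { exit !ok }' "$2"
}

# The sums file must be signed by the pinned key, then the hash must be listed.
verify_release() {  # usage: verify_release <artifact> <sums> <sums.asc> <fpr>
    status=$(gpg --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null) || return 1
    signer=$(printf '%s\n' "$status" | signer_primary_fpr)
    pinned=$(normalise_fpr "$4")
    # A full 40-hex (v4) fingerprint is required; short key IDs are rejected.
    [ "${#pinned}" -eq 40 ] && [ "$signer" = "$pinned" ] || return 1
    hash_listed "$1" "$2"
}
```

The pinned fingerprint passed to `verify_release` should be the one confirmed through the points of reference listed earlier, not one read from the download location itself.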