Signatures are like backups
I’m indebted to a colleague who many years ago succinctly told me:
Backups don’t matter, only restores matter.
It’s a deceptively simple observation: if your goal is durability, what you truly care about is your ability to restore from a backup. The existence of the backup itself is meaningless – backups are not magic totems of durability. Teams that are serious about durability don’t just take backups; they actually verify that they can restore from them. Knowing this, organizations that take backups, but have never done anything to verify their ability to restore from them suddenly don’t look quite so serious about durability.
This is also the perfect analogy for cryptographic signatures: Signatures don’t matter, only verification matters. If your goal is ensuring the authenticity of data, that assurance doesn’t come from signing the data — it comes from verifying the signature. A signature that no one verifies provides the same guarantee of authenticity as the durability provided by a backup that no one restores from. Zero.
This means that when we design a signature system, our focus must be on verification. Yet, what I see all too often are systems with elaborate mechanisms for signing data, but little to no plan for verification. Nowhere is this more prevalent than in package signing schemes.
The hardest problem in package signing isn’t creating the signature itself; it’s figuring out which key to use to verify that signature. How does a package manager or installer know which key to trust for which package? If you’re truly focused on verification as the core goal, then this question becomes the centerpiece of your design. But if you’re obsessed with the act of producing signatures, this problem often goes unnoticed or, worse, ignored.
You can spot package signing systems that missed the mark by looking for a few telltale signs:
- Documentation that talks extensively about how to produce a signature, but barely mentions how to verify one.
- SDKs for signing get shipped before any usable verification tools are available.
- When verification tools are provided, they’re cumbersome or impractical for actual use.
- No one can clearly articulate the security guarantees the system provides when you verify the signatures it produces.
Increasingly, people are interested in package signing schemes designed for wide-spread use (and therefore have affordances for common real-world situations like “the laptop with my private key on it broke”). However, these systems will not, and can not, provide actual security unless there is as much focus on how to verify a signature as there is in producing a signature. Just like the point of backups is restoring from them, the point of signatures is verifying them.