[gentoo-dev] GPG Signed packages
From: Yi Qiang
Date: 2003-11-22 2:09 UTC
To: gentoo-dev

I think this has been brought up many times before, but as most of us know, many of the debian servers have been compromised recently. This has reinstated fear into many people about how "trustful" our distfile repositories really are. If indeed one is compromised it would be too easy for someone to slip a backdoor into a package, especially since I and a lot of other gentoo users simply ignore md5 checksums. If a digest fails we simply ebuild foo.ebuild digest it again. I think an option should be made that would allow failing packages if gpg fails. (I think Redhat does something like this.) This of course is not a foolproof way, but a big improvement over what is currently done to ensure package integrity.

Yi
Re: [gentoo-dev] GPG Signed packages
From: Lisa Seelye
Date: 2003-11-22 4:38 UTC
To: khai; +Cc: Gentoo Dev

On Fri, 2003-11-21 at 21:09, Yi Qiang wrote:
> I think this has been brought up many times before, but as most of us
> know, many of the debian servers have been compromised recently. This
> has reinstated fear into many people about how "trustful" our distfile
> repositories really are. If indeed one is compromised it would be too
> easy for someone to slip a backdoor into a package, especially since I
> and a lot of other gentoo users simply ignore md5 checksums. If a
> digest fails we simply ebuild foo.ebuild digest it again. I think an
> option should be made that would allow failing packages if gpg fails. (I
> think Redhat does something like this.) This of course is not a
> foolproof way, but a big improvement over what is currently done to
> ensure package integrity.

If the key server/signature is compromised you have gained nothing over the way we have it now. Adding it is just another way for something to go wrong.

As for users doing ebuild foo.ebuild digest blindly - that's a good way to put your box at serious risk.

-- 
Regards,
-Lisa
<Scarcely is any peace so unjust that it is not better than the most just war>
Re: [gentoo-dev] GPG Signed packages
From: Andrew Gaffney
Date: 2003-11-22 5:24 UTC
To: Gentoo Dev

Lisa Seelye wrote:
> On Fri, 2003-11-21 at 21:09, Yi Qiang wrote:
>
>> I think this has been brought up many times before, but as most of us
>> know, many of the debian servers have been compromised recently. This
>> has reinstated fear into many people about how "trustful" our distfile
>> repositories really are. If indeed one is compromised it would be too
>> easy for someone to slip a backdoor into a package, especially since I
>> and a lot of other gentoo users simply ignore md5 checksums. If a
>> digest fails we simply ebuild foo.ebuild digest it again. I think an
>> option should be made that would allow failing packages if gpg fails. (I
>> think Redhat does something like this.) This of course is not a
>> foolproof way, but a big improvement over what is currently done to
>> ensure package integrity.
>
> If the key server/signature is compromised you have gained nothing over
> the way we have it now. Adding it is just another way for something to
> go wrong.
>
> As for users doing ebuild foo.ebuild digest blindly - that's a good way
> to put your box at serious risk.

I agree that the current system is good the way it is. If someone is dumb enough to ignore a failing MD5 on anything other than MPlayer fonts, and I'm sure most of us have done 'ebuild digest mplayer-x.xx.ebuild' at one point or another (I have), another check isn't going to keep them from opening up their box, anyway.

-- 
Andrew Gaffney

-- 
gentoo-dev@gentoo.org mailing list
Re: [gentoo-dev] GPG Signed packages
From: Torsten Veller
Date: 2003-11-22 9:13 UTC
To: Gentoo Dev

* Lisa Seelye <lisa@gentoo.org>:
> On Fri, 2003-11-21 at 21:09, Yi Qiang wrote:
> > how "trustful" our distfile
> > repositories really are. If indeed one is compromised it would be too
> > easy for someone to slip a backdoor into a package, especially since I
> > and a lot of other gentoo users simply ignore md5 checksums.

Ignoring md5 checksums is not even necessary. As a holder of a distfile mirror I can put a patch in the 'files' dir and generate a suitable md5. The user will not see that he got fooled/backdoored. And best: if you wait long enough (after a new version) the local distfiles are overwritten and every piece of evidence in /var/db/pkg is wiped out.

> If the key server/signature is compromised you have gained nothing over
> the way we have it now. Adding it is just another way for something to
> go wrong.

Yes, but as long as your key is not compromised everyone will see that the distfiles come from the same source.

> As for users doing ebuild foo.ebuild digest blindly - that's a good way
> to put your box at serious risk.

ACK. So the user should be able to verify that every file did not get altered. And this is only possible with signed sources.

-- 
.: Torsten | Don't tell any big lies today. Small ones can be :.
.:         | just as effective.                                :.
Re: [gentoo-dev] GPG Signed packages
From: James Harlow
Date: 2003-11-22 13:15 UTC
To: gentoo-dev

On Fri, Nov 21, 2003 at 11:38:55PM -0500, Lisa Seelye wrote:
> If the key server/signature is compromised you have gained nothing over
> the way we have it now.

This isn't true. GPG *can* be done with trusted keyservers, but as you point out that's silly. The best way to do it is with the web of trust.

We generate a key for trusted@gentoo.org, who signs, say, avenj's, drobbins's, and seemant's keys, and is then removed from the computer and put onto 3 or so CDs (for redundancy), which are locked away in a safe. avenj, drobbins and seemant go around signing every developer's key (this is the hardest part because it shouldn't be automated). The public key for trusted@gentoo.org is then posted to an area of gentoo.org, made available on the mirrors, posted to keyservers, etc., and the fingerprint is made widely available (mailing lists, IRC topics, etc.). The gentoo developers and some of the gentoo power users (hopefully the ones who are most active on the forums, mailing lists, and IRC) sign the trusted@gentoo.org key.

We then have the following properties:

* everyone knows what the trusted@gentoo.org public key is.
* no one knows, or can possibly find out, what the private key is.
* the widespread knowledge of the public key cannot easily be changed.

This allows gentoo to distribute signed (by drobbins, seemant and avenj) livecds and stageballs that contain the public key itself. Users are encouraged to verify these signatures and are told what the signatures not matching means (i.e., danger).

Let's examine a few things that can go wrong once this is in place:

A distfiles mirror is cracked:
Lots of users download trojan'd packages, which fail verification against the maintainer's GPG key. The cracker can't fake a signature - that's one of the properties of a digital signature. The mirror admin is notified, mirror is cleaned up. No damage is done - in fact this probably looks *good* for Gentoo. With the current system, it would be easily possible to compromise hundreds of people's machines.

A developer's machine is cracked, and his keys stolen:
Fake packages are uploaded, and possibly hundreds of machines are affected. This is pretty bad. The developer issues a revocation of his key, which is propagated in the same way that new keys are, and affected users find out that their machines have been compromised and which specific packages caused it. They can then start rebuilding their machines, or doing forensics, or whatever. Contrast this with the current system, where we have to hope that they hear the announcement, or come on IRC at the right time, or whatever, in which case they have to do a fairly painful manual investigation of all their packages.

(Worst case scenario): Drobbins's machine is cracked and his keys are stolen.
This is actually not much worse than a developer's keys being stolen. Contrast this with how things are at the moment, which would be disaster.

> Adding it is just another way for something to go wrong.

This is absolutely true. Public key infrastructure was never designed to stop things going wrong - this is still a hard problem that rests with administrators. What it does do is to make tampering much easier to detect, and when things do go wrong to put them right much more quickly and correctly than would otherwise be possible.

I hope I've convinced people this is valuable.

-- 
When a true genius appears in the world, you may know him by this sign, that the dunces are all in confederacy against him.
- Jonathan Swift
Re: [gentoo-dev] GPG Signed packages
From: Aron Griffis
Date: 2003-11-22 22:45 UTC
To: gentoo-dev

James Harlow wrote: [Sat Nov 22 2003, 08:15:57AM EST]
> I hope I've convinced people this is valuable.

I was convinced already, but it's really nice to see some first steps listed and some worst case scenarios covered.

md5sums help to prevent problems due to corrupted downloads and/or corrupted mirrors. This can include corruption due to malicious tampering. However it doesn't provide the avenues of detection and containment provided by signatures. An additional benefit of signatures is that they can only be generated by a developer, whereas md5sums can be generated by whoever.

Would it be possible to store the signatures in a file separate from the sources themselves, similar to the digests at the moment?

Aron

-- 
Aron Griffis
Gentoo Linux Developer (alpha / ia64 / ruby / vim)
Key fingerprint = E3B6 8734 C2D6 B5E5 AE76 FB3A 26B1 C5E3 2010 4EB0
Re: [gentoo-dev] GPG Signed packages
From: Frank Zschockelt
Date: 2003-11-23 10:45 UTC
To: gentoo-dev

Aron Griffis (agriffis@gentoo.org) wrote:
> Would it be possible to store the signatures in a file separate from the
> sources themselves, similar to the digests at the moment?

Of course.

$ man gpg
[...]
       -b, --detach-sign
              Make a detached signature.
[...]

Franky
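The argument running through Torsten Veller's and James Harlow's posts, and Frank's detached-signature answer, can be made concrete with a small model. The following is an added example written for this archive page; it is not Portage code and not anything the posters wrote. A Manifest of MD5 digests is signed once by a developer with a detached signature. A mirror operator who swaps a tarball and regenerates the digests satisfies the digest-only check but not the signature check, and a leaked developer key is handled by revocation rather than by rebuilding trust from scratch. The distfile contents, the Manifest layout, the key id "dev" and the key pair are all constructed for the demo; the RSA is a textbook toy (deterministic 160-bit primes, hash-then-sign without padding) that stands in for GPG so the script runs offline.

```python
"""Digest-only vs. signed-Manifest verification, modelled in plain Python.

Added example for this thread; not Portage code and not anything the posters wrote. The
distfiles, Manifest layout and key pair are constructed; the RSA is a textbook toy
(deterministic 160-bit primes, no padding) standing in for GPG so it runs offline.
"""
import hashlib
import math
import random

DISTFILES = {"foo-1.0.tar.gz": b"original upstream tarball bytes"}  # constructed sample

def make_digest(files):
    """Portage-style digest: filename -> MD5 hex. Anyone holding the files can regenerate it."""
    return {name: hashlib.md5(data).hexdigest() for name, data in files.items()}

def digest_ok(files, digest):
    """The check Portage does today: every listed file hashes to its listed value."""
    return set(files) == set(digest) and all(
        hashlib.md5(files[n]).hexdigest() == h for n, h in digest.items())

def serialize(digest):
    """Canonical Manifest bytes; this is what the developer signs, detached from the sources."""
    return "".join(f"MD5 {h} {n}\n" for n, h in sorted(digest.items())).encode()

def _probable_prime(n, rng, rounds=20):
    """Miller-Rabin with random witnesses; only called on odd 160-bit candidates."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if _probable_prime(cand, rng):
            return cand

def keygen(seed, bits=160):
    """Deterministic toy key pair; n is 320 bits, so a SHA-256 hash fits without padding."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits, rng), _random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))  # (public, private)

def sign(priv, data):  # priv = (n, d); hash-then-sign over SHA-256
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), priv[1], priv[0])

def verify(pub, data, sig):  # pub = (n, e)
    return pow(sig, pub[1], pub[0]) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def verify_release(files, digest, detached_sig, trusted_keys, revoked):
    """Signature-aware check: 'ok', 'bad-signature', 'revoked-key' or 'bad-digest'."""
    keyid, sig = detached_sig
    pub = trusted_keys.get(keyid)
    if pub is None or not verify(pub, serialize(digest), sig):
        return "bad-signature"  # Manifest altered, or signer not in our web of trust
    if keyid in revoked:
        return "revoked-key"    # genuine signature, but the developer has revoked this key
    if not digest_ok(files, digest):
        return "bad-digest"     # Manifest genuine; the download itself is corrupt or swapped
    return "ok"

def scenario_mirror_tamper():
    """Torsten's case: the mirror operator swaps the tarball and regenerates the digest."""
    dev_pub, dev_priv = keygen(seed=2003)
    digest = make_digest(DISTFILES)
    detached = ("dev", sign(dev_priv, serialize(digest)))  # developer signs once, upstream
    tampered = {"foo-1.0.tar.gz": DISTFILES["foo-1.0.tar.gz"] + b" + backdoor"}
    tampered_digest = make_digest(tampered)                # mirror recomputes the MD5s
    return {
        "honest": verify_release(DISTFILES, digest, detached, {"dev": dev_pub}, set()),
        "digest_only": digest_ok(tampered, tampered_digest),  # True: MD5 alone is satisfied
        "signed": verify_release(tampered, tampered_digest, detached, {"dev": dev_pub}, set()),
    }

def scenario_key_compromise():
    """James's bad case: the developer's private key leaks, then the key is revoked."""
    dev_pub, dev_priv = keygen(seed=2003)
    tampered = {"foo-1.0.tar.gz": b"attacker build"}
    digest = make_digest(tampered)
    forged = ("dev", sign(dev_priv, serialize(digest)))  # signed with the stolen key
    return {
        "before_revocation": verify_release(tampered, digest, forged, {"dev": dev_pub}, set()),
        "after_revocation": verify_release(tampered, digest, forged, {"dev": dev_pub}, {"dev"}),
    }
```

The ordering inside verify_release is the point of the model: the signature over the Manifest is checked first, against a key the client already trusts, and only then are the downloaded files compared with the Manifest. That is why regenerating the MD5s after swapping a file does not help a mirror operator, and why the stolen-key case degrades to "the developer revokes, clients reject" instead of requiring every user to audit their packages by hand.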