From owner-freebsd-pkg@FreeBSD.ORG Tue Jan 14 13:27:59 2014 Return-Path: Delivered-To: freebsd-pkg@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 82B86807; Tue, 14 Jan 2014 13:27:59 +0000 (UTC) Received: from shell0.rawbw.com (shell0.rawbw.com [198.144.192.45]) by mx1.freebsd.org (Postfix) with ESMTP id 6CEF514C5; Tue, 14 Jan 2014 13:27:59 +0000 (UTC) Received: from eagle.yuri.org (stunnel@localhost [127.0.0.1]) (authenticated bits=0) by shell0.rawbw.com (8.14.4/8.14.4) with ESMTP id s0EDRwr9068515; Tue, 14 Jan 2014 05:27:58 -0800 (PST) (envelope-from yuri@rawbw.com) Message-ID: <52D53B5E.9020705@rawbw.com> Date: Tue, 14 Jan 2014 05:27:58 -0800 From: Yuri User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 MIME-Version: 1.0 To: Baptiste Daroussin Subject: Re: Does pkg check signatures? References: <52D5269A.5090803@rawbw.com> <52D52926.5090104@infracaninophile.co.uk> <52D530CE.4090908@rawbw.com> <20140114125830.GB77567@ithaqua.etoilebsd.net> In-Reply-To: <20140114125830.GB77567@ithaqua.etoilebsd.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-pkg@FreeBSD.org X-BeenThere: freebsd-pkg@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Binary package management and package tools discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 13:27:59 -0000 On 01/14/2014 04:58, Baptiste Daroussin wrote: > What is signed is the catalog which contains the hash of all the available > packages. How is this fingerprint on the local system updated when the remote catalog file changes? > > So the signature is only checked during pkg update in case the database is being > updated not during package installation because it the not needed, the fetched > packages are tested agains their hash. I think this process is very weak. Normal procedure goes like this: * During system installation, public key of the distributor is installed on the local system. One key per repository. Should be verified by admin if this is a concern. * Every downloaded file should be downloaded together with its signature. Signature is computed on the server using the private key of the distributor. * Signature of every single downloaded file should be checked. No exceptions. NSS https://developer.mozilla.org/en-US/docs/NSS has all such procedures. Current procedure is flawed for the following reasons: 1. No clear automated process of fingerprint update is defined. (In fact, no secure automated way of its update is possible) 2. Security is opt-in. And it should be opt-out. (There is a big difference) I don't think this fingerprinting scheme can survive a security review. pkgng without proper package signing can't be recommended to users because it is a clear security threat. Yuri