Date: Tue, 14 Jan 2014 14:48:20 +0100 From: Baptiste Daroussin <bapt@FreeBSD.org> To: Yuri <yuri@rawbw.com> Cc: freebsd-pkg@FreeBSD.org Subject: Re: Does pkg check signatures? Message-ID: <20140114134820.GC77567@ithaqua.etoilebsd.net> In-Reply-To: <52D53B5E.9020705@rawbw.com> References: <52D5269A.5090803@rawbw.com> <52D52926.5090104@infracaninophile.co.uk> <52D530CE.4090908@rawbw.com> <20140114125830.GB77567@ithaqua.etoilebsd.net> <52D53B5E.9020705@rawbw.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--32u276st3Jlj2kUU Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jan 14, 2014 at 05:27:58AM -0800, Yuri wrote: > On 01/14/2014 04:58, Baptiste Daroussin wrote: > > What is signed is the catalog which contains the hash of all the availa= ble > > packages. >=20 > How is this fingerprint on the local system updated when the remote=20 > catalog file changes? >=20 > > > > So the signature is only checked during pkg update in case the database= is being > > updated not during package installation because it the not needed, the = fetched > > packages are tested agains their hash. >=20 > I think this process is very weak. > Normal procedure goes like this: > * During system installation, public key of the distributor is installed= =20 > on the local system. One key per repository. Should be verified by admin= =20 > if this is a concern. This is what we have > * Every downloaded file should be downloaded together with its=20 > signature. Signature is computed on the server using the private key of= =20 > the distributor. Why if you have a trusted list of hashes of what you will download? > * Signature of every single downloaded file should be checked. No=20 > exceptions. NSS https://developer.mozilla.org/en-US/docs/NSS has all=20 > such procedures. Why if you have a trusted list of hashes of what you will download? > Current procedure is flawed for the following reasons: > 1. No clear automated process of fingerprint update is defined. (In=20 > fact, no secure automated way of its update is possible) yes there is, distributed via freebsd-update. > 2. Security is opt-in. And it should be opt-out. (There is a big differen= ce) it is opt-out on FreeBSD 10+ as the default configuration is with signature check. >=20 > I don't think this fingerprinting scheme can survive a security review. > pkgng without proper package signing can't be recommended to users=20 > because it is a clear security threat. secteam doesn't seem to agree with you, talk to them. regards, Bapt --32u276st3Jlj2kUU Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (FreeBSD) iEYEARECAAYFAlLVQCQACgkQ8kTtMUmk6EzkngCeL0+m/URFfIJWowTUNHCnc/lE RlgAoJqUvX5wtzWat9hMlhLuQzPXf10T =uKrg -----END PGP SIGNATURE----- --32u276st3Jlj2kUU--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140114134820.GC77567>