From owner-freebsd-pkg@FreeBSD.ORG Tue Jan 14 13:48:28 2014 Return-Path: Delivered-To: freebsd-pkg@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 00809D7C for ; Tue, 14 Jan 2014 13:48:27 +0000 (UTC) Received: from mail-wi0-x230.google.com (mail-wi0-x230.google.com [IPv6:2a00:1450:400c:c05::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 738101642 for ; Tue, 14 Jan 2014 13:48:27 +0000 (UTC) Received: by mail-wi0-f176.google.com with SMTP id hq4so3711588wib.3 for ; Tue, 14 Jan 2014 05:48:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:user-agent; bh=+F8FWT96puRq4soAptGveUAxXHTIVgj/lZlfb3FPJAk=; b=ROvhBIUx8xZPssb8FJ6Fk+4vgrvtNH5vVdJBwWXM9EeSo18OpyCxRNS5CdasB1X7i7 JoBkmBMvrZ+hqJ5T5/5X/j8jXsFgqrL0UvXEtNY2w6VdCsEBOpsrh9wg/q0UWbGVeUAp yXaFThwE9dJZz219rahkOdd6PZlMM3tzyIEourk47ooqwkLkZRMS4q/+1AEt1SbcWQST 02GvKTErKHZRJxUa/3h6yKJZ/AK46ZBosECUgqzP/hITVNsOfClW26WRPDVkS5KniUjh Jc1pPp5gVF6LQ8m+RcCVGzcuS/2bE/2s6ZxiT3fibEKIPQdoXpkJdQK3xbwhB4Ylcten QAUQ== X-Received: by 10.194.109.68 with SMTP id hq4mr27935868wjb.12.1389707303592; Tue, 14 Jan 2014 05:48:23 -0800 (PST) Received: from ithaqua.etoilebsd.net (ithaqua.etoilebsd.net. [37.59.37.188]) by mx.google.com with ESMTPSA id fp9sm3468541wib.8.2014.01.14.05.48.22 for (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 14 Jan 2014 05:48:22 -0800 (PST) Sender: Baptiste Daroussin Date: Tue, 14 Jan 2014 14:48:20 +0100 From: Baptiste Daroussin To: Yuri Subject: Re: Does pkg check signatures? Message-ID: <20140114134820.GC77567@ithaqua.etoilebsd.net> References: <52D5269A.5090803@rawbw.com> <52D52926.5090104@infracaninophile.co.uk> <52D530CE.4090908@rawbw.com> <20140114125830.GB77567@ithaqua.etoilebsd.net> <52D53B5E.9020705@rawbw.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="32u276st3Jlj2kUU" Content-Disposition: inline In-Reply-To: <52D53B5E.9020705@rawbw.com> User-Agent: Mutt/1.5.21 (2010-09-15) Cc: freebsd-pkg@FreeBSD.org X-BeenThere: freebsd-pkg@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Binary package management and package tools discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 13:48:28 -0000 --32u276st3Jlj2kUU Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jan 14, 2014 at 05:27:58AM -0800, Yuri wrote: > On 01/14/2014 04:58, Baptiste Daroussin wrote: > > What is signed is the catalog which contains the hash of all the availa= ble > > packages. >=20 > How is this fingerprint on the local system updated when the remote=20 > catalog file changes? >=20 > > > > So the signature is only checked during pkg update in case the database= is being > > updated not during package installation because it the not needed, the = fetched > > packages are tested agains their hash. >=20 > I think this process is very weak. > Normal procedure goes like this: > * During system installation, public key of the distributor is installed= =20 > on the local system. One key per repository. Should be verified by admin= =20 > if this is a concern. This is what we have > * Every downloaded file should be downloaded together with its=20 > signature. Signature is computed on the server using the private key of= =20 > the distributor. Why if you have a trusted list of hashes of what you will download? > * Signature of every single downloaded file should be checked. No=20 > exceptions. NSS https://developer.mozilla.org/en-US/docs/NSS has all=20 > such procedures. Why if you have a trusted list of hashes of what you will download? > Current procedure is flawed for the following reasons: > 1. No clear automated process of fingerprint update is defined. (In=20 > fact, no secure automated way of its update is possible) yes there is, distributed via freebsd-update. > 2. Security is opt-in. And it should be opt-out. (There is a big differen= ce) it is opt-out on FreeBSD 10+ as the default configuration is with signature check. >=20 > I don't think this fingerprinting scheme can survive a security review. > pkgng without proper package signing can't be recommended to users=20 > because it is a clear security threat. secteam doesn't seem to agree with you, talk to them. regards, Bapt --32u276st3Jlj2kUU Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (FreeBSD) iEYEARECAAYFAlLVQCQACgkQ8kTtMUmk6EzkngCeL0+m/URFfIJWowTUNHCnc/lE RlgAoJqUvX5wtzWat9hMlhLuQzPXf10T =uKrg -----END PGP SIGNATURE----- --32u276st3Jlj2kUU--