From owner-freebsd-pkg@FreeBSD.ORG Tue Jan 14 11:59:28 2014
Return-Path:
Delivered-To: freebsd-pkg@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 711F8287 for ; Tue, 14 Jan 2014 11:59:28 +0000 (UTC)
Received: from shell0.rawbw.com (shell0.rawbw.com [198.144.192.45]) by mx1.freebsd.org (Postfix) with ESMTP id 57A391DD1 for ; Tue, 14 Jan 2014 11:59:28 +0000 (UTC)
Received: from eagle.yuri.org (stunnel@localhost [127.0.0.1]) (authenticated bits=0) by shell0.rawbw.com (8.14.4/8.14.4) with ESMTP id s0EBxMRW053302 for ; Tue, 14 Jan 2014 03:59:22 -0800 (PST) (envelope-from yuri@rawbw.com)
Message-ID: <52D5269A.5090803@rawbw.com>
Date: Tue, 14 Jan 2014 03:59:22 -0800
From: Yuri
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: freebsd-pkg@freebsd.org
Subject: Does pkg check signatures?
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-pkg@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Binary package management and package tools discussion
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 14 Jan 2014 11:59:28 -0000

In October an announcement was made that pkg-1.2 will support package signing:
https://lists.freebsd.org/pipermail/freebsd-pkg/2013-October/000107.html

Now I am running 'pkg install' using pkg-1.2.5 on 9.2, and don't see it opening any files related to keys/signatures in the ktrace log.

When pkg downloads anything from the central repository (packages, sqlite databases or any other files), all files should be signed with the private key, and pkg(8) should be checking signatures with the public key, and refuse to work in case of failure. This should be the default behavior.

Please beware of this attack: https://github.com/infobyte/evilgrade
It doesn't (yet) have a FreeBSD plugin, but it is a matter of a few hours to write one. Evilgrade could be made to repackage the package .txz files (or sqlite files) on the fly, and to add arbitrary new files into them. It only takes one malicious DNS server for this. Using such a DNS server, an attacker can inject malicious code into the victim systems.

Various forms of DNS hijacking are quite widespread today. Routers, providers, WiFi hackers and (presumably) government agencies do this for various reasons.

Without mandatory package signing by default, pkg(8) presents a security threat to the system.

Yuri
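The fail-closed verification policy the post asks for, shown as an added example in Go; this is not pkg(8)'s code and says nothing about pkg's actual signature format. It assumes an Ed25519 key pair generated inline (standing in for the repository's signing key and the public key shipped with the client), signs the SHA-256 digest of each fetched file, and models a file altered in transit after signing with a constructed `ModifiedCopy` helper. A transaction containing even one artifact whose signature does not validate installs nothing; an artifact signed with a key the client does not trust is rejected the same way.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RepoArtifact is anything fetched from a package repository (a package .txz,
// a catalogue, an sqlite database) together with the detached signature the
// repository published alongside it.
type RepoArtifact struct {
	Name      string
	Data      []byte
	Signature []byte
}

// ErrBadSignature is returned whenever an artifact fails verification; callers
// must treat it as fatal rather than falling back to the unverified bytes.
var ErrBadSignature = errors.New("signature verification failed")

// SignArtifact is the repository-side step: the build host signs the SHA-256
// digest of the file with its private key. Signing a digest rather than the
// whole file is this example's own choice, not a statement about pkg's format.
func SignArtifact(priv ed25519.PrivateKey, name string, data []byte) RepoArtifact {
	digest := sha256.Sum256(data)
	return RepoArtifact{Name: name, Data: data, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyArtifact is the client-side check: the bytes are handed back only if
// the signature validates under the trusted public key.
func VerifyArtifact(pub ed25519.PublicKey, a RepoArtifact) ([]byte, error) {
	digest := sha256.Sum256(a.Data)
	if !ed25519.Verify(pub, digest[:], a.Signature) {
		return nil, fmt.Errorf("%s: %w", a.Name, ErrBadSignature)
	}
	return a.Data, nil
}

// FetchAndInstall applies a fail-closed policy: every artifact of the
// transaction is verified before anything is installed, so a single bad
// signature aborts the whole run and installs nothing.
func FetchAndInstall(pub ed25519.PublicKey, artifacts []RepoArtifact) ([]string, error) {
	for _, a := range artifacts {
		if _, err := VerifyArtifact(pub, a); err != nil {
			return nil, err
		}
	}
	installed := make([]string, 0, len(artifacts))
	for _, a := range artifacts {
		installed = append(installed, a.Name)
	}
	return installed, nil
}

// ModifiedCopy returns the artifact with extra bytes appended to its payload
// while the original signature is left in place. It models a file altered in
// transit after the repository signed it (constructed for this demonstration).
func ModifiedCopy(a RepoArtifact, extra []byte) RepoArtifact {
	data := append(append([]byte{}, a.Data...), extra...)
	return RepoArtifact{Name: a.Name, Data: data, Signature: a.Signature}
}

func main() {
	// Constructed key pair standing in for the repository's signing key and
	// the public key shipped with the client.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	catalogue := SignArtifact(priv, "packagesite.txz", []byte("constructed catalogue contents"))
	tampered := ModifiedCopy(catalogue, []byte("appended after signing"))

	if _, err := FetchAndInstall(pub, []RepoArtifact{catalogue}); err != nil {
		fmt.Println("unexpected:", err)
	} else {
		fmt.Println("genuine catalogue accepted")
	}
	if _, err := FetchAndInstall(pub, []RepoArtifact{catalogue, tampered}); err != nil {
		fmt.Println("refused:", err)
	}
}
```

The two-pass shape of `FetchAndInstall` is deliberate: verifying each artifact just before installing it would leave a partially applied transaction behind when a later file fails, whereas verifying the whole set first means a rejected file costs nothing but the download.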