Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 14 Jan 2014 03:59:22 -0800
From:      Yuri <yuri@rawbw.com>
To:        freebsd-pkg@freebsd.org
Subject:   Does pkg check signatures?
Message-ID:  <52D5269A.5090803@rawbw.com>

next in thread | raw e-mail | index | archive | help
In October announcement has been made that pkg-1.2 will support package 
signing: 
https://lists.freebsd.org/pipermail/freebsd-pkg/2013-October/000107.html
Now I am running 'pkg install' using pkg-1.2.5 on 9.2, and don't see it 
opening any files related to keys/signatures in ktrace log.

When pkg downloads anything from the central repository (packages, 
sqlite databases or any other files), all files should be signed with 
the private key, and pkg(8) should be checking signatures with the 
public key, and refuse to work in case of failure. This should be the 
default behavior.

Please beware of this attack https://github.com/infobyte/evilgrade It 
doesn't (yet) have FreeBSD plugin, but it is a matter of few hours to 
write one. Evilgrade could be made to repackage the package .txz files 
(or sqlite files) on the fly, and to add arbitrary new files into them. 
It only takes one malicious DNS server for this. Using such DNS server, 
attacker can inject malicious code into the victim systems. Various 
forms of DNS hijacking are quire widespread today. Routers, providers, 
WiFi hackers and (presumably) government agencies do this for various 
reasons.

Without mandatory package signing by default, pkg(8) presents a security 
threat to the system.

Yuri



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?52D5269A.5090803>