Hello, we are pleased to announce the release of aursec, a tool which aims to improve the security of using the AUR. We are writing it as part of our Bachelor's thesis.
It provides a secure hash database in a private Ethereum blockchain that stores hashes for specific package versions. The hash submitted by the largest number of distinct users becomes the consensus and can be queried and compared against.
The hash is formed from the PKGBUILD, install files and VCS sources, thereby adding a layer of verification on top of that provided by the hashes in the PKGBUILD. The threat model we defend against is targeted attacks against specific AUR users, e.g. using a hostile takeover and subsequent modification of an orphan package that would be reverted and therefore likely not noticed. If the target used aursec, he would see that his package has a different hash from what other users got.
Aursec takes a build folder containing a PKGBUILD and .SRCINFO and does all the work automatically. It calls makepkg --verifysrc in a firejail sandbox to download VCS sources and find out the current version.
$ aursec ~/aur/foo
$ find ~/aur -type d | aursec
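To make the consensus check described above concrete, here is an added illustration (not aursec's own code): it hashes the PKGBUILD and the install files named in .SRCINFO, picks the per-version hash backed by the most distinct users, and compares the local result against it. The file framing, the use of SHA-256 and the sample folder contents are assumptions made for the example; VCS sources are left out.

```python
import hashlib
import re
from collections import defaultdict
# Constructed stand-in for a ~/aur/foo build folder. The exact byte layout
# aursec hashes is not given in the announcement, so this framing is an
# assumption made for the example.
SAMPLE_DIR = {
    "PKGBUILD": b"pkgname=foo\npkgver=1.0\npkgrel=1\ninstall=foo.install\n",
    ".SRCINFO": b"pkgbase = foo\n\tpkgver = 1.0\n\tinstall = foo.install\n",
    "foo.install": b"post_install() {\n  echo installed\n}\n",
}
# Same package with a silently edited install script (constructed).
TAMPERED_DIR = {**SAMPLE_DIR, "foo.install": b"post_install() {\n  echo modified\n}\n"}

def srcinfo_install_files(srcinfo: bytes) -> list:
    """Names listed as 'install = ...' in .SRCINFO."""
    return re.findall(r"^\s*install\s*=\s*(\S+)", srcinfo.decode(), re.M)

def package_hash(files: dict) -> str:
    """SHA-256 over PKGBUILD and every install file named in .SRCINFO.
    Each file is framed as name NUL length NUL contents, so that renaming a
    file or moving bytes between files changes the digest."""
    h = hashlib.sha256()
    for name in ["PKGBUILD"] + sorted(srcinfo_install_files(files[".SRCINFO"])):
        data = files[name]
        h.update(name.encode() + b"\0" + str(len(data)).encode() + b"\0" + data)
    return h.hexdigest()

def consensus(submissions) -> dict:
    """submissions: (user, version, hash) triples as stored in the chain.
    Per version, the hash backed by the most distinct users wins; one user
    resubmitting the same hash counts once."""
    backers = defaultdict(lambda: defaultdict(set))
    for user, version, digest in submissions:
        backers[version][digest].add(user)
    return {v: max(d, key=lambda x: len(d[x])) for v, d in backers.items()}

def verify(files: dict, submissions, version: str) -> bool:
    """True when the local folder hashes to the consensus for that version."""
    return package_hash(files) == consensus(submissions).get(version)

# Constructed submissions: two honest users agree, one user pushes the
# tampered hash twice (counts once).
SAMPLE_SUBMISSIONS = [
    ("alice", "1.0", package_hash(SAMPLE_DIR)),
    ("bob", "1.0", package_hash(SAMPLE_DIR)),
    ("carol", "1.0", package_hash(TAMPERED_DIR)),
    ("carol", "1.0", package_hash(TAMPERED_DIR)),
]
```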
We would greatly appreciate feedback on the threat model, solution, and the usability of the tool itself.
Cheers, Bennett Piater and Lukas Krismer
aursec package: https://aur.archlinux.org/packages/aursec
: https://vps1.piater.name/file-sharing/r/_q35eP3Y89#wqDp8+hB9C22GdKrH4nD/HP1C...