On Fri, May 7, 2010 at 7:44 AM, Florian Pritz <bluewind@server-speed.net> wrote:
On 06.05.2010 22:48, Denis A. Altoé Falqueto wrote:
To check the validity of the repo.db signature, we can do:
1. pacman downloads the repo.db and the signature
2. gpg extracts the original hash from the signature
3. sha1sum recomputes the hash on the downloaded repo.db
4. the recomputed hash and the signed hash are compared
If the comparison is ok, the repo.db is intact. Otherwise, panic!!
Why can't you just sign the package, and let the rest of the process be the way it is? I don't understand why you have to sign the DB too. If the package signature is correct you can safely install it without worrying whether the DB is the latest or not.
If a developer gets compromised, you abandon his old key (post on the ML, news item, ... and tell users to update pacman-keyring; maybe you could also use a keyserver here where you just publish a revocation certificate), re-sign all clean packages and rebuild the rest.
Or am I missing something?
You're missing something. You have now opened up the possibility of

1. Replay attacks. Serve up an old DB with a package with a now-known security vuln. Even with signing this could be a problem, so...
2. Forging attacks. Generate your own package DB with packages of your choosing. As long as they were built by someone trusted (even if they are years old), nothing can stop this.

The **only** thing a package signature guarantees is that the packager says "at the time I built this, it was definitely me that did so", and nothing whatsoever about that package still being good to go.

Guys, I sent a link that explains all this: http://www.cs.arizona.edu/stork/packagemanagersecurity/

-Dan
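Added example, not part of the original thread and not pacman code: a small model of the two verification schemes discussed above, showing that package signatures alone accept a repackaged DB, that a signed DB rejects it, and that an old DB with its own old signature still verifies. HMAC-SHA256 stands in for GPG signatures, and every key, name and byte string is constructed for illustration.

```python
import hashlib
import hmac

# Constructed keys. HMAC-SHA256 stands in for GPG signatures (assumption):
# only "which key vouched for which bytes" matters for this model.
KEYS = {"packager": b"constructed-packager-key", "repo": b"constructed-repo-key"}

def sign(signer, data):
    return hmac.new(KEYS[signer], data, hashlib.sha256).hexdigest()

def verify(signer, data, sig):
    return hmac.compare_digest(sign(signer, data), sig)

def make_db(name, version, pkg):
    """One-entry stand-in for repo.db: name, version, package hash."""
    return f"{name} {version} {hashlib.sha256(pkg).hexdigest()}".encode()

def accept_package_only(db, pkg, pkg_sig):
    """Package signatures only: the DB contents are taken on faith."""
    return verify("packager", pkg, pkg_sig)

def accept_signed_db(db, db_sig, pkg, pkg_sig):
    """Signed DB: check DB signature, then DB-listed hash, then package signature."""
    if not verify("repo", db, db_sig):
        return False
    listed_hash = db.decode().split()[2]
    if not hmac.compare_digest(listed_hash, hashlib.sha256(pkg).hexdigest()):
        return False
    return verify("packager", pkg, pkg_sig)

# Constructed sample data: foo 1.0 was superseded by foo 1.1.
OLD_PKG, NEW_PKG = b"foo-1.0 contents", b"foo-1.1 contents"
OLD_SIG, NEW_SIG = sign("packager", OLD_PKG), sign("packager", NEW_PKG)
OLD_DB, NEW_DB = make_db("foo", "1.0", OLD_PKG), make_db("foo", "1.1", NEW_PKG)
OLD_DB_SIG, NEW_DB_SIG = sign("repo", OLD_DB), sign("repo", NEW_DB)

# A DB not produced by the repo: it relabels the old, genuinely signed
# package and carries no valid repo signature.
FORGED_DB, FORGED_DB_SIG = make_db("foo", "9.9", OLD_PKG), "0" * 64

if __name__ == "__main__":
    print("package-only, forged DB :", accept_package_only(FORGED_DB, OLD_PKG, OLD_SIG))
    print("signed DB, forged DB    :", accept_signed_db(FORGED_DB, FORGED_DB_SIG, OLD_PKG, OLD_SIG))
    print("signed DB, current DB   :", accept_signed_db(NEW_DB, NEW_DB_SIG, NEW_PKG, NEW_SIG))
    print("signed DB, replayed DB  :", accept_signed_db(OLD_DB, OLD_DB_SIG, OLD_PKG, OLD_SIG))
```

The last case is the replay problem that signing does not remove by itself: the old DB and its old signature are both genuine, so the check passes.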