On 19/06/10 03:45, Denis A. Altoé Falqueto wrote:
> Hi guys. One more of those long boring emails... sorry.
>
> See this situation: let's say we sign packages and the repo.db and the signatures are all detached, in the same directory as their corresponding files. If some cracker breaks into the machine and deletes the signatures, pacman will not be able to know if the packages and repo.db were signed or not. So, it would be necessary to have some way to indicate that a repository is signed or not, and this information must be kept in such a way that an intruder can't change it.
The signatures are currently placed in the repo-db. So only the repo db needs to be downloaded and not individual signatures. If an attacker deletes the repo database and its signature, that is probably the least of our issues... There will be many copies of a recent signed database that we can recover all the signatures from.
> Another factor to consider is that the signature verification should be optional for each system. I mean, if a user doesn't care about signatures, he should be able to say "pacman, I couldn't care less about signatures, please". So, I believe that the best place for such information should be in the pacman.conf file, in each repository section. Maybe one cares about signatures in one repository but not in another. And we would spread the attack surface over the entire user base, instead of concentrating it only on the server or mirrors.
I thought that this was already implemented.
> For the repository update, it would be like this:
>
> 1. for each repository
>    1.1. download the repo.db
>    1.2. if it is signed (and signature checking is enabled for that repo)
>         1.2.1. download the signature
>         1.2.2. check the signature
>    1.3. extract the db to its right place, as today
> For the package verification, it would be like this:
>
> 1. downloads the package
> 2. if the signature is enabled for the repository
>    2.1. if the package is signed (this information must come from repo.db)
>         2.1.1. download the signature for the package
No need for that step. The signature is in repo.db.
>         2.1.2. checks the signature
> For installation of local packages, I am not very worried about signatures. It could be optional, indicated via parameter.
Agreed.
> Well, I think that to store the new information, we'll have to break the ABI, won't we? Sorry to say this just a few days after the new release... Maybe we could have put in some new fields for future use.
Breaking API happens every major release. It is nothing to be very concerned about.

Allan
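The two procedures discussed above (a per-repository switch, the repo.db signature checked before the db is extracted, package signatures taken from repo.db rather than downloaded separately, and a missing signature treated as a failure rather than as "unsigned"), worked through as an added example that is not part of this thread or of pacman's code. The HMAC stand-in for a detached signature, the flat repo.db layout, and the `check_signatures` switch are constructed assumptions for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Stand-in for a detached signature (constructed for this example): an
# HMAC-SHA256 under a trusted key. pacman would use an asymmetric (GPG)
# signature; the decision logic below does not depend on the primitive.
TRUSTED_KEY = b"constructed-demo-key"


def sign(data: bytes) -> str:
    return hmac.new(TRUSTED_KEY, data, hashlib.sha256).hexdigest()


def verify(data: bytes, sig: Optional[str]) -> bool:
    # A missing signature verifies as False; it is never read as "unsigned, so fine".
    return sig is not None and hmac.compare_digest(sign(data), sig)


@dataclass
class RepoConf:
    """One [repo] section of pacman.conf with a hypothetical per-repo switch."""
    name: str
    check_signatures: bool


def parse_db(db_bytes: bytes) -> Dict[str, Optional[str]]:
    """Constructed repo.db layout: one 'pkgname sig' line, '-' for an unsigned package."""
    entries: Dict[str, Optional[str]] = {}
    for line in db_bytes.decode().splitlines():
        name, sig = line.split()
        entries[name] = None if sig == "-" else sig
    return entries


def update_repo_db(conf: RepoConf, db_bytes: bytes, db_sig: Optional[str]):
    """Repository update: the db signature is checked before the db is extracted."""
    if conf.check_signatures and not verify(db_bytes, db_sig):
        raise ValueError(f"{conf.name}: repo.db signature missing or invalid")
    return parse_db(db_bytes)


def verify_package(conf: RepoConf, db: Dict[str, Optional[str]], name: str, pkg: bytes) -> str:
    """Package check: the signature comes from repo.db, not from a separate download."""
    if not conf.check_signatures:
        return "accepted-unchecked"      # user opted out for this repository
    if name not in db:
        return "rejected-unknown"
    if not verify(pkg, db[name]):
        return "rejected-signature"      # unsigned or tampered: fail closed
    return "accepted-signed"


# Constructed sample repository: "foo" is signed, "bar" ships without a signature.
FOO, BAR = b"foo-1.0 package bytes", b"bar-2.0 package bytes"
DB_BYTES = f"foo {sign(FOO)}\nbar -\n".encode()
DB_SIG = sign(DB_BYTES)
```

With `check_signatures` on, deleting the db signature makes `update_repo_db` refuse the repository outright, and an entry without a signature is rejected rather than silently treated as unsigned.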