[pacman-dev] Why need keyrings to be signed?
Hi all,

while working on our keyring package again I am still stuck at this question. pacman-key --populate checks if the files to import are signed. The man page tells us:

    This prevents a potentially malicious repository adding keys to the pacman keyring without the users knowledge.

But I don't get the reasoning here at all. If I install a malicious package, its install function is run as root and can do anything, including bypassing the --populate function and calling gpg directly. If I miss anything here please let me know, as I couldn't find out.

Removing this check would save me from reinventing the wheel, and I don't have to create a script which does exactly what --populate does but without the check. This check prevents us from a simple bootstrap, and we gain no improved security if we let the user do it manually (think about what a malicious package would do).

In detail this means removing the call to verify_keyring_input in pacman-key and then removing the now unused functions verify_keyring_input and validate_with_gpg.

Greetings,

Pierre

--
Pierre Schmitz, http://pierre-schmitz.com
On 04/03/12 01:25, Pierre Schmitz wrote:
> Hi all,
>
> while working on our keyring package again I am still stuck at this question. pacman-key --populate checks if the files to import are signed. The man page tells us:
>
>     This prevents a potentially malicious repository adding keys to the pacman keyring without the users knowledge.
>
> But I don't get the reasoning here at all. If I install a malicious package, its install function is run as root and can do anything, including bypassing the --populate function and calling gpg directly. If I miss anything here please let me know, as I couldn't find out.
>
> Removing this check would save me from reinventing the wheel, and I don't have to create a script which does exactly what --populate does but without the check. This check prevents us from a simple bootstrap, and we gain no improved security if we let the user do it manually (think about what a malicious package would do).
>
> In detail this means removing the call to verify_keyring_input in pacman-key and then removing the now unused functions verify_keyring_input and validate_with_gpg.

I cannot think of a situation where you could edit the keyring files but not access the pacman keyring directly... Unless someone else can think of a good reason to keep this, I would agree to removing that requirement.

Allan
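The check under discussion, as an added example that is not pacman's code: a small sh script that rebuilds the detached-signature rule of --populate in a throwaway GnuPG home and runs it in three situations, including the empty-keyring case that makes a bootstrap impossible. It assumes GnuPG 2.1 or later on PATH as gpg; the signer key, the keyring file and the verify_keyring_file/setup_signed_keyring/demo names are all constructed for this example.

```shell
#!/bin/sh
# Added example, not pacman's code: rebuilds the --populate signature check
# in a throwaway GnuPG home to show what it catches and why it blocks a
# bootstrap. Assumes GnuPG 2.1+ on PATH as "gpg"; keys and files are constructed.
set -u

# Same rule as pacman-key's validate_with_gpg: accept a keyring file ($1) only
# if a detached signature sits beside it and verifies against the keyring in
# GnuPG home $2 (the extra argument stands in for pacman's fixed keyring dir).
verify_keyring_file() {
    [ -f "$1.sig" ] || { echo "unsigned: $1" >&2; return 1; }
    gpg --batch --quiet --homedir "$2" --verify "$1.sig" "$1" 2>/dev/null \
        || { echo "bad signature: $1" >&2; return 1; }
}

# Create a constructed signer key, export it as the "keyring file" to ship,
# and sign that file. Prints the work dir; homes are $dir/signer and $dir/fresh
# (the latter stays empty, like the keyring on a system being bootstrapped).
setup_signed_keyring() {
    dir=$(mktemp -d) || return 1
    mkdir -m 700 "$dir/signer" "$dir/fresh" || return 1
    gpg --batch --quiet --homedir "$dir/signer" --pinentry-mode loopback \
        --passphrase '' --quick-generate-key \
        'Constructed Signer <signer@example.invalid>' default default never \
        2>/dev/null || return 1
    gpg --batch --homedir "$dir/signer" --export > "$dir/example.gpg" || return 1
    gpg --batch --quiet --homedir "$dir/signer" --pinentry-mode loopback \
        --passphrase '' --detach-sign -o "$dir/example.gpg.sig" \
        "$dir/example.gpg" 2>/dev/null || return 1
    printf '%s\n' "$dir"
}

# Returns 0 only if the check behaves as the thread describes: accepted with
# the signer key present, rejected in a fresh keyring (the bootstrap case: it
# cannot pass until the very key it protects has been imported), rejected
# after tampering.
demo() {
    dir=$(setup_signed_keyring) || return 1
    verify_keyring_file "$dir/example.gpg" "$dir/signer" || return 1
    echo "signer key present: accepted"
    if verify_keyring_file "$dir/example.gpg" "$dir/fresh"; then return 1; fi
    echo "fresh keyring: rejected, so --populate could never bootstrap itself"
    printf 'x' >> "$dir/example.gpg"
    if verify_keyring_file "$dir/example.gpg" "$dir/signer"; then return 1; fi
    echo "tampered file: rejected"
    rm -rf "$dir"
}

if command -v gpg >/dev/null 2>&1; then demo; fi
```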
Verifing the keyring at this point is useless as a malicious package is already installed and as such has several options to bypass this check anyway. Signed-off-by: Pierre Schmitz <pierre@archlinux.de> --- doc/pacman-key.8.txt | 5 ----- scripts/pacman-key.sh.in | 39 --------------------------------------- 2 files changed, 44 deletions(-) diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt index 1582a3c..3631ec8 100644 --- a/doc/pacman-key.8.txt +++ b/doc/pacman-key.8.txt @@ -129,11 +129,6 @@ any signing", so should be used with prudence. A key being marked as revoked will be disabled in the keyring and no longer treated as valid, so this always takes priority over it's trusted state in any other keyring. -All files are required to be signed (detached) by a trusted PGP key that the -user must manually import to the pacman keyring. This prevents a potentially -malicious repository adding keys to the pacman keyring without the users -knowledge. - See Also -------- diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index c393370..482b56d 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in 
@@ -214,43 +214,6 @@ check_keyring() { fi } -validate_with_gpg() { - msg2 "$(gettext "Verifying %s...")" "$1" - if [[ ! -f "$1.sig" ]]; then - error "$(gettext "File %s is unsigned, cannot continue.")" "$1" - return 1 - elif ! "${GPG_PACMAN[@]}" --verify "$1.sig"; then - error "$(gettext "The signature of file %s is not valid.")" "$1" - return 1 - fi - return 0 -} - -verify_keyring_input() { - local ret=0; - local KEYRING_IMPORT_DIR='@pkgdatadir@/keyrings' - - # Verify signatures of keyring files and trusted/revoked files if they exist - msg "$(gettext "Verifying keyring file signatures...")" - local keyring keyfile - for keyring in "${KEYRINGIDS[@]}"; do - keyfile="${KEYRING_IMPORT_DIR}/${keyring}.gpg" - validate_with_gpg "${keyfile}" || ret=1 - - keyfile="${KEYRING_IMPORT_DIR}/${keyring}-trusted" - if [[ -f "${keyfile}" ]]; then - validate_with_gpg "${keyfile}" || ret=1 - fi - - keyfile="${KEYRING_IMPORT_DIR}/${keyring}-revoked" - if [[ -f "${keyfile}" ]]; then - validate_with_gpg "${keyfile}" || ret=1 - fi - done - - return $ret -} - populate_keyring() { local KEYRING_IMPORT_DIR='@pkgdatadir@/keyrings' @@ -281,8 +244,6 @@ populate_keyring() { exit 1 fi - verify_keyring_input || exit 1 - # Variable used for iterating on keyrings local keys key_id -- 1.7.9.2
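Review bot: the doc/pacman-key.8.txt hunk deletes the only sentence saying where --populate's input comes from and why it is trusted, and puts nothing in its place; with the signature requirement gone, the man page should state instead that the keyring files are trusted because the package that installs them has already been verified by pacman, since that is now the entire trust argument. While in that paragraph, the unchanged context line "priority over it's trusted state" should read "its trusted state".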
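Review bot: the hunk removing validate_with_gpg and verify_keyring_input deletes the only gpg --verify run over the files in @pkgdatadir@/keyrings, but the commit message argues only the case where a malicious package is already installed; it should also say that files placed in that directory by any other route are now imported without any check, which the removed "File %s is unsigned, cannot continue." path used to refuse. The hunk shows the definitions going away but not a search for callers: confirm nothing else in pacman-key.sh.in still invokes validate_with_gpg or verify_keyring_input, or the script will fail at run time with a command-not-found error.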
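Review bot: in the populate_keyring hunk, dropping `verify_keyring_input || exit 1` also drops the only early failure when ${KEYRING_IMPORT_DIR}/${keyring}.gpg is missing for a name in KEYRINGIDS (the removed path exited before any import, either on the missing .sig or on the failing --verify). Add an explicit `[[ -f "${keyfile}" ]]` test with a clear error in front of the import loop, so a misnamed keyring aborts cleanly instead of leaving the keyring partially populated.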