[arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)
Dan McGee
dpmcgee at gmail.com
Wed Jun 16 19:18:58 EDT 2010
On Wed, Jun 16, 2010 at 6:08 PM, Dimitrios Apostolou <jimis at gmx.net> wrote:
> Hey, what do you think about this way of verifying packages?
>
> On Tue, 15 Jun 2010, Dimitrios Apostolou wrote:
>>
>> On another note, an easy but maybe a bit costly way to avoid any MITM
>> tampering to packages, is serve *.md5 files for every package through a
>> trusted HTTPS host. Then everyone can query that single host and check if
>> the package he got from a mirror is safe.
>>
>> Costs: A little more traffic by serving hash files to everyone plus the
>> cost of the certificate from a CA. Is the income Arch receives from ads and
>> schwag enough for such a simple solution?
>
> Let me explain it a bit more:
>
> Pacman downloads package-1.tar.xz from a random mirror.
> It then fetches:
>
> https://sums.archlinux.org/exactly/the/same/path/package-1.tar.xz.sha1
>
> Pacman should then know whether the connection to sums.archlinux.org was
> tampered, since the certificate is signed from a CA in ca-bundle.crt. So if
> the two hashes match, the package is safe (as safe as the archlinux
> server...)
>
> That way any type of file can be verified (packages, db files, PKGBUILDs,
> patches etc) provided that its cryptographic hash is in that HTTPS host.
> Obviously to be able to verify db files, they need a timestamp appended to
> them, e.g. core-YYYYMMDDHHMM.tar.gz. That necessary change is perhaps the
> most difficult part of this proposal.
>
> If too many small files is a problem, maybe the whole db.tar.gz can be
> served (at the cost of a higher bandwidth utilisation).
>
>
> This solution doesn't use package signing nor a web-of-trust. It simply
> piggybacks on the tried and true HTTPS mechanism. Primary advantage is the
> lack of complexity which makes it easy to understand and implement.
>
>
> What do you think?
I think that someone could blow this apart. I break in, touch a
package of my choosing without telling anyone, and update the checksum
file. Bam- everyone's systems are fucked and the developers never knew
because you didn't do anything both cryptographically secure and
verifiable, you just added some indirection to the process.
-Dan
More information about the arch-general
mailing list