[arch-general] Sébastien Luttringer and Tobias Powalowski

Morten Linderud morten at linderud.pw
Sun Jul 2 22:07:07 UTC 2017

On Sun, Jul 02, 2017 at 11:55:35PM +0200, NicoHood wrote:
> Yes the GPG signature of the tag commit is checked. However you can
> attack the git metadata and set a tag to a different commit. If this
> commit is signed, but at an older stage which is vulnearable, we have an
> issue. Just one example. So we should always also secure the transport
> layer.
> https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/torres-arias

The sign includes the hash. You would essentially have to trick Lennart into replacing the tag to a different commit,
and sign the tag. Creating a vulnerable but verified source for the PKGBUILD. At this point i think we have bigger
problems then whatever the PKGBUILD is doing...

Morten Linderud

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20170703/7f3ab60a/attachment.asc>

More information about the arch-general mailing list