[arch-general] Is it secure to just sign repository databases?

Levente Polyak anthraxx at archlinux.org
Sun Jun 16 17:12:42 UTC 2019


On June 16, 2019 5:57:34 PM GMT+02:00, Eli Schwartz via arch-general <arch-general at archlinux.org> wrote:
>That being said, if you have signed the repository db then as you
>mentioned the sha256 checksums for the package file are securely
>signed, so you are guaranteed that use of pacman -S pkgname will
>securely verify that it is installing the package the repo-add user
>expected to provide when running repo-add.
>
>What is your threat model? These things will not be protected against:
>
>- people installing the package file directly, as such:
>  pacman -U https://example.com/foopkg-1-1-x86_64.pkg.tar.xz
>- An attacker with local filesystem access on the signing/hosting
>  server can retroactively replace *all* packages built at any date,
>  and trick you into signing a new repo DB referencing them.
>- In shared packaging situations, like when a team of dozens of people
>  all upload packages, you want to be able to verify who signed each
>  package, as opposed to only verifying that the last person to update
>  the repository asserted that all other packages are good and backed
>  by his/her good name -- this does not concern you.


An important side note: this will only really help
if users of the repo have set the repository SigLevel
to Required (which is not the default).
When using the default of Optional, a MitM
attacker can just drop signatures for that database,
which obviously is much, much, much easier to
achieve for non-HTTPS mirrors.

Cheers,
Levente
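
An added example, not part of the original message: a Python check that reads a pacman.conf and lists the repositories whose effective database SigLevel is not Required, which are the ones where a dropped database signature would be accepted. It assumes repo-level SigLevel tokens are layered over the [options] value, takes Optional as the built-in default, and does not follow Include files; the sample configuration, repo names and function names are constructed.

```python
SAMPLE_CONF = """\
# constructed sample, not taken from a real system
[options]
SigLevel = Required DatabaseOptional
[core]
Include = /etc/pacman.d/mirrorlist
[myrepo]
SigLevel = Optional TrustAll
Server = http://repo.example.com/$arch
[signedrepo]
SigLevel = Required
Server = https://repo.example.com/$arch
"""

LEVELS = {"Never", "Optional", "Required"}

def apply_tokens(base, value):
    """Layer SigLevel tokens over a (package, database) pair, left to right."""
    pkg, db = base
    for tok in value.split():
        scope = next(p for p in ("Package", "Database", "") if tok.startswith(p))
        level = tok[len(scope):]
        if level in LEVELS:  # trust tokens (TrustedOnly, TrustAll) are skipped
            pkg = level if scope != "Database" else pkg
            db = level if scope != "Package" else db
    return pkg, db

def database_levels(conf_text, default=("Optional", "Optional")):
    """Return {repo: effective database SigLevel} for every repo section."""
    section, global_level, repo_values = None, default, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section != "options":
                repo_values.setdefault(section, "")
        elif not line.startswith("#") and "=" in line and section:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "SigLevel" and section == "options":
                global_level = apply_tokens(global_level, value)
            elif key == "SigLevel":
                repo_values[section] += " " + value
    return {r: apply_tokens(global_level, v)[1] for r, v in repo_values.items()}

def droppable(conf_text):
    """Repos where a missing database signature would not cause a failure."""
    return sorted(r for r, db in database_levels(conf_text).items() if db != "Required")
```
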

