[pacman-dev] More thought about signature implementation

Denis A. Altoé Falqueto denisfalqueto at gmail.com
Fri Jun 18 13:45:31 EDT 2010


Hi guys. One more of those long boring emails... sorry.

See this situation: let's say we sign packages and the repo.db and the
signatures are all detached, in the same directory as their
corresponding files. If some cracker breaks into the machine and
deletes the signatures, pacman will not be able to know if the
packages and repo.db were signed or not. So, it would be necessary to
have some way to indicate that a repository is signed or not and this
information must be kept in such a way that an intruder can't change.

Another factor to consider is that the signature verification should
be optional for each system. I mean, if a user doesn't care about
signatures, he should be able to say "pacman, I can't care less about
signatures, please". So, I believe that the best place for such
information should be in the pacman.conf file, in each repository
section. Maybe one cares about signature in one repository but not for
another. And we would spread the attack surface for the entire user
base, instead of concentrating it only on the server or mirrors.

For the repository update, it would be like this:

1. for each repository
  1.1. download the repo.db
  1.2. if it is signed
    1.2.1. download the signature
    1.2.2. check the signature
  1.3. extract the db to its right place, as today

For the package verification, it would be like this:

1. download the package
2. if the signature is enabled for the repository
  2.1. if the package is signed (this information must come from repo.db)
    2.1.1. download the signature for the package
    2.1.2. check the signature

For installation of local packages, I am not very worried about
signatures. It could be optional, indicated via parameter.

Well, I think that to store the new information, we'll have to break
the ABI, won't we? Sorry to say this just a few days after the new
release... Maybe we could have put some new fields in for future use.

-- 
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
-------------------------------------------
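The two procedures from the message above, as an added example that is not part of the original post or of pacman itself. It assumes a per-repository "signed" flag standing in for the proposed pacman.conf setting, a constructed repo.db format, and an HMAC as a stand-in for a real detached signature; the point it shows is that a deleted .sig file must fail the update rather than silently downgrade the repo to "unsigned".

```python
import hashlib
import hmac

# Constructed stand-in for a detached signature: an HMAC over the file bytes
# under a key only the repo maintainer holds. A real implementation would use
# GPG; the point here is the decision logic, not the signature scheme.
MAINTAINER_KEY = b"constructed-maintainer-key"


def make_sig(data: bytes) -> bytes:
    return hmac.new(MAINTAINER_KEY, data, hashlib.sha256).digest()


class VerifyError(Exception):
    pass


def fetch(mirror: dict, name: str) -> bytes:
    """Simulated download from a mirror (a dict of filename -> bytes)."""
    if name not in mirror:
        raise VerifyError(f"{name}: missing on mirror")
    return mirror[name]


def check_sig(mirror: dict, name: str, data: bytes) -> None:
    """Download the detached signature for `name` and verify it. A deleted
    .sig file is an error, not a silent downgrade to 'unsigned'."""
    sig = fetch(mirror, name + ".sig")
    if not hmac.compare_digest(make_sig(data), sig):
        raise VerifyError(f"{name}: bad signature")


def update_repo(conf: dict, repo: str, mirror: dict) -> dict:
    """Repository update: fetch repo.db; if the config marks the repo as
    signed, the db's signature is required. Returns {pkg: is_signed}."""
    db = fetch(mirror, f"{repo}.db")
    if conf[repo]["signed"]:
        check_sig(mirror, f"{repo}.db", db)
    # Constructed repo.db format: one 'pkgname:0|1' line per package.
    return {p: f == "1" for p, f in (l.split(":") for l in db.decode().split())}


def fetch_package(conf: dict, repo: str, db: dict, pkg: str, mirror: dict) -> bytes:
    """Package verification: the 'is it signed' flag comes from the already
    verified repo.db, and the check only applies when the repo requires it."""
    data = fetch(mirror, pkg)
    if conf[repo]["signed"] and db[pkg]:
        check_sig(mirror, pkg, data)
    return data
```

Because the per-package flag is read from a repo.db whose own signature was checked first, an intruder who only deletes or edits files on the mirror cannot turn a signed package into an unsigned one without the update step failing.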