[pacman-dev] More thought about signature implementation

Denis A. Altoé Falqueto denisfalqueto at gmail.com
Sat Jun 19 00:18:33 EDT 2010


On Sat, Jun 19, 2010 at 12:08 AM, Allan McRae <allan at archlinux.org> wrote:
> On 19/06/10 03:45, Denis A. Altoé Falqueto wrote:
> The signatures are currently placed in the repo-db. So only the repo db
> needs to be downloaded and not individual signatures. If an attacker deletes the
> repo database and its signature, that is probably the least of our issues...
> There will be many copies of a recent signed database that we can recover
> all the signatures from.

Hmm, I see. And it is a good idea, indeed.

But I've tested two packages (go-openoffice, 130M, and libxfontcache,
8K) to see how this will affect the final size of the database. The
size of the signatures was 543 bytes each. So the size of the package
will not affect the size of the signatures. What could affect it is the
key used, given the hash algorithm is the same. My current key has
2024 bits length. The table below summarizes the expected increase for
each repository:

http://pastebin.com/ppfe5dxw

Maybe that is acceptable, maybe not. Thinking about it a little, I
would not be very glad of having to download almost the same
signatures (the ones that didn't change) every time I run pacman -Sy.

I believe that just marking if a package is signed inside the
repository is enough. Or maybe I've misinterpreted something too.

>> Another factor to consider is that the signature verification should
>> be optional for each system. I mean, if a user doesn't care about
>> signatures, he should be able to say "pacman, I can't care less about
>> signatures, please". So, I believe that the best place for such
>> information should be in the pacman.conf file, in each repository
>> section. Maybe one cares about signature in one repository but not for
>> another. And we would spread the attack surface for the entire user
>> base, instead of concentrating it only on the server or mirrors.
>
> I thought that this was already implemented.

Good. I am still getting to know the code.

Thanks for taking the time to answer. I'm already testing pacman-key
and it is working fine. I'll test makepkg and repo-db too, but I
believe they are alright. The changes were very little. I've already
implemented a function to verify the signatures, in C, using popen to
call gpg2. The function was based on a test program I made today, so
it is very probably working, at least the basics.

On a side note, I discovered a funny thing about apt. They don't use
the gpgme lib either, but instead call gpgv, a program that just verifies
signatures. Looking through its man page, I learnt that it doesn't
respect the web of trust of the keyring (!!!). So, in the end, apt
just checks to see if the key is in the keyring (all keys are
trustworthy, according to gpgv's manpage) and verifies the file
signature. I just didn't have a good feeling about it.

-- 
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
-------------------------------------------
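The message above describes two things: a C verification routine that shells out to gpg2, and the observation that gpgv accepts any key in the keyring without consulting the web of trust. The following is an added illustration of both points, written for this archive page; it is not pacman's code and not code from the thread. It runs gpg2 as a child process (without a shell, so file paths need no quoting) with `--status-fd 1`, parses the machine-readable status lines documented in GnuPG's `doc/DETAILS`, and only accepts a signature when a `GOODSIG` line is accompanied by a `TRUST_FULLY` or `TRUST_ULTIMATE` line. The key ids and user ids in any transcripts fed to `parse_gpg_status` are assumed to be constructed sample data; the binary name `gpg2` and its flags are the ones the message refers to.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added example (not pacman's code): verify a detached signature by running gpg2
 * and parsing its --status-fd lines.  Acceptance needs a GOODSIG line AND a
 * TRUST_FULLY/TRUST_ULTIMATE line, the web-of-trust step the message says gpgv skips. */
enum trust_level { TRUST_UNKNOWN = 0, TRUST_NEVER, TRUST_MARGINAL, TRUST_FULL, TRUST_ULTIMATE };

struct verify_result {
    int good_sig, bad_sig, no_pubkey;  /* which of GOODSIG/BADSIG/NO_PUBKEY appeared */
    enum trust_level trust;            /* from the TRUST_* line, if any */
    char keyid[41];                    /* key id reported on the *SIG/NO_PUBKEY line */
};

static const char PREFIX[] = "[GNUPG:] ";  /* every status line starts with this */

/* Parse a complete --status-fd transcript into r; returns the number of status lines. */
int parse_gpg_status(const char *text, struct verify_result *r)
{
    int nlines = 0;
    memset(r, 0, sizeof *r);
    for (const char *p = text; *p; ) {
        char line[512];
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + (eol ? 1 : 0);
        if (strncmp(line, PREFIX, sizeof PREFIX - 1) != 0) continue;  /* not a status line */
        nlines++;
        char *kw = line + sizeof PREFIX - 1, *arg = strchr(kw, ' ');
        if (arg) *arg++ = '\0';
        if (!strcmp(kw, "GOODSIG") || !strcmp(kw, "BADSIG") || !strcmp(kw, "NO_PUBKEY")) {
            if (arg) {  /* first token after the keyword is the key id */
                size_t n = strcspn(arg, " ");
                if (n >= sizeof r->keyid) n = sizeof r->keyid - 1;
                memcpy(r->keyid, arg, n);
                r->keyid[n] = '\0';
            }
            if (kw[0] == 'G') r->good_sig = 1;
            else if (kw[0] == 'B') r->bad_sig = 1;
            else r->no_pubkey = 1;
        }
        else if (!strcmp(kw, "TRUST_NEVER"))    r->trust = TRUST_NEVER;
        else if (!strcmp(kw, "TRUST_MARGINAL")) r->trust = TRUST_MARGINAL;
        else if (!strcmp(kw, "TRUST_FULLY"))    r->trust = TRUST_FULL;
        else if (!strcmp(kw, "TRUST_ULTIMATE")) r->trust = TRUST_ULTIMATE;
    }
    return nlines;
}

/* Policy: good signature AND a fully/ultimately trusted signer.  Stopping at
 * good_sig alone is the gpgv behaviour the message describes. */
int signature_acceptable(const struct verify_result *r)
{
    return r->good_sig && !r->bad_sig && !r->no_pubkey && r->trust >= TRUST_FULL;
}

/* Run gpg2 without a shell (paths go straight into argv, so no quoting issues),
 * capture its status output and parse it.  Returns -1 if gpg2 cannot be run. */
int verify_detached(const char *sigpath, const char *datapath, struct verify_result *r)
{
    int fd[2], status;
    char buf[8192]; size_t used = 0; ssize_t n;
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                         /* child: stdout -> pipe, then exec gpg2 */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        execlp("gpg2", "gpg2", "--batch", "--status-fd", "1", "--verify",
               sigpath, datapath, (char *)NULL);
        _exit(127);
    }
    close(fd[1]);                           /* parent: read until gpg2 closes the pipe */
    while (used < sizeof buf - 1 && (n = read(fd[0], buf + used, sizeof buf - 1 - used)) > 0)
        used += (size_t)n;
    buf[used] = '\0';
    close(fd[0]);
    waitpid(pid, &status, 0);
    if (WIFEXITED(status) && WEXITSTATUS(status) == 127) return -1;
    parse_gpg_status(buf, r);
    return 0;
}

int main(int argc, char **argv)
{
    struct verify_result r;
    if (argc != 3) { fprintf(stderr, "usage: %s file.sig file\n", argv[0]); return 2; }
    if (verify_detached(argv[1], argv[2], &r) != 0) { fprintf(stderr, "cannot run gpg2\n"); return 2; }
    printf("key %s: %s\n", r.keyid, signature_acceptable(&r) ? "ACCEPT" : "REJECT");
    return signature_acceptable(&r) ? 0 : 1;
}
```

Splitting the parser from the process handling keeps the trust policy testable offline with constructed transcripts, and makes the difference between "the signature is mathematically valid" (`GOODSIG`) and "we trust the signer" (`TRUST_FULLY`/`TRUST_ULTIMATE`) an explicit, reviewable decision rather than something buried in a shell one-liner.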

