[pacman-dev] [arch-general] Package signing

Dan McGee dpmcgee at gmail.com
Fri May 7 14:54:16 CEST 2010


On Fri, May 7, 2010 at 7:44 AM, Florian Pritz <bluewind at server-speed.net> wrote:
> On 06.05.2010 22:48, Denis A. Altoé Falqueto wrote:
>> To check the validity of the repo.db signature, we can do:
>>
>>  1. pacman downloads the repo.db and the signature
>>  2. gpg extracts the original hash from the signature
>>  3. sha1sum recomputes the hash on the downloaded repo.db
>>  4. the recomputed hash and the signed hash are compared
>>
>> If the comparison is ok, the repo.db is intact. Otherwise, panic!!
>
> Why can't you just sign the package, and let the rest of the process be
> the way it is? I don't understand why you have to sign the DB too.
> If the package signature is correct you can safely install it without
> worrying whether the DB is the latest or not.
>
> If a developer gets compromised you abandon his old key (post on the
> ML, news item, ... and tell users to update pacman-keyring maybe you
> could also use a keyserver here where you just publish a revocation
> certificate), resign all clean packages and rebuild the rest.
>
> Or am I missing something?

You're missing something. You have no opened up the possibility of
1. Replay attacks. Serve up an old DB with a package with a now-known
security vuln. Even with signing this could be a problem, so...
2. Forging attacks. Generate your own package DB with packages of your
choosing. As long as they were built by someone trusted (even if they
are years old), nothing can stop this.

The **only** thing a package signature guarantees is that the packager
says "at the time I built this, it was definitely me that did so", and
nothing whatsoever about that package still being good to go.

Guys, I sent a link that explains all this:
http://www.cs.arizona.edu/stork/packagemanagersecurity/

-Dan


More information about the pacman-dev mailing list