[pacman-dev] pacman signing security vulnerabilities

Dan McGee dpmcgee at gmail.com
Tue Feb 15 08:27:36 EST 2011

On Tue, Feb 15, 2011 at 7:18 AM, Michael Seiwald <michael at mseiwald.at> wrote:
> On 02/08/2011 11:02 PM, Dan McGee wrote:
>>> (4) Signing keys
>>> Currently when adding a signed package to the repository with repo-add,
>>> the signature of the package itself (generated with the package
>>> maintainers’ key) is included into the sync db (as %PGPSIG% field in the
>>> desc file of the package). Afterwards, the updated sync db is also
>>> signed. Firstly, we are not sure how this should be handled in practice.
>>> Will the sync db be signed with a central repository key? Or with one of
>>> the developers’ keys? Either way, the package signature in the sync db
>>> (%PGPSIG%) adds no additional security value, because when pacman
>>> verifies both the package signature and the signature of the sync db, it
>>> uses one single keyring (/etc/pacman.d/gnupg/pupring.gpg) for all the
>>> signatures.
>> But not one key, and how does one verify a package they got that was
>> not in a sync DB? Or in a sync DB managed by someone they may trust
>> less, but packaged by someone they may trust more?
> A package not in a sync DB cannot be verified - regardless of keeping
> the package signature in the sync db. If the sync DB is signed, the hash
> of the package file is sufficient to verify its integrity. The only way
> allowing for the verification of packages which are not part of the sync
> DB I can think of would be to somehow make the packages contain the
> signatures (like RPM packages).

I am not following this point whatsoever.

RPM package containing signature == zip of signature + package
contents in another zip. There is no added security benefit of this
that I can possibly see over package + detached signature- the only
thing they are doing is tying it up with some ugly rope and shipping
it to you as one file.

And the hash of the package file is not at all enough to verify
integrity! For one, md5 is not secure, and we've never pretended this
is supposed to be anything more than a quick download check. Second,
you have continued to run around the issue I stated where not all
packages are in a sync repository- drop your "If" clause and your
whole point falls down.

Your other point, "A package not in a sync DB cannot be verified", is
also unclear- can you please elaborate?


More information about the pacman-dev mailing list