[pacman-dev] Signing the database again

Remi Gacogne listes+pacman-dev at valombre.net
Wed Nov 4 21:07:29 UTC 2015 

Hi,

I have been thinking about the DB signing feature recently, and I have
dug up old emails regarding this topic. If I understand correctly:

- we would like database signing to prevent an attacker from messing
with the information contained in the database, being at rest on a
mirror or in flight. Packages being signed protects us from most issues,
but it is still possible for example to prevent a specific  package from
being upgraded by altering its entry in the database ;
- requiring TU and devs to sign the database when publishing a package
is not easy and ;
- we don't want to have a package-signing key online if we can prevent
it, so ideally the key used to sign the database should not be able to
sign packages ;
- in addition to that, it would be nice if package-signing keys would
not be able to sign the database.

I believe a simple solution would be to use a separate WoT for database
signing, distinct from the one use for package-signing.
This would require the generation of new, separate master keys for
verifying db-signing only keys. The master keys would be kept offline
while a db-signing key would be kept online on an official Arch server
and used by repo-add to sign the database upon modifications.

As I am not a TU nor a developer, I am not familiar with the exact
process used to publish packages. I have discussed this a bit with
Levente, but this is clearly the fuzziest part for me, so please let me
know if this is non-sense. This may require the use of a set-uid or
set-gid binary so that different users are allowed to use repo-add
without giving them access to the db-signing key.

Setting up database-signing this way, a compromised mirror couldn't
alter the database or the packages without being detected. If the
db-signing key were to be compromised, this would not be enough to be
able to alter the content of packages, and the key could be revoked and
replaced quite easily, so we would not be in a worse position than
without db signing.

Most of the code required for this to work is already in pacman. We
would still need to patch pacman to be able to use a separate gnupg
directory for the database WoT, distinct from the packages WoT. I have
attached a PoC patch to illustrate this idea, but it clearly needs more
work.

Any thoughts?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-a-separate-GnuPG-database-for-database-signing.patch
Type: text/x-patch
Size: 18016 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20151104/a571b66a/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20151104/a571b66a/attachment-0001.asc>

More information about the pacman-dev mailing list