[pacman-dev] [PATCH] Add per-repo PinnedPubKey option

Daniel Micay danielmicay at gmail.com
Tue Nov 1 19:00:25 UTC 2016

On Tue, 2016-11-01 at 09:44 -0400, Travis Burtrum wrote:
> On 10/31/2016 05:24 PM, Daniel Micay wrote:
> > Perhaps Pacman should just learn to respect HPKP? It's actually
> > supported by wget now, take a look at ~/.wget-hsts. Pacman could
> > have a
> > similar file in the sync database directory. Then it just kicks in
> > after
> > the first connection and as long as Pacman keeps accessing that
> > mirror
> > it will keep updating the date. It could work quite well since we
> > don't
> > support not upgrading for long periods of time.
> > 
> Those are 2 different things though, wget supports HSTS, not HPKP,
> though pinning public keys is part of HPKP.  I plan eventually to
> write
> HPKP support for curl/wget, but that's a pretty ambitious project I
> don't have time for right now.
> However, with as often as pacman pushes the mirrorlist, it could
> include
> just a hard-coded set of hashes for TLS servers.  Or a simple script
> generates and installs them for those who care.

Ah, right. HPKP is just that though: a list of key hashes that are
permitted (if they appear anywhere in the trust chain).

We don't know how mirrors manage their HTTPS keys unless they use HPKP,
so what good is pinning them manually? It'll eventually fail, and you
can't know if it's an attack or they replaced the certificate.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20161101/1ad08b42/attachment.asc>

More information about the pacman-dev mailing list