[pacman-dev] [PATCH] libmakepkg/integrity: check for invalid tags
Eli Schwartz
eschwartz93 at gmail.com
Tue Jul 4 03:15:35 UTC 2017
As per https://lists.archlinux.org/pipermail/arch-general/2017-July/043876.html
git doesn't check that the tag name matches what an annotated tag object
*thinks* it should be called. This is a bit of a theoretical attack and
some would argue that we should always use commits since upstream can
legitimately change a tag, but nevertheless this can result in a
downgrade attack if the git download transport was manipulated.
So, check the tag blob to make sure the tag actually matches the name we
used for `git checkout`.
Signed-off-by: Eli Schwartz <eschwartz93 at gmail.com>
---
scripts/libmakepkg/integrity/verify_signature.sh.in | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/scripts/libmakepkg/integrity/verify_signature.sh.in b/scripts/libmakepkg/integrity/verify_signature.sh.in
index 5468f977..3783dbb2 100644
--- a/scripts/libmakepkg/integrity/verify_signature.sh.in
+++ b/scripts/libmakepkg/integrity/verify_signature.sh.in
@@ -187,6 +187,13 @@ verify_git_signature() {
printf " %s git repo ... " "${dir##*/}" >&2
+ tagname="$(git -C "$dir" cat-file tag "$fragval" 2>/dev/null | awk 'FNR == 3 {print $2}')"
+ if [[ $fragtype = tag && -n $tagname && $tagname != $fragval ]]; then
+ printf "%s (%s)" "$(gettext "FAILED")" "$(gettext "forged tag, you have been hacked!")" >&2
+ errors=1
+ return 1
+ fi
+
git -C "$dir" verify-$fragtype --raw "$fragval" > "$statusfile" 2>&1
if ! grep -qs NEWSIG "$statusfile"; then
printf '%s\n' "$(gettext "SIGNATURE NOT FOUND")" >&2
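Review bot: in the new `[[ $fragtype = tag && -n $tagname && $tagname != $fragval ]]` test, the unquoted `$fragval` on the right-hand side of `!=` is interpreted by bash as a glob pattern rather than a literal string, so a tag name containing `*`, `?` or `[` would be compared as a pattern; quote it as `$tagname != "$fragval"` so the comparison is literal. Two smaller points in the same hunk: the `printf "%s (%s)"` for the FAILED case emits no trailing newline, unlike the existing `printf '%s\n'` for "SIGNATURE NOT FOUND" a few lines below, so the next message will run onto the same line; and the `awk 'FNR == 3 {print $2}'` extraction relies on the `tag` header always being the third line of the tag object (git does emit object, type, tag, tagger in that order, but matching `$1 == "tag"` within the header would document the intent and not depend on the position).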
--
2.13.2