Does pkg check signatures?
Yuri
yuri at rawbw.com
Tue Jan 14 13:27:59 UTC 2014
On 01/14/2014 04:58, Baptiste Daroussin wrote:
> What is signed is the catalog which contains the hash of all the available
> packages.
How is this fingerprint on the local system updated when the remote
catalog file changes?
>
> So the signature is only checked during pkg update in case the database is being
> updated not during package installation because it the not needed, the fetched
> packages are tested agains their hash.
I think this process is very weak.
Normal procedure goes like this:
* During system installation, public key of the distributor is installed
on the local system. One key per repository. Should be verified by admin
if this is a concern.
* Every downloaded file should be downloaded together with its
signature. Signature is computed on the server using the private key of
the distributor.
* Signature of every single downloaded file should be checked. No
exceptions. NSS https://developer.mozilla.org/en-US/docs/NSS has all
such procedures.
Current procedure is flawed for the following reasons:
1. No clear automated process of fingerprint update is defined. (In
fact, no secure automated way of its update is possible)
2. Security is opt-in. And it should be opt-out. (There is a big difference)
I don't think this fingerprinting scheme can survive a security review.
pkgng without proper package signing can't be recommended to users
because it is a clear security threat.
Yuri
More information about the freebsd-pkg
mailing list