Does pkg check signatures?

Yuri yuri at rawbw.com
Tue Jan 14 13:27:59 UTC 2014


On 01/14/2014 04:58, Baptiste Daroussin wrote:
> What is signed is the catalog which contains the hash of all the available
> packages.

How is this fingerprint on the local system updated when the remote 
catalog file changes?

>
> So the signature is only checked during pkg update in case the database is being
> updated not during package installation because it the not needed, the fetched
> packages are tested agains their hash.

I think this process is very weak.
Normal procedure goes like this:
* During system installation, public key of the distributor is installed 
on the local system. One key per repository. Should be verified by admin 
if this is a concern.
* Every downloaded file should be downloaded together with its 
signature. Signature is computed on the server using the private key of 
the distributor.
* Signature of every single downloaded file should be checked. No 
exceptions. NSS https://developer.mozilla.org/en-US/docs/NSS has all 
such procedures.

Current procedure is flawed for the following reasons:
1. No clear automated process of fingerprint update is defined. (In 
fact, no secure automated way of its update is possible)
2. Security is opt-in. And it should be opt-out. (There is a big difference)

I don't think this fingerprinting scheme can survive a security review.
pkgng without proper package signing can't be recommended to users 
because it is a clear security threat.

Yuri


More information about the freebsd-pkg mailing list