Does pkg check signatures?

Baptiste Daroussin bapt at FreeBSD.org
Tue Jan 14 13:48:28 UTC 2014 

On Tue, Jan 14, 2014 at 05:27:58AM -0800, Yuri wrote:
> On 01/14/2014 04:58, Baptiste Daroussin wrote:
> > What is signed is the catalog which contains the hash of all the available
> > packages.
> 
> How is this fingerprint on the local system updated when the remote 
> catalog file changes?
> 
> >
> > So the signature is only checked during pkg update in case the database is being
> > updated not during package installation because it the not needed, the fetched
> > packages are tested agains their hash.
> 
> I think this process is very weak.
> Normal procedure goes like this:
> * During system installation, public key of the distributor is installed 
> on the local system. One key per repository. Should be verified by admin 
> if this is a concern.
This is what we have

> * Every downloaded file should be downloaded together with its 
> signature. Signature is computed on the server using the private key of 
> the distributor.

Why if you have a trusted list of hashes of what you will download?

> * Signature of every single downloaded file should be checked. No 
> exceptions. NSS https://developer.mozilla.org/en-US/docs/NSS has all 
> such procedures.

Why if you have a trusted list of hashes of what you will download?

> Current procedure is flawed for the following reasons:
> 1. No clear automated process of fingerprint update is defined. (In 
> fact, no secure automated way of its update is possible)

yes there is, distributed via freebsd-update.

> 2. Security is opt-in. And it should be opt-out. (There is a big difference)

it is opt-out on FreeBSD 10+ as the default configuration is with signature
check.

> 
> I don't think this fingerprinting scheme can survive a security review.
> pkgng without proper package signing can't be recommended to users 
> because it is a clear security threat.

secteam doesn't seem to agree with you, talk to them.

regards,
Bapt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-pkg/attachments/20140114/4f4866d1/attachment.sig>

More information about the freebsd-pkg mailing list