Does pkg check signatures?
Baptiste Daroussin
bapt at FreeBSD.org
Tue Jan 14 13:48:28 UTC 2014
On Tue, Jan 14, 2014 at 05:27:58AM -0800, Yuri wrote:
> On 01/14/2014 04:58, Baptiste Daroussin wrote:
> > What is signed is the catalog which contains the hash of all the available
> > packages.
>
> How is this fingerprint on the local system updated when the remote
> catalog file changes?
>
> >
> > So the signature is only checked during pkg update in case the database is being
> > updated not during package installation because it the not needed, the fetched
> > packages are tested agains their hash.
>
> I think this process is very weak.
> Normal procedure goes like this:
> * During system installation, public key of the distributor is installed
> on the local system. One key per repository. Should be verified by admin
> if this is a concern.
This is what we have
> * Every downloaded file should be downloaded together with its
> signature. Signature is computed on the server using the private key of
> the distributor.
Why if you have a trusted list of hashes of what you will download?
> * Signature of every single downloaded file should be checked. No
> exceptions. NSS https://developer.mozilla.org/en-US/docs/NSS has all
> such procedures.
Why if you have a trusted list of hashes of what you will download?
> Current procedure is flawed for the following reasons:
> 1. No clear automated process of fingerprint update is defined. (In
> fact, no secure automated way of its update is possible)
yes there is, distributed via freebsd-update.
> 2. Security is opt-in. And it should be opt-out. (There is a big difference)
it is opt-out on FreeBSD 10+ as the default configuration is with signature
check.
>
> I don't think this fingerprinting scheme can survive a security review.
> pkgng without proper package signing can't be recommended to users
> because it is a clear security threat.
secteam doesn't seem to agree with you, talk to them.
regards,
Bapt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-pkg/attachments/20140114/4f4866d1/attachment.sig>
More information about the freebsd-pkg
mailing list