Arch Linux

FS#45657 - Official repositories should be signed.

Attached to Project: Arch Linux
Opened by: Gleb Fotengauer-Malinovskiy (glebfm) - Wednesday, 15 July 2015, 19:00 GMT
Task Type: Feature Request
Category: Security
Status: Unconfirmed
Assigned To: No-one
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 2
Private: No

Details

Description:

Package databases of official repositories should be signed.
It's certainly a security issue, since a mirror owner can hold any
package, force a user to install any old package, or remove anything.

Also, there is no point in checking every package's signature if we can
trust both the package database and the hash sum.

Comment by Doug Newgard (Scimmia) - Thursday, 16 July 2015, 02:41 GMT
With all packages being signed, the security risk here is little to none.
Comment by Gleb Fotengauer-Malinovskiy (glebfm) - Thursday, 16 July 2015, 07:30 GMT
A signature doesn't make a package trusted if it is outdated.
With a signed index, you can be sure all packages are the newest as of
{last modification time of index} (which should probably be a part of the
signed index file).

A mirror can keep a database with all upgrades but with an old, vulnerable
version of openssl. Signed, but vulnerable.

Furthermore, I just found this out:
[root@hopper tmp]# grep ^Server /etc/pacman.d/mirrorlist
Server = http://mirror.yandex.ru/archlinux/$repo/os/$arch
[root@hopper tmp]# rm /var/lib/pacman/sync/*.db*
[root@hopper tmp]# pacman -Syu
:: Synchronizing package databases...
core 121.6 KiB 1204K/s 00:00 [####################################################] 100%
extra 1741.6 KiB 1964K/s 00:01 [####################################################] 100%
community 2.7 MiB 2.13M/s 00:01 [####################################################] 100%
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Packages (1) file-5.24-1

Total Installed Size: 3.85 MiB
Net Upgrade Size: 0.00 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring [####################################################] 100%
(1/1) checking package integrity [####################################################] 100%
(1/1) loading package files [####################################################] 100%
(1/1) checking for file conflicts [####################################################] 100%
(1/1) upgrading file [####################################################] 100%
[root@hopper tmp]# pacman -Q file
file 5.24-1
# good new file
[root@hopper tmp]# vim /etc/pacman.d/mirrorlist
[root@hopper tmp]# grep ^Server /etc/pacman.d/mirrorlist
Server = file:///tmp/$repo/os/$arch
[root@hopper tmp]# pacman -Syu
:: Synchronizing package databases...
core 118.3 KiB 0.00B/s 00:00 [####################################################] 100%
extra is up to date
community is up to date
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Packages (1) file-5.24-2

Total Installed Size: 3.85 MiB
Net Upgrade Size: 0.00 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring [####################################################] 100%
(1/1) checking package integrity [####################################################] 100%
(1/1) loading package files [####################################################] 100%
(1/1) checking for file conflicts [####################################################] 100%
(1/1) downgrading file [####################################################] 100%
[root@hopper tmp]# pacman -Q file
file 5.23-2
# previous version of file
[root@hopper tmp]# gpg --verify /tmp/core/os/x86_64/file-5.24-2-x86_64.pkg.tar.xz.sig /tmp/core/os/x86_64/file-5.24-2-x86_64.pkg.tar.xz
gpg: Signature made Thu Jun 18 01:18:45 2015 UTC using RSA key ID 387A1EEE
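Worked example (added here; not pacman's code and not part of the bug report): the transcript above works because the renamed file-5.23-2 archive carries a valid signature over its own bytes, and the unsigned database entry is free to claim 5.24-2 with the renamed file's real hash. The script below models that swap in Python. It constructs a tiny .pkg.tar.xz for each release and a sync-db desc entry in the %KEY%/value format, then compares the entry's %NAME%, %VERSION% and %SHA256SUM% against pkgname/pkgver inside the archive's .PKGINFO and the actual digest. Signature verification is not modelled, and the archives and desc text are constructed samples, not real Arch packages.

```python
"""Consistency check between a pacman sync-db entry and the package file it names.

Added example, not pacman's own code. It models the rename shown in the
transcript: the old, validly signed file-5.23-2 archive is served under the
name file-5.24-2-x86_64.pkg.tar.xz, and the (unsigned) db entry advertises
5.24-2 with the renamed file's real SHA256. The package signature still
verifies, so the only local evidence of the swap is that pkgver inside the
archive's .PKGINFO disagrees with %VERSION% in the db entry. Signatures are
not modelled; archives and desc entries are constructed in memory.
"""
import hashlib
import io
import tarfile


def build_pkg(pkgname: str, pkgver: str) -> bytes:
    """Build a minimal .pkg.tar.xz containing only a .PKGINFO (constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        info = f"pkgname = {pkgname}\npkgver = {pkgver}\narch = x86_64\n".encode()
        entry = tarfile.TarInfo(".PKGINFO")
        entry.size = len(info)
        tar.addfile(entry, io.BytesIO(info))
    return buf.getvalue()


def make_desc(name: str, version: str, pkg_bytes: bytes) -> str:
    """Write a sync-db 'desc' entry; the hash is whatever the db author chooses to put there."""
    return (
        f"%FILENAME%\n{name}-{version}-x86_64.pkg.tar.xz\n\n"
        f"%NAME%\n{name}\n\n"
        f"%VERSION%\n{version}\n\n"
        f"%SHA256SUM%\n{hashlib.sha256(pkg_bytes).hexdigest()}\n\n"
    )


def parse_desc(text: str) -> dict:
    """Parse the %KEY% / value / blank-line format used in sync-db desc files."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith("%") and line.endswith("%") and len(line) > 2:
            key = line[1:-1]
            fields[key] = []
        elif line and key is not None:
            fields[key].append(line)
    return {k: "\n".join(v) for k, v in fields.items()}


def parse_pkginfo(pkg_bytes: bytes) -> dict:
    """Read 'key = value' pairs from the archive's .PKGINFO."""
    with tarfile.open(fileobj=io.BytesIO(pkg_bytes), mode="r:xz") as tar:
        raw = tar.extractfile(".PKGINFO").read().decode()
    info = {}
    for line in raw.splitlines():
        if line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        info[k.strip()] = v.strip()
    return info


def check_package(desc_text: str, pkg_bytes: bytes) -> list:
    """Return mismatches between the db entry and the package file; an empty list means consistent."""
    desc = parse_desc(desc_text)
    info = parse_pkginfo(pkg_bytes)
    problems = []
    if desc.get("NAME") != info.get("pkgname"):
        problems.append(f"name: db says {desc.get('NAME')!r}, .PKGINFO says {info.get('pkgname')!r}")
    if desc.get("VERSION") != info.get("pkgver"):
        problems.append(f"version: db says {desc.get('VERSION')!r}, .PKGINFO says {info.get('pkgver')!r}")
    actual = hashlib.sha256(pkg_bytes).hexdigest()
    if desc.get("SHA256SUM") != actual:
        problems.append(f"sha256: db says {desc.get('SHA256SUM')}, file hashes to {actual}")
    return problems


# Constructed scenario: the current release and the older release a mirror might serve instead.
CURRENT_PKG = build_pkg("file", "5.24-2")
OLD_PKG = build_pkg("file", "5.23-2")
# An honest db entry for the current release.
HONEST_DESC = make_desc("file", "5.24-2", CURRENT_PKG)
# A mirror-forged entry: claims 5.24-2 but carries the real hash of the renamed old archive,
# which is what the file:///tmp mirror in the transcript amounts to.
FORGED_DESC = make_desc("file", "5.24-2", OLD_PKG)

if __name__ == "__main__":
    for label, desc, pkg in [
        ("honest db, current package", HONEST_DESC, CURRENT_PKG),
        ("forged db, renamed old package", FORGED_DESC, OLD_PKG),
        ("honest (i.e. signed) db, renamed old package", HONEST_DESC, OLD_PKG),
    ]:
        print(f"{label}: {check_package(desc, pkg) or 'consistent'}")
```

The second case is the transcript: name and hash agree with the forged entry, and only the .PKGINFO version comparison exposes the downgrade. The third case is what a signed database buys: with an entry the mirror cannot rewrite, the hash mismatch alone rejects the renamed archive, which is the point the report makes about trusting the database plus hash sum.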
Comment by Allan McRae (Allan) - Friday, 24 July 2015, 12:02 GMT
The above issue is now fixed in pacman. (we still should do database signing...)
Comment by Pierre Schmitz (Pierre) - Friday, 24 July 2015, 12:07 GMT
So far I haven't seen a good concept of how databases could be signed. I guess we either need some way to do remote signing or ensure that certain keys can only be used to sign databases.