FS#45657 - [security] Official repositories should be signed.
Attached to Project:
Arch Linux
Opened by Gleb Fotengauer-Malinovskiy (glebfm) - Wednesday, 15 July 2015, 19:00 GMT
Last edited by Christian Heusel (gromit) - Monday, 28 August 2023, 08:37 GMT
Details
Description:
Package databases of official repositories should be signed. It is certainly a security issue, since a mirror owner can hold back any package, force a user to install any old package, or remove anything. Also, there is no point in checking every package's signature if we can trust both the package database and the hash sum.
Closed by Christian Heusel (gromit)
Monday, 28 August 2023, 08:37 GMT
Reason for closing: Deferred
Additional comments about closing: There is upcoming work planned for database signing after the bugtracker migration.
With a signed index, you can be sure all packages are the newest as of
{last modification time of the index} (which should probably be a part of
the signed index file).
A mirror can keep a database with all upgrades, but with the old vulnerable
version of openssl. Signed, but vulnerable.
Furthermore, I just found this out:
[root@hopper tmp]# grep ^Server /etc/pacman.d/mirrorlist
Server = http://mirror.yandex.ru/archlinux/$repo/os/$arch
[root@hopper tmp]# rm /var/lib/pacman/sync/*.db*
[root@hopper tmp]# pacman -Syu
:: Synchronizing package databases...
core 121.6 KiB 1204K/s 00:00 [####################################################] 100%
extra 1741.6 KiB 1964K/s 00:01 [####################################################] 100%
community 2.7 MiB 2.13M/s 00:01 [####################################################] 100%
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...
Packages (1) file-5.24-1
Total Installed Size: 3.85 MiB
Net Upgrade Size: 0.00 MiB
:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring [####################################################] 100%
(1/1) checking package integrity [####################################################] 100%
(1/1) loading package files [####################################################] 100%
(1/1) checking for file conflicts [####################################################] 100%
(1/1) upgrading file [####################################################] 100%
[root@hopper tmp]# pacman -Q file
file 5.24-1
# good new file
[root@hopper tmp]# vim /etc/pacman.d/mirrorlist
[root@hopper tmp]# grep ^Server /etc/pacman.d/mirrorlist
Server = file:///tmp/$repo/os/$arch
[root@hopper tmp]# pacman -Syu
:: Synchronizing package databases...
core 118.3 KiB 0.00B/s 00:00 [####################################################] 100%
extra is up to date
community is up to date
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...
Packages (1) file-5.24-2
Total Installed Size: 3.85 MiB
Net Upgrade Size: 0.00 MiB
:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring [####################################################] 100%
(1/1) checking package integrity [####################################################] 100%
(1/1) loading package files [####################################################] 100%
(1/1) checking for file conflicts [####################################################] 100%
(1/1) downgrading file [####################################################] 100%
[root@hopper tmp]# pacman -Q file
file 5.23-2
# previous version of file
[root@hopper tmp]# gpg --verify /tmp/core/os/x86_64/file-5.24-2-x86_64.pkg.tar.xz.sig /tmp/core/os/x86_64/file-5.24-2-x86_64.pkg.tar.xz
gpg: Signature made Thu Jun 18 01:18:45 2015 UTC using RSA key ID 387A1EEE
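The transcript above shows what an unsigned sync database lets a mirror do: the database entry advertises file-5.24-2 and carries the checksum of a file by that name, the file itself is an older, legitimately signed build (pacman reports "downgrading" and the installed version ends up as 5.23-2), and every signature check passes because only the package, not the database, is signed. The script below is an added example, not part of the original report and not pacman code: it reads a sync database (a tar archive with one `<name>-<ver>/desc` entry per package) and the packages a mirror serves, and reports three things a signed database with a timestamp would rule out: a desc `%VERSION%` that disagrees with the package's own `.PKGINFO` `pkgver`, a package that would downgrade an installed version, and a database whose newest `%BUILDDATE%` is older than an age limit (a freeze). All archives are constructed in memory and left uncompressed for the example (real ones are compressed, which `tarfile` also opens); the `vercmp` is a simplified stand-in for pacman's; and the reconstruction of the scenario (db says 5.24-2, package is 5.23-2) is this example's reading of the transcript.

```python
"""Cross-check a pacman sync database against the packages a mirror serves.

Constructed example: the sync db and the packages are built in memory as
uncompressed tar archives, so nothing is downloaded or installed.
"""
import hashlib
import io
import tarfile


def _tar_bytes(members):
    """Build an uncompressed tar archive in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in members.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def parse_desc(text):
    """Parse pacman's desc format (%KEY% line, value lines, blank line)."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith("%") and line.endswith("%"):
            key = line.strip("%")
            fields[key] = []
        elif line and key is not None:
            fields[key].append(line)
    return fields


def parse_pkginfo(text):
    """Parse the `key = value` lines of a package's .PKGINFO."""
    info = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and " = " in line:
            k, v = line.split(" = ", 1)
            info[k] = v
    return info


def vercmp(a, b):
    """Simplified stand-in for pacman's vercmp (assumption: dotted numeric
    pkgver plus numeric pkgrel). Returns -1, 0 or 1."""
    def parts(v):
        ver, _, rel = v.partition("-")
        return [int(x) for x in ver.split(".")], int(rel or 0)
    av, ar = parts(a)
    bv, br = parts(b)
    return (av > bv) - (av < bv) or (ar > br) - (ar < br)


def check_mirror(db_bytes, served, installed, now, max_age):
    """Return findings for a sync db (bytes) and the packages a mirror serves
    ({filename: bytes}), given installed {name: version}, the current time
    and the maximum acceptable age of the newest package in the db."""
    findings, newest = [], 0
    with tarfile.open(fileobj=io.BytesIO(db_bytes)) as db:
        for m in db.getmembers():
            if not m.name.endswith("/desc"):
                continue
            desc = parse_desc(db.extractfile(m).read().decode())
            name, ver, fname = desc["NAME"][0], desc["VERSION"][0], desc["FILENAME"][0]
            newest = max(newest, int(desc["BUILDDATE"][0]))
            pkg = served.get(fname)
            if pkg is None:
                findings.append(f"{name}: {fname} missing from mirror")
                continue
            # The checksum in an unsigned db proves nothing: a mirror can list
            # whatever hash matches the file it chose to serve.
            if hashlib.sha256(pkg).hexdigest() != desc["SHA256SUM"][0]:
                findings.append(f"{name}: checksum mismatch for {fname}")
                continue
            with tarfile.open(fileobj=io.BytesIO(pkg)) as p:
                info = parse_pkginfo(p.extractfile(".PKGINFO").read().decode())
            if info["pkgver"] != ver:
                findings.append(f"{name}: db says {ver} but package is {info['pkgver']}")
            if name in installed and vercmp(info["pkgver"], installed[name]) < 0:
                findings.append(f"{name}: would downgrade {installed[name]} -> {info['pkgver']}")
    if now - newest > max_age:
        findings.append(f"database stale: newest builddate is {now - newest}s old")
    return findings


def build_scenario(tampered):
    """Constructed data. tampered=True mirrors the transcript: an old file-5.23-2
    build is served under the name file-5.24-2-x86_64.pkg.tar.xz and the db
    entry's version and checksum describe that renamed file."""
    built = 1430000000  # constructed builddate of the old package
    pkgver = "5.23-2" if tampered else "5.24-2"
    pkg = _tar_bytes({".PKGINFO": f"pkgname = file\npkgver = {pkgver}\nbuilddate = {built}\n".encode()})
    fname = "file-5.24-2-x86_64.pkg.tar.xz"
    desc = (f"%FILENAME%\n{fname}\n\n%NAME%\nfile\n\n%VERSION%\n5.24-2\n\n"
            f"%SHA256SUM%\n{hashlib.sha256(pkg).hexdigest()}\n\n%BUILDDATE%\n{built}\n\n")
    return _tar_bytes({"file-5.24-2/desc": desc.encode()}), {fname: pkg}, built


if __name__ == "__main__":
    for tampered in (True, False):
        db, served, built = build_scenario(tampered)
        now = built + (60 if tampered else 1) * 86400
        print("tampered" if tampered else "honest", check_mirror(db, served, {"file": "5.24-1"}, now, 7 * 86400))
```

The version cross-check is the one that catches the transcript's case; the checksum check passes there, exactly as pacman's did, which is why it is not enough on its own. The staleness check only becomes meaningful once the database carries a signed timestamp, as the comment above proposes; without a signature, a mirror can rewrite `%BUILDDATE%` as freely as anything else.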