FS#67232 - verify package checksum integrity with signatures downloaded remotely
Attached to Project:
Pacman
Opened by Eli Schwartz (eschwartz) - Thursday, 09 July 2020, 03:50 GMT
Last edited by Eli Schwartz (eschwartz) - Monday, 10 August 2020, 17:20 GMT
Opened by Eli Schwartz (eschwartz) - Thursday, 09 July 2020, 03:50 GMT
Last edited by Eli Schwartz (eschwartz) - Monday, 10 August 2020, 17:20 GMT
|
Details
In
https://git.archlinux.org/pacman.git/commit/?id=f3dfba73d22b7eca3810a8114f2aab63da488b4c
we fixed
This means if a database doesn't have embedded signatures, but our siglevel wants the package to be signed, we can still validate that signature. However, this breaks our previous checksumming logic, i.e. we don't checksum files if we're checking their PGP signature, because the checksum and the PGP signature both come from the database and either one will only match a byte-identical file. Now that signatures don't necessarily come from the database, we cannot guarantee that anymore -- the package file could be lots of different things, as long as it's signed by *a* valid key, somehow. The fix is to check if we're using an embedded or detached signature, and in the latter case, also check the package checksums. |
This task depends upon
Closed by Eli Schwartz (eschwartz)
Monday, 10 August 2020, 17:20 GMT
Reason for closing: Implemented
Additional comments about closing: in git commit f53ac85ff6cd2f74f8157f23a5e21650cd17f372
Monday, 10 August 2020, 17:20 GMT
Reason for closing: Implemented
Additional comments about closing: in git commit f53ac85ff6cd2f74f8157f23a5e21650cd17f372
- Evil maid attacks might temporarily get access to a trusted PGP key, but not access to the upload server. Bulk-sign bad packages, then attack user mirrors. Optionally, bulk-sign packages matching predicted future package versions to continue attacking after rebuilds/updates
- A trusted mirror might provide only databases but not packages with pacman doing failover to the second mirror, or a distribution might directly serve databases but load balance packages across a mirror network. Rogue packagers in control of a mirror can perform targeted attacks against specific users without leaving audit traces on the master repository server.
- Packages built and signed by third parties added to pacman.conf but ranked below distro repos can arbitrarily sign and replace core packages, while the user expected they only need to vet and possibly sandbox packages being installed from [otherrepo] (e.g. eyeballing the output of VerbosePkgLists, installing with pacman --noscriptlet, pacinstall --no-hooks --no-scriptlet). They can also perform targeted attacks in the load-balanced case. (This can be solved by per-repo pinning of valid key fingerprints.)
- Packagers might upload testing packages and ask users to install them with pacman -U, then after it turns out to be broken, rebuild without bumping pkgrel and ask users to install once again with pacman -U, then directly move the second attempt to the official repos. Attackers can now feed people broken packages that crash the system.
But that wouldn't help, if an attacker with access to a package-signing key could replace packages (permitted by the proposed key policy) and doesn't *need* to rebuild the database and re-sign it (not permitted by the proposed key policy without a db-signing key).
pacman database already contains SHA256 for packages. We just need to enable it for detached signatures use-case.