Your message dated Tue, 1 Jul 2008 07:17:22 +0300
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#478123: --verify option (incomplete patch, RFC)
has caused the Debian Bug report #478123,
regarding --verify option (incomplete patch, RFC)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
478123: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=478123
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: dpkg
Version: 1.13.25
Severity: wishlist
Tags: patch

This is an incomplete patch for implementing a --verify option.  I'd like
to receive feedback before completing it, to make sure you're comfortable
with this approach.

The problem I find is that there's no way to actually verify signatures
with the current scheme.  Given a .deb, dpkg will only verify the signature
(and fail when it is invalid) if a signature is found.  So you can defeat
this security scheme by simply feeding a .deb without any signature, and
dpkg will happily process it.

My proposal is that "--verify" forces dpkg to reject the deb unless a
signature is found (and is valid).

The only complication was making this coexist with current behaviour
(checking for signature when one is found, even if it wasn't requested,
etc).  I think the attached patch achieves this.  Please let me know if
it looks good so I can complete it and test it properly.

Thanks

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8)

Versions of packages dpkg depends on:
ii  coreutils              5.97-5.3          The GNU core utilities
ii  libc6                  2.3.6.ds1-13etch5 GNU C Library: Shared libraries

dpkg recommends no packages.

-- no debconf information
--- ../dpkg-1.14.18.old/src/processarc.c	2008-04-09 08:35:17.000000000 +0200
+++ src/processarc.c	2008-04-27 12:38:05.000000000 +0200
@@ -136,8 +136,12 @@
     }
   }
   
+{
+  int sig_was_checked = 0, sig_is_good = 0;
+
   /* Verify the package. */
   if (!f_nodebsig && (stat(DEBSIGVERIFY, &stab)==0)) {
+    sig_was_checked = 1;
     printf(_("Authenticating %s ...\n"), filename);
     fflush(stdout);
     c1 = m_fork();
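Review bot: the bare `{` added just before the `/* Verify the package. */` comment opens a block whose closing brace only appears in the next hunk, purely to give `sig_was_checked` and `sig_is_good` a declaration point mid-function; declaring both with the function's other locals would avoid a brace pair that is easy to mismatch later and would keep the added lines at the same indent level as the verification code they wrap. Also, `sig_was_checked = 1` is set as soon as `stat(DEBSIGVERIFY, &stab)==0` succeeds, before `m_fork()`, so it records "verifier present" rather than "verification completed"; a name such as `verifier_present` would make the later `sig_was_checked && ! fc_badverify` condition read as what it actually tests.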
@@ -148,16 +152,22 @@
       int status;
       waitpid(c1, &status, 0);
       if (!(WIFEXITED(status) && WEXITSTATUS(status) == 0)) {
-	if (! fc_badverify) {
-	  ohshit(_("Verification on package %s failed!"), filename);
-	} else {
-	  fprintf(stderr, _("Verification on package %s failed,\nbut installing anyway as you request.\n"), filename);
-	}
+	printf(_("failed\n"));
       } else {
+	sig_is_good = 1;
 	printf(_("passed\n"));
       }
     }
   }
+
+  if (! sig_is_good) {
+    if (f_verify || (sig_was_checked && ! fc_badverify)) {
+      ohshit(_("Verification on package %s failed!"), filename);
+    } else if (sig_was_checked) {
+      fprintf(stderr, _("Verification on package %s failed,\nbut installing anyway as you request.\n"), filename);
+    }
+  }
+}
     
 
   if (f_noact) {
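Review bot: `f_verify` is used in the new condition `if (f_verify || (sig_was_checked && ! fc_badverify))` but is neither declared nor wired to a `--verify` option anywhere in this patch, so it will not compile as posted; the flag's declaration and option parsing belong in the same change. Two behaviours are worth confirming: when `f_verify` is set and DEBSIGVERIFY is absent, the user still gets "Verification on package %s failed!" although no verifier ran, so a distinct message (verification requested but DEBSIGVERIFY not available) would be clearer; and `f_verify` now takes precedence over `fc_badverify`, so `--force-bad-verify` no longer downgrades a failed verification to the warning when `--verify` is given, which should be stated in the option documentation if that is intended.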

--- End Message ---
--- Begin Message ---
Hi,

On Fri, 2008-05-02 at 07:24:01 +0300, Guillem Jover wrote:
> On Sun, 2008-04-27 at 12:44:31 +0200, Robert Millan wrote:
> > Package: dpkg
> > Version: 1.13.25
> > Severity: wishlist
> > Tags: patch
> > 
> > This is an incomplete patch for implementing a --verify option.  I'd like
> > to receive feedback before completing it, to make sure you're comfortable
> > with this approach.
> > 
> > The problem I find is that there's no way to actually verify signatures
> > with the current scheme.  Given a .deb, dpkg will only verify the signature
> > (and fail when it is invalid) if a signature is found.  So you can defeat
> > this security scheme by simply feeding a .deb without any signature, and
> > dpkg will happily process it.
> 
> I think you can specify a debsig-verify policy that will fail if
> there's no signature on a .deb package. And if no-debsig is not
> specified it should do what you want.
> 
> > My proposal is that "--verify" forces dpkg to reject the deb unless a
> > signature is found (and is valid).
> > 
> > The only complication was making this coexist with current behaviour
> > (checking for signature when one is found, even if it wasn't requested,
> > etc).  I think the attached patch achieves this.  Please let me know if
> > it looks good so I can complete it and test it properly.
> 
> The intention I read from your patch is that you want to force the
> failure if you've specified to verify and either debsig-verify failed
> or it was not present. And not the case where there's no signature in
> the .deb package, as dpkg itself does not get that information.

As explained above, I think this is a matter of a policy from whatever
is in charge of the verification (which is not directly dpkg), and
dpkg will honour that decision. Thus closing.

regards,
guillem


--- End Message ---
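A debsig-verify policy of the kind Guillem refers to, added here as an illustration (it is not part of either message and not a file shipped by dpkg or debsig-verify): because the signature is listed under `Required` in both `Selection` and `Verification`, a .deb that carries no signature from that key matches no policy and debsig-verify exits non-zero, which is the fail-closed behaviour the report asks for, as long as DEBSIGVERIFY is installed so dpkg invokes it at all. The origin name, key id and keyring filename are placeholders, and the element names and namespace URL are written from memory of debsig-verify's policy-syntax documentation; check them against the DTD shipped with your debsig-verify.

```xml
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "http://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="http://www.debian.org/debsig/1.0/">
  <!-- Constructed example origin. "id" is the long key id of the signing
       key; the keyring is expected under /usr/share/debsig/keyrings/<id>/
       and this policy under /etc/debsig/policies/<id>/ (assumed layout). -->
  <Origin Name="ExampleOrigin" Description="Constructed example origin"
          id="0123456789ABCDEF"/>

  <!-- Selection: this policy applies only to a .deb that carries a
       signature of type "origin" made by the key in the named keyring.
       A package with no such signature selects no policy at all. -->
  <Selection>
    <Required Type="origin" File="example-keyring.gpg" id="0123456789ABCDEF"/>
  </Selection>

  <!-- Verification: that same signature must verify. MinOptional="0" with
       no Optional entries means nothing else can stand in for it. -->
  <Verification MinOptional="0">
    <Required Type="origin" File="example-keyring.gpg" id="0123456789ABCDEF"/>
  </Verification>
</Policy>
```

With this policy in place the failing exit status from debsig-verify is what drives dpkg into the `ohshit` path in processarc.c; if debsig-verify is not installed, the `stat(DEBSIGVERIFY, &stab)` test in the quoted patch skips verification entirely, which is the "not present" case Guillem describes and which no policy file can cover on its own.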