On 03/08/18 05:15, Uwe Kleine-König wrote:
> Hello,
> I hope to have selected the right contact address for this mail, if not,
> please tell me or forward accordingly.
> The kernel.org archive provides signatures for the software available
> (which is great!). The method to verify these according to
> https://www.kernel.org/category/signatures.html#using-gnupg-to-verify-kernel-signatures
> is to download the .tar.xz and the .tar.sign file, unxz the archive and
> check the signature against the .tar file.
> For one this is inconvenient because most tools don't know
> this scheme. In my case this is tooling from Debian to work with
> upstream archives[1].

I know it's a problem for Debian, but changing this scheme for us would
require significant retooling just as it would for Debian infra. The
major upside of the current approach is that we are free to add new
compressors, recompress existing archives with higher compression
ratios, etc., without needing to re-sign all files.

> But it also has an impact on security: As long as the signature isn't
> verified I have to consider the .tar.xz "untrusted" and the fewer tools I
> have to make operate on it the better.  This scheme allows an attacker
> that has control over a mirror to provide a .tar.xz that makes unxz do
> undesirable things, see https://en.wikipedia.org/wiki/Zip_bomb for an
> attack idea.

Which is why we provide sha256sums.asc in each directory.

Konstantin Ryabitsev
Director, IT Infrastructure Security
The Linux Foundation
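
An added example, not part of either message or of kernel.org's tooling: hashing the compressed archive against a checksum list before any decompressor touches it, then decompressing with an output cap as a second guard against the zip-bomb case raised above. It assumes the checksum text is the output of a successful `gpg` verification of sha256sums.asc (not shown) and that it uses `sha256sum`-style lines; the file name and data are constructed.

```python
import hashlib
import lzma

def parse_sums(text):
    """Map filename -> hex digest from `sha256sum`-style lines; other lines are skipped.
    Assumption: `text` is the already signature-verified body of the checksum file."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue
        try:
            bytes.fromhex(parts[0])
        except ValueError:
            continue
        # A leading '*' marks binary mode in sha256sum output.
        sums[parts[1].lstrip("*").strip()] = parts[0].lower()
    return sums

def checked_unxz(name, blob, sums, max_out):
    """Hash the compressed bytes first; decompress only on a match, capped at max_out bytes.
    Handles a single xz stream only."""
    expected = sums.get(name)
    if expected is None:
        raise ValueError(f"{name}: not listed in checksum file")
    if hashlib.sha256(blob).hexdigest() != expected:
        raise ValueError(f"{name}: SHA-256 mismatch, not decompressing")
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
    # Ask for one byte more than the cap so an oversized stream is detectable.
    out = dec.decompress(blob, max_length=max_out + 1)
    if len(out) > max_out:
        raise ValueError(f"{name}: output exceeds {max_out} bytes")
    if not dec.eof:
        raise ValueError(f"{name}: incomplete xz stream")
    return out

# Constructed sample data (not real kernel.org files or digests).
TAR = b"constructed tar payload\n" * 4
XZ = lzma.compress(TAR)
SUMS = f"{hashlib.sha256(XZ).hexdigest()}  example.tar.xz\n"

if __name__ == "__main__":
    print(len(checked_unxz("example.tar.xz", XZ, parse_sums(SUMS), 1024)), "bytes OK")
```
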
