I think we should be in the position to be able to verify the origin of any
software we provide to users.
While we have cryptographic verification of the RPMs (both 'binary' and src),
and we store the hashes of the sources, AFAIK we do very limited verification
of any signatures provided by upstream.
Now, unfortunately, not all upstreams provide useful signatures:
1) Not all upstreams provide signatures (some even say that there is no point,
as no-one verifies them)
2) Some upstreams (such as kernel) use automated mechanisms to generate
signatures (and in the case of kernel explicitly state that they are only
useful for verifying that they match what is on kernel.org, not necessarily
that they match what Linus generated)
3) Some upstreams do provide signatures, but sometimes the signing identity
changes, or the mechanism (sign gzipped tarball once, unzipped tarball next
time)
It seems difficult to argue for upstreams to provide good signatures if no-one
is verifying them.
So, I have started adding signature verification to my packages where upstream
provides signatures:
- tevent
- tdb
- ldb
- samba
In the past few weeks, I have been moving to defining and using a 'check_sig'
macro, and I wonder if it would be useful to move it to spec-helper, and start
using it wherever possible.
This is the version in the ldb spec:
%define check_sig() export GNUPGHOME=%{_tmppath}/rpm-gpghome \
if [ -d "$GNUPGHOME" ] \
then echo "Error, GNUPGHOME $GNUPGHOME exists, remove it and try again"; exit 1 \
fi \
install -d -m700 $GNUPGHOME \
gpg --import %{1} \
gpg --trust-model always --verify %{2} %{?3} \
rm -Rf $GNUPGHOME \
Used as follows:
Source: http://samba.org/ftp/ldb/ldb-%{ldbver}.tar.gz
Source1: http://samba.org/ftp/ldb/ldb-%{ldbver}.tar.gz.asc
Source2: jelmer.asc
[...]
%prep
%check_sig %{SOURCE2} %{SOURCE1} %{SOURCE0}
Producing:
+ export GNUPGHOME=/home/bgmilne/tmp/rpm-gpghome
+ GNUPGHOME=/home/bgmilne/tmp/rpm-gpghome
+ '[' -d /home/bgmilne/tmp/rpm-gpghome ']'
+ install -d -m700 /home/bgmilne/tmp/rpm-gpghome
+ gpg --import /home/bgmilne/Download/source/svn/mageia/ldb/SOURCES/jelmer.asc
gpg: keyring `/home/bgmilne/tmp/rpm-gpghome/secring.gpg' created
gpg: keyring `/home/bgmilne/tmp/rpm-gpghome/pubring.gpg' created
gpg: /home/bgmilne/tmp/rpm-gpghome/trustdb.gpg: trustdb created
gpg: key 1EEF5276: public key "Jelmer Vernooij <[email protected]>" imported
gpg: key D729A457: public key "Jelmer Vernooij <[email protected]>" imported
gpg: Total number processed: 2
gpg: imported: 2 (RSA: 1)
gpg: no ultimately trusted keys found
+ gpg --trust-model always --verify /home/bgmilne/Download/source/svn/mageia/ldb/SOURCES/ldb-1.1.4.tar.gz.asc /home/bgmilne/Download/source/svn/mageia/ldb/SOURCES/ldb-1.1.4.tar.gz
gpg: Signature made Sat 03 Dec 2011 01:14:25 SAST using RSA key ID D729A457
gpg: Good signature from "Jelmer Vernooij <[email protected]>"
gpg: aka "Jelmer Vernooij <[email protected]>"
gpg: aka "Jelmer Vernooij <[email protected]>"
gpg: aka "Jelmer Vernooij <[email protected]>"
gpg: aka "Jelmer Vernooij <[email protected]>"
gpg: aka "Jelmer Vernooij <[email protected]>"
gpg: aka "Jelmer Vernooij <[email protected]>"
gpg: aka "Jelmer Vernooij <[email protected]>"
gpg: aka "Jelmer Vernooij <[email protected]>"
gpg: aka "Jelmer Vernooij <[email protected]>"
gpg: WARNING: Using untrusted key!
gpg: Signature made Sat 03 Dec 2011 01:14:25 SAST using DSA key ID 1EEF5276
gpg: Good signature from "Jelmer Vernooij <[email protected]>"
gpg: aka "Jelmer Vernooij <[email protected]>"
gpg: aka "Jelmer Vernooij <[email protected]>"
gpg: aka "Jelmer Vernooij <[email protected]>"
gpg: aka "Jelmer Vernooij <[email protected]>"
gpg: aka "Jelmer Vernooij <[email protected]>"
gpg: aka "Jelmer Vernooij <[email protected]>"
gpg: aka "Jelmer Vernooij <[email protected]>"
gpg: aka "Jelmer Vernooij <[email protected]>"
gpg: aka "Jelmer Vernooij <[email protected]>"
gpg: WARNING: Using untrusted key!
+ rm -Rf /home/bgmilne/tmp/rpm-gpghome
Tampering with the source results in:
+ export GNUPGHOME=/home/bgmilne/tmp/rpm-gpghome
+ GNUPGHOME=/home/bgmilne/tmp/rpm-gpghome
+ '[' -d /home/bgmilne/tmp/rpm-gpghome ']'
+ install -d -m700 /home/bgmilne/tmp/rpm-gpghome
+ gpg --import /home/bgmilne/Download/source/svn/mageia/ldb/SOURCES/jelmer.asc
gpg: keyring `/home/bgmilne/tmp/rpm-gpghome/secring.gpg' created
gpg: keyring `/home/bgmilne/tmp/rpm-gpghome/pubring.gpg' created
gpg: /home/bgmilne/tmp/rpm-gpghome/trustdb.gpg: trustdb created
gpg: key 1EEF5276: public key "Jelmer Vernooij <[email protected]>" imported
gpg: key D729A457: public key "Jelmer Vernooij <[email protected]>" imported
gpg: Total number processed: 2
gpg: imported: 2 (RSA: 1)
gpg: no ultimately trusted keys found
+ gpg --trust-model always --verify /home/bgmilne/Download/source/svn/mageia/ldb/SOURCES/ldb-1.1.4.tar.gz.asc /home/bgmilne/Download/source/svn/mageia/ldb/SOURCES/ldb-1.1.4.tar.gz
gpg: Signature made Sat 03 Dec 2011 01:14:25 SAST using RSA key ID D729A457
gpg: BAD signature from "Jelmer Vernooij <[email protected]>"
gpg: Signature made Sat 03 Dec 2011 01:14:25 SAST using DSA key ID 1EEF5276
gpg: BAD signature from "Jelmer Vernooij <[email protected]>"
error: Bad exit status from /home/bgmilne/tmp/rpm-tmp.YqBT4j (%prep)
Or, if %{_tmppath}/rpm-gpghome exists (important to check for, since we are
using --trust-model always):
Executing(%prep): /bin/sh -e /home/bgmilne/tmp/rpm-tmp.OEoIHT
+ umask 022
+ cd /home/bgmilne/rpm/BUILD
+ '[' 1 -eq 1 ']'
+ '[' 1 -eq 1 ']'
+ '[' 1 -eq 1 ']'
+ export GNUPGHOME=/home/bgmilne/tmp/rpm-gpghome
+ GNUPGHOME=/home/bgmilne/tmp/rpm-gpghome
+ '[' -d /home/bgmilne/tmp/rpm-gpghome ']'
+ echo 'Error, GNUPGHOME /home/bgmilne/tmp/rpm-gpghome exists, remove it and try again'
Error, GNUPGHOME /home/bgmilne/tmp/rpm-gpghome exists, remove it and try again
+ exit 1
error: Bad exit status from /home/bgmilne/tmp/rpm-tmp.OEoIHT (%prep)
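As an added example (not from the mail above or the ldb spec), here is the same check as a plain shell function that pins the expected signing key by fingerprint using gpg's --status-fd output, so an unrelated key in the keyring cannot satisfy it, and uses a throwaway mktemp GNUPGHOME instead of the "directory exists" check. The key file, fingerprints and status lines used to exercise it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original mail or the ldb spec: check_sig with the
# signing key pinned by fingerprint. Key file, fingerprints and status lines
# used to exercise it are constructed placeholders.

# Read "gpg --status-fd" lines on stdin. Succeed only if a VALIDSIG names the
# expected fingerprint (directly, or as the primary key of the signing subkey)
# and no BADSIG/ERRSIG/expired/revoked-key line appears for any signature.
#   $1 = expected 40-hex fingerprint
status_ok() {
    expected=$1
    ok=1
    seen=0
    while IFS=' ' read -r prefix keyword fpr rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case $keyword in
            VALIDSIG)
                primary=${rest##* }   # last field: primary-key fingerprint
                if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    seen=1
                fi
                ;;
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|NODATA)
                ok=0
                ;;
        esac
    done
    [ "$ok" -eq 1 ] && [ "$seen" -eq 1 ]
}

# $1 = armored public key file, $2 = detached signature, $3 = signed tarball,
# $4 = expected fingerprint. A fresh mktemp GNUPGHOME (mode 0700) replaces the
# "directory exists" check, and the fingerprint comparison replaces
# --trust-model always: any other key that happens to be importable no longer
# passes the check.
check_sig() {
    GNUPGHOME=$(mktemp -d "${TMPDIR:-/tmp}/rpm-gpghome.XXXXXX") || return 1
    export GNUPGHOME
    gpg --batch --quiet --import "$1" 2>/dev/null
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | status_ok "$4"
    rc=$?
    rm -rf "$GNUPGHOME"
    return "$rc"
}
```

In a spec the body would be fed to the macro as before, invoked with the key, the .asc, the tarball and the upstream fingerprint recorded in the spec.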
Comments?
Regards,
Buchan