Hello,

The way some things are distributed on kernel.org (e.g. util-linux
[1], cryptsetup [2], etc.) is such that the authors upload .tar and
.tar.sign files, and then the kernel.org infrastructure compresses
those (creating .tar.gz & .tar.xz) and signs all resulting files
(creating sha256sums.asc) using its own key. More info here [3].

Kernel.org does not make the original .tar files available, which
means there is no file available for which a signature directly from
the developers is also available. In order to check the developer's
provided signature, you must first unpack the file. I consider
unpackers to be of sufficient complexity that I would rather not run
them on arbitrary attacker-provided input.

I could of course verify the signature of the auto-generated
sha256sums.asc file which covers all the files (including compressed
ones), but that means trusting kernel.org infrastructure - which was
compromised in 2011 and may well be compromised again in the future...

If I want to follow qubes packaging best practices [4] and ensure that
no untrusted code gets processed (including unpacked) by the builder,
it seems my best option is to manually download the .tar.gz, verify
the kernel.org sig, unpack it (possibly in a DispVM), verify the
developer's sig, and then pin the sha512 of the original file for
qubes-builder's verify-sources.

To be extra sure I can also re-compress and reproduce (almost) the
original .tar.gz file from the verified .tar file with `gzip --no-name
--best`, and then verify that only the 4 bytes for the timestamp [5]
are different.

Thoughts?

Regards,
Jean-Philippe

[1]: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/
[2]: https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/
[3]: https://www.kernel.org/signature.html#kernel-org-checksum-autosigner-and-sha256sums-asc
[4]: https://www.qubes-os.org/news/2016/05/30/build-security/
[5]: http://www.gzip.org/zlib/rfc-gzip.html#file-format

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/CABQWM_APQC4WqpSSKk1OE0mc24qeRUJ76yZvnbjROod7qxORPQ%40mail.gmail.com.
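The re-compress-and-compare check from the last paragraph, written out as an added example (it is not code from the original post, nor from Qubes or kernel.org). It assumes a POSIX shell with GNU gzip and tar, and that the mirror produced its archive with `gzip --no-name --best`; the sample tarball and the timestamp patched into the "mirror" copy are constructed for the demo. The functions report the 1-based byte offsets at which the two .tar.gz files differ and accept the pair only when every difference lies inside the four-byte MTIME field of the gzip header (RFC 1952 bytes 5-8); a size mismatch, a differing OS byte from another gzip build, or any payload difference is rejected so that it gets inspected rather than pinned.

```shell
#!/bin/sh
# Added example (not from the original post). Checks that a .tar.gz fetched
# from a mirror differs from a local re-compression of the developer-signed
# .tar only in the gzip header MTIME field (1-based bytes 5-8, RFC 1952).
set -eu

# gz_diff_offsets REF.gz CANDIDATE.gz
# Prints the 1-based byte offsets at which the two files differ.
# Returns 2 when sizes differ: a size mismatch is never "timestamp only".
gz_diff_offsets() {
    ref=$1; cand=$2
    if [ "$(wc -c < "$ref" | tr -d ' ')" -ne "$(wc -c < "$cand" | tr -d ' ')" ]; then
        return 2
    fi
    # cmp -l exits 1 whenever the files differ; that is the expected case.
    cmp -l "$ref" "$cand" 2>/dev/null | awk '{print $1}' || true
}

# only_mtime_differs REF.gz CANDIDATE.gz
# Returns 0 when every differing byte lies inside the MTIME field.
only_mtime_differs() {
    offsets=$(gz_diff_offsets "$1" "$2") || return 1
    for off in $offsets; do
        case $off in
            5|6|7|8) ;;   # MTIME: allowed to differ
            *) echo "unexpected difference at byte $off" >&2; return 1 ;;
        esac
    done
    return 0
}

# recompress VERIFIED.tar OUT.gz
# Re-create the archive the way the mirror is assumed to (assumption from
# the post: gzip --no-name --best). --no-name writes MTIME as zero.
recompress() {
    gzip --no-name --best -c "$1" > "$2"
}

# Demo on a constructed tarball: one source file, tarred, then compressed
# twice. One copy gets a fake compress-time MTIME patched in to stand in for
# the mirror's file; the other is the local re-compression.
demo() {
    work=$(mktemp -d)
    mkdir "$work/src"
    printf 'int main(void) { return 0; }\n' > "$work/src/main.c"
    tar -cf "$work/verified.tar" -C "$work" src

    recompress "$work/verified.tar" "$work/mirror.tar.gz"
    # Constructed timestamp 0x5A4F3C21, little-endian, at header bytes 5-8.
    printf '\041\074\117\132' | dd of="$work/mirror.tar.gz" bs=1 seek=4 count=4 conv=notrunc 2>/dev/null

    recompress "$work/verified.tar" "$work/local.tar.gz"
    if only_mtime_differs "$work/mirror.tar.gz" "$work/local.tar.gz"; then
        echo "OK: archives differ only in the gzip MTIME field; safe to pin the mirror's hash"
        rm -rf "$work"
        return 0
    fi
    echo "MISMATCH: do not pin; inspect the mirror's archive" >&2
    rm -rf "$work"
    return 1
}

demo
```

In the workflow from the post, this runs after the developer's signature on the unpacked .tar has been verified: a pass means the mirror's .tar.gz carries exactly that .tar, so its sha512 can be pinned for verify-sources; anything else (including a different gzip version leaving its mark in the OS byte or the deflate stream) is reported as a mismatch and should be looked at before trusting the file.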