On 11/08/2017 10:55 PM, Jean-Philippe Ouellet wrote:
On Wed, Nov 8, 2017 at 10:51 PM, Jean-Philippe Ouellet <j...@vt.edu> wrote:
Hello,
The way some things are distributed on kernel.org (e.g. util-linux
[1], cryptsetup [2], etc.) is such that the authors upload .tar and
.tar.sign files, and then the kernel.org infrastructure compresses
those (creating .tar.gz & .tar.xz) and signs all resulting files
(creating sha256sums.asc) using its own key. More info here [3]
Kernel.org does not make the original .tar files available, which
means there is no file available for which a signature directly from
the developers is also available. In order to check the developer's
provided signature, you must first unpack the file. I consider
unpackers to be of sufficient complexity that I would rather not run
them on arbitrary attacker-provided input.
Specifically: I would rather not run unpackers on unverified
attacker-controlled input, unsandboxed, in a trusted part of the
builder.
Normally I'm more pragmatic and just don't care. Hooray for DispVMs :)
I could of course verify the signature of the auto-generated
sha256sums.asc file which covers all the files (including compressed
ones), but that means trusting kernel.org infrastructure - which was
compromised in 2011 and may well be compromised again in the future...
If I want to follow qubes packaging best practices [4] and ensure that
no untrusted code gets processed (including unpacked) by the builder,
it seems my best option is to manually download the .tar.gz, verify
the kernel.org sig, unpack it (possibly in a DispVM), verify the
developer's sig, and then pin the sha512 of the original file for
qubes-builder's verify-sources.
...manually download the .tar.gz, verify kernel.org sig, send to dispVM
for unpacking, qvm-copy unpacked files to parent VM, verify developer's
sig...
To be extra sure I can also re-compress and reproduce (almost) the
original .tar.gz file from the verified .tar file with `gzip --no-name
--best`, and then verify that only the 4 bytes for the timestamp [5]
are different.
This part sounds unreliable.
--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
--
You received this message because you are subscribed to the Google Groups
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-devel+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-devel@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/87676be1-1f9c-ff08-1e61-7850d148976a%40posteo.net.
For more options, visit https://groups.google.com/d/optout.
