On 11/11/2017 06:11 PM, Jean-Philippe Ouellet wrote:
On Sat, Nov 11, 2017 at 5:54 PM, Chris Laprise <tas...@posteo.net> wrote:
On 11/08/2017 10:55 PM, Jean-Philippe Ouellet wrote:
On Wed, Nov 8, 2017 at 10:51 PM, Jean-Philippe Ouellet <j...@vt.edu> wrote:

The way some things are distributed on kernel.org (e.g. util-linux
[1], cryptsetup [2], etc.) is such that the authors upload .tar and
.tar.sign files, and then the kernel.org infrastructure compresses
those (creating .tar.gz & .tar.xz) and signs all resulting files
(creating sha256sums.asc) using its own key. More info here [3]

Kernel.org does not make the original .tar files available, which
means there is no file available for which a signature directly from
the developers is also available. In order to check the developer's
provided signature, you must first unpack the file. I consider
unpackers to be of sufficient complexity that I would rather not run
them on arbitrary attacker-provided input.
Specifically: I would rather not run unpackers on unverified
attacker-controlled input, unsandboxed, in a trusted part of the

Normally I'm more pragmatic and just don't care. Hooray for DispVMs :)

I could of course verify the signature of the auto-generated
sha256sums.asc file which covers all the files (including compressed
ones), but that means trusting kernel.org infrastructure - which was
compromised in 2011 and may well be compromised again in the future...

If I want to follow qubes packaging best practices [4] and ensure that
no untrusted code gets processed (including unpacked) by the builder,
it seems my best option is to manually download the .tar.gz, verify
the kernel.org sig, unpack it (possibly in a DispVM), verify the
developer's sig, and then pin the sha512 of the original file for
qubes-builder's verify-sources.

...manually download the .tar.gz, verify kernel.org sig, send to dispVM for
unpacking, qvm-copy unpacked files to parent VM, verify developer's sig...
Normally I'd agree, however I am not aware of anything else in the
builder (besides the top-level "build full template in DispVM")
depending on the ability to start DispVMs. I suspect this was an
intentional choice to allow building of Qubes packages on non-Qubes
machines (e.g. qubes-builder docs say: "In order to use it one should
use an rpm-based distro, like Fedora :) and should ensure the
following packages are installed:" [1]).

The ability to do so becomes somewhat more relevant in the context of
aiming for deterministic builds in the long run: it may be quite
desirable to build qubes things on non-qubes machines and ensure the
same binaries are produced.

It sounds like an easy diversion to make: Test for Qubes and use dispvm for unpacking in that case. Builds can still be done on different distros, although with a higher assurance of integrity if done on Qubes.


[1]: https://www.qubes-os.org/doc/qubes-builder/

To be extra sure I can also re-compress and reproduce (almost) the
original .tar.gz file from the verified .tar file with `gzip --no-name
--best`, and then verify that only the 4 bytes for the timestamp [5]
are different.

This part sounds unreliable.
Perhaps. The idea is I would do that manually once and then pin the
hash of the .tar.gz for the verify-sources target. This would only
need to happen once per version bump.


Chris Laprise, tas...@posteo.net
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-devel+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-devel@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to