-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Jean-Philippe Ouellet:
> On Wed, Nov 8, 2017 at 10:51 PM, Jean-Philippe Ouellet <j...@vt.edu> wrote:
>> Hello,
>>
>> The way some things are distributed on kernel.org (e.g. util-linux
>> [1], cryptsetup [2], etc.) is such that the authors upload .tar and
>> .tar.sign files, and then the kernel.org infrastructure compresses
>> those (creating .tar.gz & .tar.xz) and signs all resulting files
>> (creating sha256sums.asc) using its own key. More info here [3]
>>
>> Kernel.org does not make the original .tar files available, which
>> means there is no file available for which a signature directly from
>> the developers is also available. In order to check the developer's
>> provided signature, you must first unpack the file. I consider
>> unpackers to be of sufficient complexity that I would rather not run
>> them on arbitrary attacker-provided input.
> 
> Specifically: I would rather not run unpackers on unverified
> attacker-controlled input, unsandboxed, in a trusted part of the
> builder.

I think it's good to improve the situation here. But keep in mind that
the IMO bigger problem is git. I.e. we already do a lot more processing
of unverified input. But I don't see a solution for this one currently.
(And of course ideally we would use a simpler signature verification
tool than GnuPG)

> Normally I'm more pragmatic and just don't care. Hooray for DispVMs :)
> 
>> I could of course verify the signature of the auto-generated
>> sha256sums.asc file which covers all the files (including compressed
>> ones), but that means trusting kernel.org infrastructure - which was
>> compromised in 2011 and may well be compromised again in the future...
>>
>> If I want to follow qubes packaging best practices [4] and ensure that
>> no untrusted code gets processed (including unpacked) by the builder,
>> it seems my best option is to manually download the .tar.gz, verify
>> the kernel.org sig, unpack it (possibly in a DispVM), verify the
>> developer's sig, and then pin the sha512 of the original file for
>> qubes-builder's verify-sources.

Pinning the hash is probably the less intrusive way. Another option
would be to use a shallow git-clone. 

I think it's important to keep qubes-builder working on a non-Qubes
system. But with a fallback the DispVM solution would also be an option.

I personally would prefer pinning the hash.

>> To be extra sure I can also re-compress and reproduce (almost) the
>> original .tar.gz file from the verified .tar file with `gzip --no-name
>> --best`, and then verify that only the 4 bytes for the timestamp [5]
>> are different.

The .xz is reproducible, see the other mail.

>> [1]: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/
>> [2]: https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/
>> [3]: https://www.kernel.org/signature.html#kernel-org-checksum-autosigner-and-sha256sums-asc
>> [4]: https://www.qubes-os.org/news/2016/05/30/build-security/
>> [5]: http://www.gzip.org/zlib/rfc-gzip.html#file-format
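The one-time, out-of-band check described in the quoted message (verify the kernel.org autosigner's sha256sums.asc, unpack, verify the developer's .tar.sign over the uncompressed tarball, re-create the .tar.gz with `gzip --no-name --best` and confirm that only the 4-byte MTIME field differs, then record the sha512 of the original download for verify-sources) written out as a POSIX shell script. This is an added example, not code from the thread or from qubes-builder. It assumes a GnuPG keyring that already holds the kernel.org autosigner key and the upstream developer's key, kernel.org's file naming (NAME.tar.gz, NAME.tar.sign, sha256sums.asc), and GNU gzip, cmp, awk and coreutils; the function names are the example's own.

```shell
#!/bin/sh
# Added example: out-of-band verification of a kernel.org tarball before its
# sha512 is pinned for qubes-builder's verify-sources.  Assumes the keyring
# already contains the autosigner key and the developer's key (not stated in
# the thread); function names are this example's own.
set -u

# 1. Verify the autosigner's clearsigned sha256sums.asc and check that the
#    downloaded .tar.gz matches the sum listed for it.  This only proves the
#    file is what kernel.org infrastructure published.
verify_kernel_org_sum() { # $1 = sha256sums.asc, $2 = NAME.tar.gz
    gpg --batch --verify "$1" || return 1
    expected=$(awk -v f="$(basename "$2")" '$2 == f { print $1 }' "$1")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# 2. Decompress (ideally inside a DispVM) and verify the developer's detached
#    signature over the uncompressed .tar; this step does not trust kernel.org.
verify_developer_sig() { # $1 = NAME.tar.gz, $2 = NAME.tar.sign; writes NAME.tar
    tarfile="${1%.gz}"
    gzip -dc "$1" > "$tarfile" || return 1
    gpg --batch --verify "$2" "$tarfile"
}

# 3. Compare two gzip files, ignoring only the MTIME field (bytes 4..7 of the
#    header per RFC 1952).  gzip --no-name writes MTIME 0, so that field is
#    expected to differ from kernel.org's copy; any other byte must be equal.
gzip_equal_except_mtime() { # $1 = downloaded .tar.gz, $2 = reproduced .tar.gz
    [ -f "$1" ] && [ -f "$2" ] || return 1
    [ "$(wc -c < "$1")" -eq "$(wc -c < "$2")" ] || return 1
    # cmp -l prints "OFFSET OCTAL1 OCTAL2" per differing byte, offsets 1-based,
    # so MTIME is offsets 5..8.  Pipeline status is awk's, not cmp's.
    cmp -l "$1" "$2" | awk '$1 < 5 || $1 > 8 { bad = 1 } END { exit bad ? 1 : 0 }'
}

# Re-create the .tar.gz from the verified .tar exactly as the thread suggests.
reproduce_and_compare() { # $1 = downloaded .tar.gz, $2 = verified NAME.tar
    gzip --no-name --best -c "$2" > "$2.reproduced.gz" || return 1
    gzip_equal_except_mtime "$1" "$2.reproduced.gz"
}

# 4. The value to pin for verify-sources: the sha512 of the original download,
#    never of anything produced locally.
pin_sha512() { sha512sum "$1" | awk '{ print $1 }'; }

main() { # $1 = NAME.tar.gz, $2 = sha256sums.asc, $3 = NAME.tar.sign
    verify_kernel_org_sum "$2" "$1" || { echo "autosigner check failed" >&2; return 1; }
    verify_developer_sig "$1" "$3" || { echo "developer signature check failed" >&2; return 1; }
    reproduce_and_compare "$1" "${1%.gz}" || { echo "reproduced .tar.gz differs beyond MTIME" >&2; return 1; }
    echo "pin this sha512: $(pin_sha512 "$1")"
}

# Run the full procedure only when the three files are given as arguments.
if [ $# -eq 3 ]; then
    main "$@"
fi
```

Invoke it as `sh verify-kernel-org.sh util-linux-2.31.tar.gz sha256sums.asc util-linux-2.31.tar.sign` from a directory holding the three downloads. The gzip comparison deliberately whitelists only the MTIME offsets rather than, say, the whole 10-byte header, so a changed OS or XFL byte is still reported; the reply above notes that the .xz is reproducible outright, in which case a plain `cmp` of the re-created .tar.xz replaces step 3.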
