Dear Qubes Community,
Simon Gaiser has found a bug in the signed tags verification script. It
was possible to craft a signed tag that would pass the verification even
though the signature did not match that tag. To exploit this issue,
an attacker would need to either perform an effective man-in-the-middle
attack (the default qubes-builder configuration uses HTTPS when connecting
to GitHub) or have write access to one of our repositories. We don't believe
either of those has happened, but since we consider the infrastructure
untrusted, this bug is a security issue.
We advise all users/developers who have a local qubes-builder clone to either
1) perform a fresh qubes-builder clone in a new VM, manually verifying its
signature, to mitigate the effects of a potential compromise, or
2) update qubes-builder, performing manual tag verification this one time:
git fetch origin
git tag -v $(git describe --exact-match origin/master)
# double check the output of the above command, should have "Good
# signature from ..." and *not* "WARNING: This key is not certified
# with a trusted signature!"
git merge --ff-only origin/master
The top commit should be: 9674c1991deef45b1a1b1c71fddfab14ba50dccf
"Fix git tag verification"
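The manual check above asks the reader to eyeball the output of "git tag -v"
for a "Good signature from" line and for the absence of the "not certified"
warning, and then to compare the resulting commit id. The script below, an
added example that is not part of this announcement and not the qubes-builder
verification script itself, performs exactly that check in POSIX sh. The
function and variable names, and the sample gpg transcripts used in
self_check, are all constructed for illustration; the expected commit id is
passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the announcement, not qubes-builder's own script).
# Decides whether a `git tag -v` transcript should be accepted, the same way
# the announcement tells a reader to check it by eye.

# Return 0 only if the transcript contains a "Good signature from" line and
# none of the lines that should make a reader reject the tag.
check_tag_verify_output() {
    out="$1"
    # Any explicit failure from gpg rejects the tag outright.
    case "$out" in
        *"BAD signature"*) return 1 ;;
    esac
    # "Good signature" with an uncertified key is NOT acceptable: gpg prints
    # both lines in that case, so the warning must be checked first.
    case "$out" in
        *"WARNING: This key is not certified with a trusted signature!"*) return 1 ;;
    esac
    case "$out" in
        *"Good signature from"*) return 0 ;;
    esac
    # No "Good signature" line at all (e.g. "Can't check signature: No public key").
    return 1
}

# Verify the annotated tag that sits exactly at $2 in repository $1 and
# compare the commit it points to with the expected id $3.
# Usage (matches the announcement's steps):
#   git fetch origin
#   verify_builder_update . origin/master <expected-commit-id> \
#       && git merge --ff-only origin/master
verify_builder_update() {
    repo="$1"; ref="$2"; expected="$3"
    # Fail if there is no tag exactly at the ref (no tag => nothing verified).
    tag=$(git -C "$repo" describe --exact-match "$ref" 2>/dev/null) || return 1
    # gpg writes its verdict to stderr; capture both streams.
    out=$(git -C "$repo" tag -v "$tag" 2>&1)
    check_tag_verify_output "$out" || { printf '%s\n' "$out" >&2; return 1; }
    actual=$(git -C "$repo" rev-parse "$ref^{commit}") || return 1
    [ "$actual" = "$expected" ]
}

# Constructed gpg transcripts (not real output from any Qubes key) used to
# exercise check_tag_verify_output offline.  Returns 0 if every case is
# classified as expected.
self_check() {
    good='gpg: Signature made Mon 01 Jan 2018 00:00:00 UTC
gpg:                using RSA key 0000000000000000
gpg: Good signature from "Example Signer <signer@example.org>" [full]'
    uncertified='gpg: Good signature from "Example Signer <signer@example.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.'
    bad='gpg: BAD signature from "Example Signer <signer@example.org>" [full]'
    nokey="gpg: Can't check signature: No public key"

    check_tag_verify_output "$good" || return 1
    if check_tag_verify_output "$uncertified"; then return 1; fi
    if check_tag_verify_output "$bad"; then return 1; fi
    if check_tag_verify_output "$nokey"; then return 1; fi
    return 0
}
```

The warning case is the one worth noting: gpg still prints "Good signature
from" for a key that is not certified, so a script that only greps for "Good
signature" would accept exactly the output the announcement tells you to
reject. Checking the warning before the success line closes that gap, and the
commit-id comparison guards against a valid signature on the wrong tag.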
Invisible Things Lab