Dear Qubes Community,

Simon Gaiser has found a bug in the signed-tag verification script. It
was possible to craft a signed tag that would pass verification even
though the signature did not match that tag. To exploit this issue, an
attacker would need either an effective man-in-the-middle attack (the
default qubes-builder configuration uses HTTPS when connecting to
GitHub) or write access to one of our repositories. We don't believe
either of those has happened, but since we consider infrastructure
untrusted, this bug is a security issue.

We advise all users/developers who have a local qubes-builder clone to
either:
1) perform a fresh qubes-builder clone in a new VM, manually verifying
   its signature, to mitigate the effects of a potential compromise, or

2) update qubes-builder, performing manual tag verification this one time:

    cd qubes-builder
    git fetch origin
    git tag -v $(git describe --exact-match origin/master)
    # double-check the output of the above command: it should contain "Good
    # signature from ..." and *not* "WARNING: This key is not certified
    # with a trusted signature!"
    git merge --ff-only origin/master

    The top commit should be: 9674c1991deef45b1a1b1c71fddfab14ba50dccf
        "Fix git tag verification"
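As an added example (this is not the qubes-builder verification script, and it does not describe the specific bug above), here is one way to automate the manual check in step 2 without grepping gpg's human-readable text: parse the machine-readable status lines that `git verify-tag --raw` writes to stderr, and accept a tag only if there is exactly one signature result, it is GOODSIG, VALIDSIG names a pinned fingerprint, and the key has full or ultimate trust (the machine equivalent of "not certified with a trusted signature" being absent). The pinned fingerprint is a placeholder you would replace with the maintainers' key fingerprint.

```python
import subprocess

# Placeholder: pin the fingerprint(s) of the key(s) allowed to sign tags here.
TRUSTED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Status keywords that each report the outcome of one signature.
RESULT_KEYWORDS = {"GOODSIG", "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def tag_signature_ok(status_lines, trusted=TRUSTED_FINGERPRINTS):
    """Return True only if gpg's status output shows exactly one signature,
    it is GOODSIG, VALIDSIG names a pinned fingerprint, and the key has
    full or ultimate trust. Anything else (no signature, a second
    signature, an untrusted or unknown key) is rejected."""
    results = []
    valid_fprs = set()
    trust_ok = False
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue  # ignore gpg's free-text output; only status lines count
        keyword = parts[1]
        if keyword in RESULT_KEYWORDS:
            results.append(keyword)
        elif keyword == "VALIDSIG" and len(parts) >= 3:
            # field 2 is the signing-key fingerprint; the optional last field
            # is the primary-key fingerprint. Accept a pin on either.
            valid_fprs.update({parts[2], parts[-1]})
        elif keyword in ("TRUST_FULLY", "TRUST_ULTIMATE"):
            trust_ok = True
    return results == ["GOODSIG"] and bool(valid_fprs & trusted) and trust_ok


def verify_tag(tag, trusted=TRUSTED_FINGERPRINTS):
    """Run `git verify-tag --raw` (gpg status lines go to stderr) and judge it."""
    proc = subprocess.run(["git", "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return tag_signature_ok(proc.stderr.splitlines(), trusted)
```

Pair `verify_tag()` with a `git rev-parse "<tag>^{commit}"` comparison against the commit you expect, so a good signature on the wrong tag is also rejected.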

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/20180303000511.GD10924%40mail-itl.