Dear Qubes Community,
Simon Gaiser has found a bug in the signed tags verification script. It was
possible to craft a signed tag that would pass the verification even though
the signature did not match that tag.

To exploit this issue, an attacker would need to perform either an effective
man-in-the-middle attack (the default qubes-builder configuration uses HTTPS
when connecting to GitHub), or have write access to one of our repositories.
We don't believe either of those has happened, but since we consider the
infrastructure untrusted, this bug is a security issue.

We advise all users/developers having a local qubes-builder clone to either:

1) perform a fresh qubes-builder clone, in a new VM, manually verifying its
   signature - to mitigate the effects of a potential compromise, or

2) update qubes-builder, performing manual tag verification this one time:

    cd qubes-builder
    git fetch origin
    git tag -v $(git describe --exact-match origin/master)
    # double check the output of the above command, should have "Good
    # signature from ..." and *not* "WARNING: This key is not certified
    # with a trusted signature!"
    git merge --ff-only origin/master

The top commit should be:
9674c1991deef45b1a1b1c71fddfab14ba50dccf "Fix git tag verification"

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
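As an added example (not part of the advisory and not qubes-builder's own verification script), here is a small Python helper that applies the acceptance rule from step 2 to the gpg output of "git tag -v": pass only on "Good signature from", never on "BAD signature", and never when the "not certified" warning is present, with an optional fingerprint pin on top. The signer name, key id, fingerprint and timestamp in the sample output are constructed placeholders, not the real Qubes signing key.

```python
import re
import subprocess
from typing import Optional

# Lines gpg emits on stderr when "git tag -v" verifies a tag (regexes over its text, not a gpg API).
GOOD_SIG = re.compile(r"^gpg: Good signature from ")
BAD_SIG = re.compile(r"^gpg: BAD signature")
UNTRUSTED = re.compile(r"^gpg: WARNING: This key is not certified with a trusted signature!")
FINGERPRINT = re.compile(r"^Primary key fingerprint: (.+)$")


def tag_verification_passes(gpg_output: str, expected_fpr: Optional[str] = None) -> bool:
    """Advisory rule: 'Good signature from' present, no 'BAD signature', no
    'not certified' warning. Optionally also pin the primary key fingerprint."""
    good = bad = untrusted = False
    seen_fpr = None
    for line in gpg_output.splitlines():
        line = line.strip()
        if GOOD_SIG.match(line):
            good = True
        elif BAD_SIG.match(line):
            bad = True
        elif UNTRUSTED.match(line):
            untrusted = True
        elif FINGERPRINT.match(line):
            seen_fpr = FINGERPRINT.match(line).group(1).replace(" ", "").upper()
    if not good or bad or untrusted:
        return False
    return expected_fpr is None or seen_fpr == expected_fpr.replace(" ", "").upper()


def verify_tag(tag: str, repo: str = ".", expected_fpr: Optional[str] = None) -> bool:
    """Run 'git tag -v <tag>' in repo; the tag object goes to stdout, gpg's verdict to stderr."""
    proc = subprocess.run(["git", "-C", repo, "tag", "-v", tag], capture_output=True, text=True)
    return proc.returncode == 0 and tag_verification_passes(proc.stdout + proc.stderr, expected_fpr)


# Constructed sample output (placeholder key id, fingerprint and signer, not the real Qubes key).
GOOD_OUTPUT = (
    "object 9674c1991deef45b1a1b1c71fddfab14ba50dccf\ntype commit\n"
    "gpg: Signature made Sat Mar  3 00:05:11 2018 UTC\n"
    "gpg:                using RSA key 0000000000000000000000000000000000000000\n"
    'gpg: Good signature from "Example Signer <signer@example.org>" [full]\n'
    "Primary key fingerprint: 0000 0000 0000 0000 0000  0000 0000 0000 0000 0000\n"
)
UNTRUSTED_OUTPUT = GOOD_OUTPUT.replace("[full]", "[unknown]") + (
    "gpg: WARNING: This key is not certified with a trusted signature!\n"
    "gpg:          There is no indication that the signature belongs to the owner.\n"
)
BAD_OUTPUT = GOOD_OUTPUT.replace("Good signature from", "BAD signature from")
```

Reading the whole output rather than grepping for a single phrase is the point: a "Good signature" line accompanied by the "not certified" warning still fails, exactly as the manual check above requires.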