On Saturday, March 3, 2018 at 11:40:06 AM UTC-5, Alex Dubois wrote:
> On Saturday, 3 March 2018 00:06:33 UTC, Marek Marczykowski-Górecki  wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> > 
> > Dear Qubes Community,
> > 
> > Simon Gaiser has found a bug in the signed tags verification script. It
> > was possible to craft a signed tag that would pass the verification even
> > though the signature did not match that tag. To exploit this issue,
> > an attacker would need to perform either an effective man-in-the-middle attack
> > (the default qubes-builder configuration uses HTTPS when connecting to
> > GitHub), or have write access to one of our repositories. We don't believe
> > either of those has happened, but since we consider infrastructure
> > untrusted, this bug is a security issue.
> > 
> > We advise all users/developers having a local qubes-builder clone to
> > either:
> > 1) perform a fresh qubes-builder clone, in a new VM, manually verifying its
> >    signature - to mitigate the effects of a potential compromise, or
> > 
> > 2) update qubes-builder, performing manual tag verification this one time:
> > 
> >     cd qubes-builder
> >     git fetch origin
> >     git tag -v $(git describe --exact-match origin/master)
> >     # double check the output of the above command, should have "Good
> >     # signature from ..." and *not* "WARNING: This key is not certified
> >     # with a trusted signature!"
> >     git merge --ff-only origin/master
> > 
> >     The top commit should be: 9674c1991deef45b1a1b1c71fddfab14ba50dccf
> >         "Fix git tag verification"
> > 
> > - -- 
> > Best Regards,
> > Marek Marczykowski-Górecki
> > Invisible Things Lab
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?
> 
> Hi,
> 
> I was in the process of bootstrapping qubes-builder on a Windows machine 
> using adubois/qubes-builder-windows, which was forked on GitHub a few days back.
> 
> On launching script/get-be.ps1 (on an empty disk), the script, after importing
> the Qubes master signing key 0x36879494 and a number of developer keys (Marek's
> being 42CFA724), which had already been imported (so the message was "not changed"),
> gives me the following error on qubes-builder tag verification:
> Signature made Sat Mar 3 00:03:11 2018 GMTST
>               using RSA key 063938BA42CFA724
> Can't check signature: public key not found
> Failed to verify qubes-builder! Output:
> object 9674c1991deef45b1a1b1c71fddfab14ba50dccf type commit tag mm_9674c199 
> tagger Marek Marczykowski-Górecki <marma...@invisiblethingslab.com> 
> 1520035393 +0100 Tag for commit 9674c1991deef45b1a1b1c71fddfab14ba50dccf
> 
> Hopefully I haven't made a typo...
> 
> I am not sure what to do.
> The script automatically does option 1 by performing a git clone of 
> QubesOS/qubes-builder.
> 
> Thanks in advance for the help.
> Alex


I created a new VM, downloaded a new qubes-builder and imported all GPG sigs.

I ran the manual verification commands; below is the output:

[user@Build-Qubes qubes-builder]$ git fetch origin
[user@Build-Qubes qubes-builder]$ git tag -v $(git describe --exact-match 
origin/master)
object 9674c1991deef45b1a1b1c71fddfab14ba50dccf
type commit
tag mm_9674c199
tagger Marek Marczykowski-Górecki <marma...@invisiblethingslab.com> 1520035393 
+0100

Tag for commit 9674c1991deef45b1a1b1c71fddfab14ba50dccf
gpg: Signature made Fri 02 Mar 2018 07:03:11 PM EST using RSA key ID 42CFA724
gpg: Good signature from "Marek Marczykowski-Górecki (Qubes OS signing key) 
<marma...@invisiblethingslab.com>"
[user@Build-Qubes qubes-builder]$ git merge --ff-only origin/master
Already up-to-date.
[user@Build-Qubes qubes-builder]$ 
----------------------------------------

All the above looks like the expected output... Good. But...

Now, upon running ./setup > building templates > get sources update, the following 
builder templates fail....

For builder-fedora: 

-> Updating sources for builder-fedora...
--> Fetching from https://github.com/QubesOS/qubes-builder-fedora.git mast
--> Verifying tags...
No valid signed tag found!
---> One of invalid tag:
object a9b47491455a613ae451dfc9a2be947b08e57f73
type commit
tag mm_a9b47491
tagger Marek Marczykowski-Górecki <marma...@invisiblethingslab.com> 15199

Tag for commit a9b47491455a613ae451dfc9a2be947b08e57f73
Makefile:190: recipe for target 'builder-fedora.get-sources' failed


And for builder-debian:


-> Updating sources for builder-debian...
--> Fetching from https://github.com/QubesOS/qubes-builder-debian.git master...
--> Verifying tags...
No valid signed tag found!
---> One of invalid tag:
object a2ed158fd8b3c53ea608b282875f875b6329bb82
type commit
tag mm_a2ed158f
tagger Marek Marczykowski-Górecki <marma...@invisiblethingslab.com> 1519333268 +0100

Tag for commit a2ed158fd8b3c53ea608b282875f875b6329bb82
Makefile:190: recipe for target 'builder-debian.get-sources' failed


And for builder-centos:


-> Updating Sources for builder-centos....
--> Fetching from https://github.com/QubesOS/qubes-builder-centos.git mast
--> Verifying tags...
No valid signed tags found!

One of the invalid tag:
object cfc7d315cfdfe493a86f103a0825ba630339ab8f
type commit
tag mm_cfc7d315
tagger Marek Marczykowski-Górecki <marma...@invisiblethingslab.com> 15196

Tag for commit cfc7d315cfdfe493a86f103a0825ba630339ab8f

Makefile:190: recipe for target 'builder-centos.get-sources' failed
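The advisory's manual check ("Good signature from ..." and no "not certified" warning, on a tag whose object is the expected commit) can be automated strictly by parsing gpg's machine-readable status lines (`git verify-tag --raw`) instead of its human-readable text. The following is an added example, not qubes-builder's own verification script; the status lines, tag body and fingerprint allowlist are constructed samples (the commit id is the one named in the advisory, the fingerprint is a placeholder).

```python
import re

# Constructed sample allowlist of *primary key fingerprints*; the all-zero
# value is a placeholder standing in for the real developer key fingerprint.
TRUSTED_FPRS = {"0" * 40}

# Constructed sample of `git verify-tag --raw` status output for a good,
# ultimately trusted signature (key id taken from the thread above).
STATUS_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 063938BA42CFA724 Marek Marczykowski-Gorecki (Qubes OS signing key)",
    "[GNUPG:] VALIDSIG " + "0" * 40 + " 2018-03-03 1520035391 0 4 0 1 8 00 " + "0" * 40,
    "[GNUPG:] TRUST_ULTIMATE 0 pgp",
]
# Constructed sample matching Alex's "public key not found" failure (rc 9 = no key).
STATUS_NO_PUBKEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 063938BA42CFA724 1 8 00 1520035391 9",
    "[GNUPG:] NO_PUBKEY 063938BA42CFA724",
]
# Constructed tag body as `git cat-file tag mm_9674c199` would print it.
TAG_BODY = (
    "object 9674c1991deef45b1a1b1c71fddfab14ba50dccf\ntype commit\n"
    "tag mm_9674c199\ntagger Marek Marczykowski-Gorecki <tagger@example.invalid> 1520035393 +0100\n\n"
    "Tag for commit 9674c1991deef45b1a1b1c71fddfab14ba50dccf\n"
)

def verify_signed_tag(status_lines, tag_body, expected_commit, trusted_fprs):
    """Return (ok, reason). Every condition must hold; any miss fails closed."""
    goodsig = validsig_fpr = trust = None
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        kw = fields[1]
        if kw in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return False, f"signature problem: {kw}"
        elif kw == "GOODSIG":
            goodsig = fields[2]            # long key id of the signing key
        elif kw == "VALIDSIG":
            validsig_fpr = fields[-1]      # primary key fingerprint (last field on gpg 2.x)
        elif kw.startswith("TRUST_"):
            trust = kw                     # gpg's trust verdict for the key
    if goodsig is None or validsig_fpr is None:
        return False, "no good signature found"
    if validsig_fpr not in trusted_fprs:
        return False, f"key {validsig_fpr} not in allowlist"
    if trust not in ("TRUST_FULLY", "TRUST_ULTIMATE"):
        return False, f"key not certified ({trust})"   # the WARNING case
    m = re.search(r"^object ([0-9a-f]{40})$", tag_body, re.M)
    if not m or m.group(1) != expected_commit:
        return False, "tag does not point at expected commit"
    return True, "ok"
```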


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/f9d4f5fa-4cc6-4b70-a653-8d8f9dcd9a5d%40googlegroups.com.