On 11/3/21 14:33, Panu Matilainen wrote:
On 11/3/21 14:26, Panu Matilainen wrote:
On 11/1/21 17:37, Justus Winter wrote:
[...]
But, not every individual program decides to incorporate an OpenPGP
implementation.  Most defer this kind of policy to some library that
takes care of sunsetting insecure algorithms.

Pointing to openssl or gcrypt doesn't really fly.  gcrypt and openssl
(at least the interface that RPM uses) are providing mechanisms without
policy.  You cannot simply drop SHA1, because unfortunately many things
(like e.g. v4 OpenPGP Fingerprint computation, content addressable
storage like git) depend on that.  That doesn't mean that it is safe to
use SHA1 to verify binary OpenPGP signatures.  But, neither gcrypt nor
openssl is in a position to make that distinction, because they are so
low-level that they lack context.  That context is the OpenPGP
implementation.

And just like openssl and gcrypt are just generic mechanisms without policy, so is an OpenPGP parser. Denying some technically legitimate content is a policy decision that belongs someplace else.

Using SHA1 to verify binary OpenPGP signatures is not inherently dangerous in itself. It's a question of how much you're willing to trust such a signature.

Remember we're talking about a piece of software that will merrily install unsigned packages by default in this day and age. That alone tends to render most security questions moot from the go. For example forcing users to use --nosignature to bypass all checking to access (e.g. just to query) older content with often a valid signature doesn't improve security by any measurable amount in my view.

So actually in rpm, the place for such a policy is in the other policy mechanism of enforcing signatures, introduced in 4.14. With that on, unsigned packages are not permitted and *there* it would make sense to have a configurable which sets the acceptable algorithms for both "plain" hashes and other contexts. It'd actually make a whole lot of sense to have such a mechanism in there. The defaults could be maybe fished out of a system policy, but I dunno about those.

Oops, hit send too soon. I intended to elaborate on this other policy thing:

With the enforcing mode on, you can still read and query packages with no signature just fine, the enforcing happens on signature check and install time. And that's where you want those md5 and sha1 signatures (and whatever the heck user wants) denied, if the policy is set thus. To be clear, no algorithm policy exists in there as of now, but that's where such a thing would belong.

FWIW, filed this as an RFE now so it won't get lost:
https://github.com/rpm-software-management/rpm/issues/1816

        - Panu -
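To illustrate the mechanism/policy split argued in this thread, here is an added example that is not rpm's own code: a parser only reports algorithm names, a separate policy layer decides per context and per operation, and enforcing mode gates the decision. The PackageSigInfo, VerifyPolicy and evaluate names, the operation strings and the sample packages are all assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class PackageSigInfo:
    """What a parser hands back: algorithm names only, no judgement (constructed)."""
    signature_hash: Optional[str]  # hash used inside the OpenPGP signature; None = unsigned
    payload_digest: Optional[str]  # "plain" header/payload digest, if present

@dataclass(frozen=True)
class VerifyPolicy:
    """Hypothetical configurable in the style of the 4.14 enforcing mode."""
    enforce: bool
    signature_hashes: frozenset  # acceptable when verifying signatures
    plain_digests: frozenset     # acceptable for plain hashes

def evaluate(pkg: PackageSigInfo, policy: VerifyPolicy, operation: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Query/read never verifies; install and verify
    apply the algorithm policy only when enforcing mode is on."""
    if operation == "query":
        return True, "query: no verification, package is readable regardless"
    if operation not in ("install", "verify"):
        raise ValueError(f"unknown operation {operation!r}")
    if not policy.enforce:
        return True, "enforcing off: unsigned or weakly signed package tolerated"
    if pkg.signature_hash is None:
        return False, "unsigned package denied by enforcing mode"
    if pkg.signature_hash not in policy.signature_hashes:
        return False, f"{pkg.signature_hash} not acceptable for signature verification"
    if pkg.payload_digest and pkg.payload_digest not in policy.plain_digests:
        return False, f"{pkg.payload_digest} not acceptable as a plain digest"
    return True, "signature and digest algorithms acceptable"

def v4_fingerprint(pubkey_body: bytes) -> str:
    """v4 OpenPGP fingerprint: SHA-1 over 0x99, a two-byte big-endian length and
    the public key packet body. This is fixed by the format, so the mechanism
    must keep SHA-1 even when policy refuses it for signature verification."""
    prefix = b"\x99" + len(pubkey_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + pubkey_body).hexdigest()

# Constructed inputs: an older SHA-1 signed package, a strict and a lax policy.
OLD_PKG = PackageSigInfo(signature_hash="sha1", payload_digest="sha256")
STRICT = VerifyPolicy(True, frozenset({"sha256", "sha512"}), frozenset({"sha256", "sha512"}))
LAX = VerifyPolicy(False, frozenset(), frozenset())

if __name__ == "__main__":
    for op in ("query", "install"):
        print(op, evaluate(OLD_PKG, STRICT, op))
```

Under STRICT the old package still queries fine but is refused at install time; under LAX it installs, matching the behaviour described for enforcing mode off.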

_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint