Re: Are packages built without verifying the source package signatures?

On Sat, Dec 2, 2017 at 7:15 PM, Davide Prina wrote:
> If I'm not mistaken, the automatic package build system doesn't require that the
> source signature is verified correctly.

To clarify what Adam said: there are two times where source package verification can happen during builds.

The first is during "Download source files with APT", which verifies hashes of the source files against the hashes known for those files by apt; the keys for this stage are the archive keys.

The second is during "Unpack source", which runs dpkg-source to extract the source package and (if all Debian package uploader keys are installed) verifies that the signature of the source package matches a known developer key.

The Debian buildds only do the first verification (because the Debian package uploader keys are not all installed), but the Debian archive verifies that all uploads match a known developer key before passing packages to the buildds. So in practice, both verifications are happening, but not in the same place.

--
bye,
pabs

https://wiki.debian.org/PaulWise
Re: Are packages built without verifying the source package signatures?

On Sat, 2017-12-02 at 12:15 +0100, Davide Prina wrote:
> If I'm not mistaken, the automatic package build system doesn't require
> that the source signature is verified correctly.
[...]
> So it doesn't have the public key (?) and so it doesn't check the
> package signature. But the package is built successfully... and
> signed.
>
> If an attacker changes the source and packages it with a wrong private
> key, can he have his "patch" applied to the signed binary packages?

The packages that the buildds are building come from the Debian archives, where the software that accepts uploads verifies the signatures on the uploads. The metadata for the upload queues is also GPG-signed by the archive software.

So, no, in practice it's not feasible for the attacker to inject packages outside of the trust structure without already having compromised some other part of the infrastructure.

Regards,

Adam
Are packages built without verifying the source package signatures?

If I'm not mistaken, the automatic package build system doesn't require that the source signature is verified correctly.

In here:
https://buildd.debian.org/status/fetch.php?pkg=gnome-shell=amd64=3.26.2-1=1509919343=0

I have found this:

Unpack source
-------------

gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/sbuild-nonexistent/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made Sun Nov 5 19:11:53 2017 UTC
gpgv:                using RSA key 09B3AC2ECB169C904345CC546AE1DF0D608F22DC
gpgv:                issuer "bi...@debian.org"
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./gnome-shell_3.26.2-1.dsc
dpkg-source: info: extracting gnome-shell in /<>
dpkg-source: info: unpacking gnome-shell_3.26.2.orig.tar.xz
dpkg-source: info: unpacking gnome-shell_3.26.2-1.debian.tar.xz
dpkg-source: info: applying 27-nm-libexec-path.patch
dpkg-source: info: applying workaround_crasher_fractional_scaling.patch

So it doesn't have the public key (?) and so it doesn't check the package signature. But the package is built successfully... and signed.

If an attacker changes the source and packages it with a wrong private key, can he have his "patch" applied to the signed binary packages?

Ciao
Davide
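The thread turns on telling apart two different gpgv outcomes in the "Unpack source" stage: "Can't check signature: No public key" (the key is merely not installed on the buildd, and the archive already verified the upload) versus a "BAD signature" (the content does not match the signature at all). The following checker, written here as an added example and not part of the thread or of any Debian tooling, parses those log lines and applies that distinction; the log excerpts and the uploader name are constructed to mirror the quoted log.

```python
import re

# Constructed log excerpts (assumption: modelled on the gpgv/dpkg-source lines
# quoted in the thread; not copied from a real buildd log file).
LOG_NO_PUBKEY = """\
gpgv: Signature made Sun Nov  5 19:11:53 2017 UTC
gpgv:                using RSA key 09B3AC2ECB169C904345CC546AE1DF0D608F22DC
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./gnome-shell_3.26.2-1.dsc
dpkg-source: info: extracting gnome-shell in /<>
"""
LOG_BAD_SIG = """\
gpgv: Signature made Sun Nov  5 19:11:53 2017 UTC
gpgv:                using RSA key 09B3AC2ECB169C904345CC546AE1DF0D608F22DC
gpgv: BAD signature from "Example Uploader <uploader@example.org>"
dpkg-source: error: failed to verify signature on ./gnome-shell_3.26.2-1.dsc
"""

KEY_RE = re.compile(r"^gpgv:\s*using (\S+) key ([0-9A-Fa-f]+)")
DSC_RE = re.compile(r"^dpkg-source: (?:warning|error): failed to verify signature on (\S+)")


def classify_unpack_log(text):
    """Summarise the 'Unpack source' stage of a build log.

    status: good (verified against an installed key), bad (signature does not
    match the content), no_public_key (signer's key not installed, the buildd
    case from the thread) or unknown (no gpgv verdict seen).
    """
    result = {"status": "unknown", "key": None, "dsc": None}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            result["key"] = m.group(2).upper()
        m = DSC_RE.match(line)
        if m:
            result["dsc"] = m.group(1)
        if line.startswith("gpgv: Good signature from"):
            result["status"] = "good"
        elif line.startswith("gpgv: BAD signature from"):
            result["status"] = "bad"
        elif line.startswith("gpgv: Can't check signature: No public key"):
            result["status"] = "no_public_key"
    return result


def requires_investigation(result, archive_verified_upload):
    """'No public key' is only a finding when nothing upstream of the build
    (the archive's upload signature check, per Adam and pabs) covered it;
    a BAD signature or a missing verdict always is."""
    if result["status"] == "good":
        return False
    if result["status"] == "no_public_key":
        return not archive_verified_upload
    return True
```

Run against a buildd log, the first sample yields `no_public_key` and is not a finding when the archive's check is trusted, while the second yields `bad` and always is.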