Re: Is packages build without verifying the source package signatures?

2017-12-03 Thread Clément Hermann
On 03/12/2017 12:40, Holger Levsen wrote:
> On Sun, Dec 03, 2017 at 12:05:51PM +0100, Bastian Blank wrote:
>>> in practice, this also has obvious flaws.
>> Please elaborate.
> 
> for a start: one only needs to compromise one machine instead of many...
> 
>>>   what's the technical reason
>>> the buildds are not checking the signatures?
>> Unavailability of the keys.  Key may have been expired between upload
>> and build attempt.
> 
> I'm not sure this is an advantage then... or rather: I'd rather see a
> requirement that keys used for signing are valid for at least another
> year after the upload.
> 

While I understand your reasoning, and I agree more checks are better, I
think keeping expired keys around is a bad idea. What if those keys are
compromised? What about revocation?


Cheers,

-- 
nodens



Re: Is packages build without verifying the source package signatures?

2017-12-03 Thread Kurt Roeckx
On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> On Sat, Dec 2, 2017 at 7:15 PM, Davide Prina wrote:
> 
> > > If I'm not mistaken, the automatic package build system doesn't require that the
> > > source signature be verified correctly.
> 
> To clarify what Adam said: there are two times where source package
> verification can happen during builds. The first is during "Download
> source files with APT", which verifies hashes of the source files
> against the hashes known for those files by apt; the keys for this
> stage are the archive keys. The second is during "Unpack source",
> which runs dpkg-source to extract the source package and (if all
> Debian package uploader keys are installed) verifies that the signature of
> the source package matches a known developer key.

There might even be a 3rd signature, the upstream signature, but
it doesn't cover the whole source. We probably don't have tools to
make it easy to check, but the files needed to do it can be in the
archive.

So the 3 signatures are, in order they are created:
- The upstream developer
- The Debian developer or maintainer
- The Debian archive key

When downloading the source package you start with the 3rd
signature, for which the keys are in the debian-archive-keyring,
which should be installed; apt uses those keys, and so it should
check that signature by default.

For the 2nd signature, the keys are in the debian-keyring package.
dpkg-source will use those keys when that package is installed.

For the 1st signature, if upstream provides them and the maintainer
adds them, the keys are in the source package itself. We only seem
to have 454 source packages doing this currently, which is at least
a big improvement over last year.

Kurt



Re: Is packages build without verifying the source package signatures?

2017-12-03 Thread Holger Levsen
On Sun, Dec 03, 2017 at 01:11:50PM +0100, Bastian Blank wrote:
> It would still only need to compromise one machine: The one from where
> the keys are handled and distributed.

I rest my case. I'd secure the front door even if the side door (atm
still) can be compromised easily.


-- 
cheers,
Holger


signature.asc
Description: PGP signature


Re: Is packages build without verifying the source package signatures?

2017-12-03 Thread Bastian Blank
On Sun, Dec 03, 2017 at 11:40:31AM +, Holger Levsen wrote:
> On Sun, Dec 03, 2017 at 12:05:51PM +0100, Bastian Blank wrote:
> > > in practice, this also has obvious flaws.
> > Please elaborate.
> for a start: one only needs to compromise one machine instead of many...

It would still only need to compromise one machine: The one from where
the keys are handled and distributed.

> > >   what's the technical reason
> > > the buildds are not checking the signatures?
> > Unavailability of the keys.  Key may have been expired between upload
> > and build attempt.
> I'm not sure this is an advantage then... or rather: I'd rather see a
> requirement that keys used for signing are valid for at least another
> year after the upload.

Does not help.  Also people prefer not to have keys lying around that
are valid for this much time.

Bastian

-- 
Love sometimes expresses itself in sacrifice.
-- Kirk, "Metamorphosis", stardate 3220.3



Re: Is packages build without verifying the source package signatures?

2017-12-03 Thread Holger Levsen
On Sun, Dec 03, 2017 at 12:05:51PM +0100, Bastian Blank wrote:
> > in practice, this also has obvious flaws.
> Please elaborate.

for a start: one only needs to compromise one machine instead of many...

> >   what's the technical reason
> > the buildds are not checking the signatures?
> Unavailability of the keys.  Key may have been expired between upload
> and build attempt.

I'm not sure this is an advantage then... or rather: I'd rather see a
requirement that keys used for signing are valid for at least another
year after the upload.


-- 
cheers,
Holger


signature.asc
Description: PGP signature


Re: Is packages build without verifying the source package signatures?

2017-12-03 Thread Bastian Blank
On Sun, Dec 03, 2017 at 10:41:17AM +, Holger Levsen wrote:
> On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> > The Debian buildds only do the first verification (due to all Debian
> > package uploader keys not being installed) but the Debian archive
> > verifies that all uploads match a known developer key before passing
> > packages to the buildds. So in practice, both verifications are
> > happening, but not in the same place.
> in practice, this also has obvious flaws.

Please elaborate.

>   what's the technical reason
> the buildds are not checking the signatures?

Unavailability of the keys.  Key may have been expired between upload
and build attempt.

Bastian

-- 
Leave bigotry in your quarters; there's no room for it on the bridge.
-- Kirk, "Balance of Terror", stardate 1709.2



Re: Is packages build without verifying the source package signatures?

2017-12-03 Thread Holger Levsen
On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> The Debian buildds only do the first verification (due to all Debian
> package uploader keys not being installed) but the Debian archive
> verifies that all uploads match a known developer key before passing
> packages to the buildds. So in practice, both verifications are
> happening, but not in the same place.
in practice, this also has obvious flaws. what's the technical reason
the buildds are not checking the signatures?


-- 
cheers,
Holger


signature.asc
Description: PGP signature


Re: Is packages build without verifying the source package signatures?

2017-12-02 Thread Paul Wise
On Sat, Dec 2, 2017 at 7:15 PM, Davide Prina wrote:

> If I'm not mistaken, the automatic package build system doesn't require that the
> source signature be verified correctly.

To clarify what Adam said: there are two times where source package
verification can happen during builds. The first is during "Download
source files with APT", which verifies hashes of the source files
against the hashes known for those files by apt; the keys for this
stage are the archive keys. The second is during "Unpack source",
which runs dpkg-source to extract the source package and (if all
Debian package uploader keys are installed) verifies that the signature of
the source package matches a known developer key.

The Debian buildds only do the first verification (due to all Debian
package uploader keys not being installed) but the Debian archive
verifies that all uploads match a known developer key before passing
packages to the buildds. So in practice, both verifications are
happening, but not in the same place.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
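What the first stage Paul describes amounts to in practice is a size and SHA-256 check of every source file against the Checksums-Sha256 field, which apt trusts because the Sources index carrying it is signed with the archive key. As an added example (not code from this thread, dpkg or apt), the following does that check; the .dsc text and file contents are constructed sample data, and the OpenPGP check on the .dsc itself (the second stage) is out of scope here.

```python
"""Verify source-package files against a .dsc Checksums-Sha256 field.

Added example (not dpkg/apt code); the .dsc text and files are constructed.
"""
import hashlib

# Constructed stand-ins for the upstream and Debian tarballs of a source package.
FILES = {
    "hello_1.0.orig.tar.xz": b"constructed upstream tarball bytes\n",
    "hello_1.0-1.debian.tar.xz": b"constructed debian tarball bytes\n",
}

def build_dsc(files):
    """Render a minimal .dsc with a Checksums-Sha256 field for the sample files."""
    lines = ["Format: 3.0 (quilt)", "Source: hello", "Checksums-Sha256:"]
    for name, data in files.items():
        # Real .dsc files use exactly this layout: " <sha256> <size> <filename>"
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    return "\n".join(lines) + "\n"

def parse_checksums(dsc_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field."""
    result, in_field = {}, False
    for line in dsc_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):
                break  # continuation lines of a multi-line field start with a space
            digest, size, name = line.split()
            result[name] = (digest.lower(), int(size))
    return result

def verify_files(dsc_text, files):
    """Check every listed file; return (all_ok, list of problem descriptions)."""
    problems = []
    for name, (digest, size) in parse_checksums(dsc_text).items():
        data = files.get(name)
        if data is None:
            problems.append(f"{name}: missing")
        elif len(data) != size:
            problems.append(f"{name}: size mismatch")
        elif hashlib.sha256(data).hexdigest() != digest:
            problems.append(f"{name}: sha256 mismatch")
    return (not problems, problems)
```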



Re: Is packages build without verifying the source package signatures?

2017-12-02 Thread Adam D. Barratt
On Sat, 2017-12-02 at 12:15 +0100, Davide Prina wrote:
> If I'm not mistaken, the automatic package build system doesn't require
> that the source signature be verified correctly.
[...]
> So it doesn't have the public key (?) and so it doesn't check the
> package signature. But the package is built successfully... and
> signed.
> 
> If an attacker changes the source and packages it with a wrong private
> key, can he have his "patch" applied to the signed binary packages?

The packages that the buildds are building come from the Debian
archives, where the software that accepts uploads verifies the
signatures on the uploads. The metadata for the upload queues is also
GPG-signed by the archive software.

So, no, in practice it's not feasible for the attacker to inject
packages outside of the trust structure without already having
compromised some other part of the infrastructure.

Regards,

Adam



Is packages build without verifying the source package signatures?

2017-12-02 Thread Davide Prina
If I'm not mistaken, the automatic package build system doesn't require that
the source signature be verified correctly.


In here:
https://buildd.debian.org/status/fetch.php?pkg=gnome-shell=amd64=3.26.2-1=1509919343=0

I have found this:

Unpack source
-------------

gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/sbuild-nonexistent/.gnupg/trustedkeys.kbx': 
General error

gpgv: Signature made Sun Nov  5 19:11:53 2017 UTC
gpgv:                using RSA key 09B3AC2ECB169C904345CC546AE1DF0D608F22DC
gpgv:                issuer "bi...@debian.org"
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on 
./gnome-shell_3.26.2-1.dsc

dpkg-source: info: extracting gnome-shell in /<>
dpkg-source: info: unpacking gnome-shell_3.26.2.orig.tar.xz
dpkg-source: info: unpacking gnome-shell_3.26.2-1.debian.tar.xz
dpkg-source: info: applying 27-nm-libexec-path.patch
dpkg-source: info: applying workaround_crasher_fractional_scaling.patch

So it doesn't have the public key (?) and so it doesn't check the package
signature. But the package is built successfully... and signed.


If an attacker changes the source and packages it with a wrong private
key, can he have his "patch" applied to the signed binary packages?


Ciao
Davide
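The gpgv lines Davide quotes are exactly what someone reviewing build logs would want to flag automatically rather than spot by eye. As an added example (not sbuild or dpkg code), the following scans an "Unpack source" section and classifies the outcome of the .dsc signature check; the unverified sample reuses the lines quoted above, while the verified sample is constructed with a placeholder key fingerprint and identity.

```python
"""Classify the .dsc signature check in an sbuild "Unpack source" log section.

Added example (not sbuild/dpkg code). LOG_UNVERIFIED is built from the lines
quoted in the message above; LOG_VERIFIED is constructed with a placeholder key.
"""
import re
LOG_UNVERIFIED = """\
gpgv: Signature made Sun Nov  5 19:11:53 2017 UTC
gpgv:                using RSA key 09B3AC2ECB169C904345CC546AE1DF0D608F22DC
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./gnome-shell_3.26.2-1.dsc
dpkg-source: info: unpacking gnome-shell_3.26.2.orig.tar.xz
"""

# Constructed: the same step with the maintainer keyring installed (placeholder key).
LOG_VERIFIED = """\
gpgv: Signature made Sun Nov  5 19:11:53 2017 UTC
gpgv:                using RSA key 0000000000000000000000000000000000000000
gpgv: Good signature from "Placeholder Maintainer <placeholder@example.invalid>"
dpkg-source: info: unpacking gnome-shell_3.26.2.orig.tar.xz
"""

KEY_RE = re.compile(r"gpgv:\s+using \w+ key ([0-9A-Fa-f]{16,40})")
DSC_RE = re.compile(r"dpkg-source: warning: failed to verify signature on (\S+)")

# status values: 'good', 'bad', 'no-public-key', 'unverified' (dpkg-source
# warned but gpgv gave no recognised reason), 'absent' (no signature lines)
def classify_dsc_signature(log_text):
    """Return (status, key_fingerprint_or_None, dsc_path_or_None)."""
    status, fingerprint, dsc = "absent", None, None
    for line in log_text.splitlines():
        m = KEY_RE.search(line)
        if m:
            fingerprint = m.group(1).upper()
        m = DSC_RE.search(line)
        if m:
            dsc = m.group(1)
            if status == "absent":
                status = "unverified"
        if "gpgv: Good signature from" in line:
            status = "good"
        elif "gpgv: BAD signature from" in line:
            status = "bad"
        elif "Can't check signature: No public key" in line:
            status = "no-public-key"
    return status, fingerprint, dsc

def needs_attention(log_text):
    """True unless gpgv positively verified the .dsc signature."""
    return classify_dsc_signature(log_text)[0] != "good"
```

A "good" result still only means the key was in whatever keyring the builder had; which keyring that is decides what the check is worth, which is the point the rest of the thread argues about.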