Re: Is [binary] package signing planned?

2014-02-06 Thread Marc Espie
On Wed, Feb 05, 2014 at 03:59:57PM -0200, Giancarlo Razzolini wrote:
> On 04-02-2014 18:03, Marc Espie wrote:
> > I *encourage* you guys to read signify and pkg_add code and poke holes
> > in them!
> I did read both last night. Signify is very easy and straightforward to
> understand. I wasn't really poking for holes, more for understanding
> than that. The pkg part is a lot more code and I didn't read them all yet.

No kidding. It's cool we have signify, but the pkg_add code was a lot more
effort over quite a few more years :)



Re: Is [binary] package signing planned?

2014-02-05 Thread Giancarlo Razzolini
On 04-02-2014 18:03, Marc Espie wrote:
> I *encourage* you guys to read signify and pkg_add code and poke holes
> in them!
I did read both last night. Signify is very easy and straightforward to
understand. I wasn't really poking for holes, more for understanding
than that. The pkg part is a lot more code and I didn't read them all yet.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC



Is [binary] package signing planned?

2014-02-04 Thread Kim Twain
Hi. I'm seeing, in this mailing list, much talk about the datagate and
related matters, and I can see why the topic may be of interest to
many OpenBSD users.

Anyway, I really like OpenBSD, but I always restrain myself from using
it on a desktop machine for a single reason: while pkg_add supports
signed packages, those provided by the OpenBSD project aren't.

You can easily find other similar complaints on the internet... but I
really fail to understand why the project isn't providing signed
packages, when there is already support for it.

Why do signed packages matter?
Well, I can fetch the ports tree in a secure way, verify its integrity
and origin, and then ports definitions contain source packages hashes.
I like the idea and the flexibility, but on desktop computers, it may
be undesirable to compile software, especially big suites like X,
Gnome, Firefox, LibreOffice.

This gets even worse when the desktop is a laptop computer, like in my case.

I won't use unsigned packages, because there's a concrete risk of
corruption, I don't know if I should trust the mirror, and even with
the official OpenBSD mirrors... it's easy, really easy, for someone to
run an http/ftp MITM on me and give me a backdoored, or trojaned,
binary package.

Not only on a free WiFi, on a hotel, abroad, but even using a secure
connection, it's easy for the isp, or the government, to just give me
a bad bash package, and gain root in a clap of hands.

Then, the datagate revealed how easy it is to modify a stream in
between: if there are people capable of intercepting someone's request
to linkedin on a rogue router in the path, and immediately give back a
page that contains a browser exploit, before the real site can produce
a response, how easy is it to intercept, say, a pkg_add update to an
openbsd mirror and give back a backdoored package? I'm not talking
only about the five eyes, any government, even private entities, are
capable of this.

That's the reason why almost all gnu/linux distributions sign packages.
Even other *BSD distributions are starting to adopt signed binary
packages: pkg(ng), on freebsd, checks that the repository signature is
made with the right key. It calculates the public key's hash, and
confronts it with the hash present in /usr/share/keys/pkg/trusted/.
The repository definition contains a list of packages' hashes, which
is the signed part. Every package provides a signature of all files
provided. TL;DR: pkgng is totally signed.

And pkg_add, as I already stated, while it doesn't have the concept of
a repository, still supports individually signed packages. What is
holding the OpenBSD project from implementing signed binary packages,
and, is it planned?
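The pkg(ng) check described in the previous paragraph, as an added example that is not part of the original post or of pkg(ng)'s own code: the client keeps a set of pinned public-key fingerprints (pkg(ng) keeps them under /usr/share/keys/pkg/trusted/), and repository metadata is accepted only when the key shipped with the repository hashes to a pinned value and the signature verifies under that key. Ed25519 from Go's standard library stands in for whatever signature scheme pkg(ng) actually uses, the two-line `function:`/`fingerprint:` file layout is an assumption, and the keys, metadata and the swapped-key scenario are all constructed here. The pinned fingerprint has to reach the client through some channel other than the mirror it is meant to verify, which is the same key-distribution question that comes up later in this thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Fingerprint is the hex SHA-256 of the raw public key: the value a client pins
// locally, so a key delivered alongside the repository can be checked before use.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// ParseTrusted reads trusted-fingerprint files. The layout assumed here is two
// lines, "function: sha256" and "fingerprint: <hex>"; a file naming any other
// hash function is rejected rather than silently ignored.
func ParseTrusted(files []string) (map[string]bool, error) {
	trusted := map[string]bool{}
	for _, f := range files {
		fn, fp := "", ""
		for _, line := range strings.Split(f, "\n") {
			kv := strings.SplitN(line, ":", 2)
			if len(kv) != 2 {
				continue
			}
			switch strings.TrimSpace(kv[0]) {
			case "function":
				fn = strings.TrimSpace(kv[1])
			case "fingerprint":
				fp = strings.ToLower(strings.TrimSpace(kv[1]))
			}
		}
		if fn != "sha256" || len(fp) != sha256.Size*2 {
			return nil, fmt.Errorf("unsupported or malformed fingerprint file: %q", f)
		}
		trusted[fp] = true
	}
	return trusted, nil
}

// VerifyRepo accepts repository metadata only if the key shipped with it is
// pinned AND the signature verifies under that key. The fingerprint check comes
// first: an unpinned key is refused before its signature is even looked at.
func VerifyRepo(meta, sig []byte, pub ed25519.PublicKey, trusted map[string]bool) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed repository key")
	}
	if !trusted[Fingerprint(pub)] {
		return errors.New("repository key fingerprint is not pinned; refusing to trust it")
	}
	if !ed25519.Verify(pub, meta, sig) {
		return errors.New("repository metadata signature does not verify")
	}
	return nil
}

// Repo is a constructed repository: signed metadata plus the key shipped with it,
// which is exactly the part an on-path attacker could swap for their own.
type Repo struct {
	Meta, Sig []byte
	Pub       ed25519.PublicKey
}

// NewRepo signs constructed metadata with a fresh key.
func NewRepo(meta string) Repo {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Repo{Meta: []byte(meta), Sig: ed25519.Sign(priv, []byte(meta)), Pub: pub}
}

// TrustedFileFor renders the pinned-fingerprint file a user would obtain through
// some channel other than the mirror being verified (install media, for instance).
func TrustedFileFor(pub ed25519.PublicKey) string {
	return "function: sha256\nfingerprint: " + Fingerprint(pub) + "\n"
}

func main() {
	genuine := NewRepo("packagesite: hello-1.0 (constructed metadata)\n")
	trusted, err := ParseTrusted([]string{TrustedFileFor(genuine.Pub)})
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine key, intact metadata:", VerifyRepo(genuine.Meta, genuine.Sig, genuine.Pub, trusted))
	// Same metadata re-signed under a different key: the signature is valid
	// for that key, but the key is not pinned, so the repository is refused.
	swapped := NewRepo("packagesite: hello-1.0 (constructed metadata)\n")
	fmt.Println("swapped key:", VerifyRepo(swapped.Meta, swapped.Sig, swapped.Pub, trusted))
	// Genuine key, altered metadata: pin check passes, signature check fails.
	altered := append([]byte(nil), genuine.Meta...)
	altered = append(altered, "injected: line\n"...)
	fmt.Println("altered metadata:", VerifyRepo(altered, genuine.Sig, genuine.Pub, trusted))
}
```

The point of ordering the checks this way is that a valid signature proves nothing on its own: whoever replaces the key on the wire can sign whatever they like, so the pin is what ties the signature back to the publisher.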



Re: Is [binary] package signing planned?

2014-02-04 Thread Otto Moerbeek
Signing of base and package tarballs has been implemented in current,
and will be included in the next release. 

-Otto

On Tue, Feb 04, 2014 at 02:00:35PM +0100, Kim Twain wrote:

> Hi. I'm seeing, in this mailing list, much talk about the datagate and
> related matters, and I can see why the topic may be of interest to
> many OpenBSD users.
>
> Anyway, I really like OpenBSD, but I always restrain myself from using
> it on a desktop machine for a single reason: while pkg_add supports
> signed packages, those provided by the OpenBSD project aren't.
>
> You can easily find other similar complaints on the internet... but I
> really fail to understand why the project isn't providing signed
> packages, when there is already support for it.
>
> Why do signed packages matter?
> Well, I can fetch the ports tree in a secure way, verify its integrity
> and origin, and then ports definitions contain source packages hashes.
> I like the idea and the flexibility, but on desktop computers, it may
> be undesirable to compile software, especially big suites like X,
> Gnome, Firefox, LibreOffice.
>
> This gets even worse when the desktop is a laptop computer, like in my case.
>
> I won't use unsigned packages, because there's a concrete risk of
> corruption, I don't know if I should trust the mirror, and even with
> the official OpenBSD mirrors... it's easy, really easy, for someone to
> run an http/ftp MITM on me and give me a backdoored, or trojaned,
> binary package.
>
> Not only on a free WiFi, on a hotel, abroad, but even using a secure
> connection, it's easy for the isp, or the government, to just give me
> a bad bash package, and gain root in a clap of hands.
>
> Then, the datagate revealed how easy it is to modify a stream in
> between: if there are people capable of intercepting someone's request
> to linkedin on a rogue router in the path, and immediately give back a
> page that contains a browser exploit, before the real site can produce
> a response, how easy is it to intercept, say, a pkg_add update to an
> openbsd mirror and give back a backdoored package? I'm not talking
> only about the five eyes, any government, even private entities, are
> capable of this.
>
> That's the reason why almost all gnu/linux distributions sign packages.
> Even other *BSD distributions are starting to adopt signed binary
> packages: pkg(ng), on freebsd, checks that the repository signature is
> made with the right key. It calculates the public key's hash, and
> confronts it with the hash present in /usr/share/keys/pkg/trusted/.
> The repository definition contains a list of packages' hashes, which
> is the signed part. Every package provides a signature of all files
> provided. TL;DR: pkgng is totally signed.
>
> And pkg_add, as I already stated, while it doesn't have the concept of
> a repository, still supports individually signed packages. What is
> holding the OpenBSD project from implementing signed binary packages,
> and, is it planned?



Re: Is [binary] package signing planned?

2014-02-04 Thread Christian Weisgerber
Kim Twain kimtwa...@gmail.com wrote:

> Well, I can fetch the ports tree in a secure way, verify its integrity
> and origin,

You can?  How?

-- 
Christian naddy Weisgerber  na...@mips.inka.de



Re: Is [binary] package signing planned?

2014-02-04 Thread Otto Moerbeek
On Tue, Feb 04, 2014 at 03:41:09PM +0100, Daniel Cegiełka wrote:

> 2014-02-04 Kim Twain kimtwa...@gmail.com:
> > Does pkg_add automatically check these signatures, or, as of now, I'd need
> > to manually download the packages, verify them with signify and then install
> > them locally with pkg_add?
>
> from man pkg:
>
> If a package is digitally signed:
>
>   o   pkg_add checks that its packing-list is not corrupted and matches the
>       cryptographic signature stored within.
>
>   o   pkg_add verifies that the signature was emitted by a valid user
>       certificate, signed by one of the authorities in /etc/ssl/pkgca.pem
>
>   o   pkg_add verifies that each file matches its sha256 checksum right
>       after extraction, before doing anything with it.
>
>   o   pkg_add verifies that any dangerous mode or owner is registered in
>       the packing-list.
>
> more:
>
> http://www.openbsd.org/cgi-bin/man.cgi?query=pkg_add&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
>
> Daniel

I believe that in -current, the pubkey comes from /etc/signify.

-Otto



Re: Is [binary] package signing planned?

2014-02-04 Thread Daniel Cegiełka
2014-02-04 Kim Twain kimtwa...@gmail.com:
> Does pkg_add automatically check these signatures, or, as of now, I'd need
> to manually download the packages, verify them with signify and then install
> them locally with pkg_add?

from man pkg:

If a package is digitally signed:

  o   pkg_add checks that its packing-list is not corrupted and matches the
      cryptographic signature stored within.

  o   pkg_add verifies that the signature was emitted by a valid user
      certificate, signed by one of the authorities in /etc/ssl/pkgca.pem

  o   pkg_add verifies that each file matches its sha256 checksum right
      after extraction, before doing anything with it.

  o   pkg_add verifies that any dangerous mode or owner is registered in
      the packing-list.

more:

http://www.openbsd.org/cgi-bin/man.cgi?query=pkg_add&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

Daniel



Re: Is [binary] package signing planned?

2014-02-04 Thread Daniel Cegiełka
2014-02-04 Otto Moerbeek o...@drijf.net:
> On Tue, Feb 04, 2014 at 03:41:09PM +0100, Daniel Cegiełka wrote:


> I believe that in -current, the pubkey comes from /etc/signify.

> -Otto

yes, but man pkg_sign:

     -s signify|x509 [-s cert] -s privkey
             Specify signature parameters for signed packages.  Option
             parameters are as follows:
             signify|x509   choose signify(1) or X.509-style signatures.
             cert           the path to the signer's certificate (X.509 only)
             privkey        the path to the signer's private key.  For
                            signify, the private key name is used to set the
                            @signer annotation.  If a corresponding public
                            key is found, the first signatures will be
                            checked for key mismatches.

     For X.509, the signer's certificate and the signer's private key
     should be generated using standard openssl x509 commands.  This
     assumes the existence of a certificate authority (or several),
     whose public information is recorded as a /etc/ssl/pkgca.pem
     file.

http://www.openbsd.org/cgi-bin/man.cgi?query=pkg_sign&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

I like signify, it is simple, small and secure (Ed25519).

Best,
Daniel



Re: Is [binary] package signing planned?

2014-02-04 Thread Marc Espie
2014-02-04 Kim Twain kimtwa...@gmail.com:
> Does pkg_add automatically check these signatures, or, as of now, I'd need
> to manually download the packages, verify them with signify and then install
> them locally with pkg_add?

In -current, if you don't use any flags to pkg_add, and you don't see any
message at the end, the packages were signed and verified.

(and by default, post 5.5, pkg_add will probably error out if the packages
are not signed if you don't use -Dunsigned !)

Maybe you're already using signed packages and haven't noticed.
(there were two or hiccups in some snapshots, but apart from that, things
have been working great).


Getting a streamlined process WAS the difficult part in getting signed
packages out, NOT the technical feat of having signed packages...

After all, pkg_create/pkg_add has known how to sign stuff for 3 years by now.

signify(1) makes things more transparent: no chain of trust, pure keys.

One cool thing is that the signatures are small enough that they can be
embedded directly in the package (which already has sha256 for everything).

This has the advantage of decentralization: package snapshots can be partially
synchronized, and still each package carries its own signature. Less margin
for strange errors - stuff that works most of the time - more trustworthy.

Remember that message about ssh keys that changed that you used to get when
admins weren't savvy about getting keys around, or all those self-signed
https certificates you've been trained to ignore ? signatures are the same.
if they're not 100% present by default, people will be trained to ignore them.


If you think security is a technicality, you only have 1/3rd of the
story. Getting the process right and making sure the users don't do
anything stupid is the right part.
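Marc's description above and the pkg_add(1) excerpt Daniel quoted earlier describe two layers: a signature over the packing-list that is embedded in the package itself, and a sha256 per file that is checked right after extraction. The Go program below is an added example modelling that flow; it is not pkg_add's or signify's code. crypto/ed25519 stands in for signify, the packing-list format (`@sha name digest` lines followed by an `@signature` line) and the in-memory archive are constructed simplifications, and the key pair is generated on the spot rather than shipped in base.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Files is a constructed stand-in for the archive: file name -> bytes as extracted.
type Files map[string][]byte

// sha256B64 is the per-file digest the packing-list records.
func sha256B64(data []byte) string {
	sum := sha256.Sum256(data)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// BuildPlist emits one "@sha <name> <digest>" line per file (a hypothetical minimal format).
func BuildPlist(files Files) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names) // stable order, so the same files always sign the same bytes
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "@sha %s %s\n", n, sha256B64(files[n]))
	}
	return b.String()
}

// SignPlist appends a signature over the whole packing-list, so it travels inside the package.
func SignPlist(plist string, priv ed25519.PrivateKey) string {
	sig := ed25519.Sign(priv, []byte(plist))
	return plist + "@signature " + base64.StdEncoding.EncodeToString(sig) + "\n"
}

// VerifyPlist returns the signed body, or an error if the signature is absent or invalid.
func VerifyPlist(signed string, pub ed25519.PublicKey) (string, error) {
	i := strings.LastIndex(signed, "@signature ")
	if i < 0 {
		return "", errors.New("package is not signed")
	}
	sig, err := base64.StdEncoding.DecodeString(strings.TrimSpace(signed[i+len("@signature "):]))
	if err != nil {
		return "", fmt.Errorf("malformed signature: %v", err)
	}
	if !ed25519.Verify(pub, []byte(signed[:i]), sig) {
		return "", errors.New("packing-list signature does not verify")
	}
	return signed[:i], nil
}

// Install follows the order the pkg_add(1) excerpt gives: packing-list signature first, then
// every extracted file against its recorded digest before it is used; unlisted files are rejected.
func Install(plist string, files Files, pub ed25519.PublicKey) error {
	body, err := VerifyPlist(plist, pub)
	if err != nil {
		return err
	}
	checked := 0
	for _, line := range strings.Split(strings.TrimSpace(body), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || f[0] != "@sha" {
			return fmt.Errorf("malformed packing-list line %q", line)
		}
		data, ok := files[f[1]]
		if !ok || sha256B64(data) != f[2] {
			return fmt.Errorf("%s: missing or checksum mismatch, not installing", f[1])
		}
		checked++
	}
	if checked != len(files) {
		return errors.New("archive carries files not covered by the signed packing-list")
	}
	return nil
}

// SamplePackage signs a small constructed package with a throwaway key
// (in real life the public key ships in base, not with the package).
func SamplePackage() (ed25519.PublicKey, string, Files) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	files := Files{
		"bin/hello":              []byte("#!/bin/sh\necho hello\n"),
		"share/doc/hello/README": []byte("constructed sample package\n"),
	}
	return pub, SignPlist(BuildPlist(files), priv), files
}

func main() {
	pub, plist, files := SamplePackage()
	fmt.Println("intact package:", Install(plist, files, pub))
	files["bin/hello"] = []byte("#!/bin/sh\necho something else\n") // modified after signing
	fmt.Println("altered file:", Install(plist, files, pub))
	fmt.Println("signature stripped:", Install(BuildPlist(files), files, pub))
}
```

Run as is, it reports a nil error for the intact package, a checksum error for the file modified after signing, and a "not signed" error when the signature line is absent; that last case is the default-deny Marc mentions for post-5.5 pkg_add without -Dunsigned.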



Re: Is [binary] package signing planned?

2014-02-04 Thread Kenneth Westerback
On 4 February 2014 11:25, Marc Espie es...@nerim.net wrote:
> 2014-02-04 Kim Twain kimtwa...@gmail.com:
> > Does pkg_add automatically check these signatures, or, as of now, I'd need
> > to manually download the packages, verify them with signify and then install
> > them locally with pkg_add?
>
> In -current, if you don't use any flags to pkg_add, and you don't see any
> message at the end, the packages were signed and verified.
>
> (and by default, post 5.5, pkg_add will probably error out if the packages
> are not signed if you don't use -Dunsigned !)
>
> Maybe you're already using signed packages and haven't noticed.
> (there were two or hiccups in some snapshots, but apart from that, things
> have been working great).
>
>
> Getting a streamlined process WAS the difficult part in getting signed
> packages out, NOT the technical feat of having signed packages...
>
> After all, pkg_create/pkg_add has known how to sign stuff for 3 years by now.
>
> signify(1) makes things more transparent: no chain of trust, pure keys.
>
> One cool thing is that the signatures are small enough that they can be
> embedded directly in the package (which already has sha256 for everything).
>
> This has the advantage of decentralization: package snapshots can be partially
> synchronized, and still each package carries its own signature. Less margin
> for strange errors - stuff that works most of the time - more trustworthy.
>
> Remember that message about ssh keys that changed that you used to get when
> admins weren't savvy about getting keys around, or all those self-signed
> https certificates you've been trained to ignore ? signatures are the same.
> if they're not 100% present by default, people will be trained to ignore them.
>
>
> If you think security is a technicality, you only have 1/3rd of the
> story. Getting the process right and making sure the users don't do
> anything stupid is the right part.


Maybe even the hard part. <insert sisyphus reference of choice here>

 Ken



Re: Is [binary] package signing planned?

2014-02-04 Thread Giancarlo Razzolini
On 04-02-2014 14:25, Marc Espie wrote:
> making sure the users don't do anything stupid is the right part.

As it has always been. People do stupid things. Even when they're not
expected to. People who care about signed packages will go on further
to verify things. If you care, do your homework. People who do not care,
will blindly trust or not even know that things are signed. That's the
beauty of signify. It works for both the stupid and the smart.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC



Re: Is [binary] package signing planned?

2014-02-04 Thread Kim Twain
Thanks. I tried 5.5 on my laptop and as I said, it works, even better than
freebsd 10, despite being a beta. I will switch to openbsd with the
release. The only other problem is that I have external/ultrabay hdds that
use lvm2, and I'll have to migrate the data, I think.

Anyway, while it's fine to only warn the user in case of an invalid
signature, it would be nice to somehow inform him of the fact that packages
are signed, are being verified (outside of the man page), and that they
passed signature checks, like, for example, yum does.

After all, https informs the user of its use, via the extra S, a lock, a
green bar.
SSH is implicitly secure, and exposes the server's fingerprint. Not
providing positive feedback might trick the user into thinking that
packages are being installed securely while working with old or
misconfigured systems.

On Tuesday 4 February 2014, Marc Espie es...@nerim.net wrote:

> 2014-02-04 Kim Twain kimtwa...@gmail.com:
> > Does pkg_add automatically check these signatures, or, as of now, I'd need
> > to manually download the packages, verify them with signify and then install
> > them locally with pkg_add?
>
> In -current, if you don't use any flags to pkg_add, and you don't see any
> message at the end, the packages were signed and verified.
>
> (and by default, post 5.5, pkg_add will probably error out if the packages
> are not signed if you don't use -Dunsigned !)
>
> Maybe you're already using signed packages and haven't noticed.
> (there were two or hiccups in some snapshots, but apart from that, things
> have been working great).
>
>
> Getting a streamlined process WAS the difficult part in getting signed
> packages out, NOT the technical feat of having signed packages...
>
> After all, pkg_create/pkg_add has known how to sign stuff for 3 years by now.
>
> signify(1) makes things more transparent: no chain of trust, pure keys.
>
> One cool thing is that the signatures are small enough that they can be
> embedded directly in the package (which already has sha256 for everything).
>
> This has the advantage of decentralization: package snapshots can be partially
> synchronized, and still each package carries its own signature. Less margin
> for strange errors - stuff that works most of the time - more trustworthy.
>
> Remember that message about ssh keys that changed that you used to get when
> admins weren't savvy about getting keys around, or all those self-signed
> https certificates you've been trained to ignore ? signatures are the same.
> if they're not 100% present by default, people will be trained to ignore them.
>
>
> If you think security is a technicality, you only have 1/3rd of the
> story. Getting the process right and making sure the users don't do
> anything stupid is the right part.



Re: Is [binary] package signing planned?

2014-02-04 Thread Marc Espie
On Tue, Feb 04, 2014 at 05:40:38PM +0100, Kim Twain wrote:
>
> Thanks. I tried 5.5 on my laptop and as I said, it works, even better
> than freebsd 10, despite being a beta. I will switch to openbsd with
> the release. The only other problem is that I have external/ultrabay
> hdds that use lvm2, and I'll have to migrate the data, I think.
>
> Anyway, while it's fine to only warn the user in case of an invalid
> signature, it would be nice to somehow inform him of the fact that
> packages are signed, are being verified (outside of the man page), and
> that they passed signature checks, like, for example, yum does.
>
> After all, https informs the user of its use, via the extra S, a lock,
> a green bar.

You can check that things are alright by using pkg_info -C



Re: Is [binary] package signing planned?

2014-02-04 Thread Marc Espie
On Tue, Feb 04, 2014 at 02:38:11PM -0200, Giancarlo Razzolini wrote:
> On 04-02-2014 14:25, Marc Espie wrote:
> > making sure the users don't do anything stupid is the right part.
>
> As it has always been. People do stupid things. Even when they're not
> expected to. People who care about signed packages will go on further
> to verify things. If you care, do your homework. People who do not care,
> will blindly trust or not even know that things are signed. That's the
> beauty of signify. It works for both the stupid and the smart.

That's the motto "secure by default".

Does also mean try to make sure things are reasonable by default, and that
people will naturally do not stupid things.

(e.g., https is not reasonable. By default, you get to trust a metric shitload
of authorities you really wouldn't want to trust)



Re: Is [binary] package signing planned?

2014-02-04 Thread Giancarlo Razzolini
On 04-02-2014 15:04, Marc Espie wrote:
> That's the motto "secure by default". Does also mean try to make sure
> things are reasonable by default, and that people will naturally do
> not stupid things. (e.g., https is not reasonable. By default, you
> get to trust a metric shitload of authorities you really wouldn't want
> to trust)
This is the main reason why I use OpenBSD. It does a hell of a great job
in not letting the stupid shoot their own feet. And it has lots of
flexibility for the smart ones tweaking it in anyway. One thing though,
people have the tendency of trying to shoot their own feet, sometimes
just for fun and other times because they will take a gun, assemble it,
load it, and start playing around with it until it accidentally fires on
their feet. For these, I really do not know what I'd say.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC



Re: Is [binary] package signing planned?

2014-02-04 Thread Daniel Cegiełka
2014-02-04 Marc Espie es...@nerim.net:

> signify(1) makes things more transparent: no chain of trust, pure keys.
>
> One cool thing is that the signatures are small enough that they can be
> embedded directly in the package (which already has sha256 for everything).
>
> This has the advantage of decentralization: package snapshots can be partially
> synchronized, and still each package carries its own signature. Less margin
> for strange errors - stuff that works most of the time - more trustworthy.

wow!? really? And how can I be sure that the public key that I
downloaded is exactly the same public key, which is stored on OpenBSD
servers (MITM)? signify is a step in the right direction but does not
fix anything. We need trusted key distribution (or verification) for
signify - without it we will be stuck on the same shit (but
successfully verified).

best regards,
Daniel



Re: Is [binary] package signing planned?

2014-02-04 Thread Matthew Weigel

On 02/04/2014 01:11 PM, Daniel Cegiełka wrote:

> 2014-02-04 Marc Espie es...@nerim.net:
>
> > signify(1) makes things more transparent: no chain of trust, pure keys.
> >
> > One cool thing is that the signatures are small enough that they can be
> > embedded directly in the package (which already has sha256 for everything).
> >
> > This has the advantage of decentralization: package snapshots can be partially
> > synchronized, and still each package carries its own signature. Less margin
> > for strange errors - stuff that works most of the time - more trustworthy.
>
> wow!? really? And how can I be sure that the public key that I
> downloaded is exactly the same public key, which is stored on OpenBSD
> servers (MITM)?


You can't.  But at least that's transparent, rather than obfuscated 
somewhere down a chain of trust.

--
Matthew Weigel
hacker
unique  idempot . ent



Re: Is [binary] package signing planned?

2014-02-04 Thread Marc Espie
On Tue, Feb 04, 2014 at 04:11:15PM -0200, Giancarlo Razzolini wrote:
> On 04-02-2014 15:04, Marc Espie wrote:
> > That's the motto "secure by default". Does also mean try to make sure
> > things are reasonable by default, and that people will naturally do
> > not stupid things. (e.g., https is not reasonable. By default, you
> > get to trust a metric shitload of authorities you really wouldn't want
> > to trust)
> This is the main reason why I use OpenBSD. It does a hell of a great job
> in not letting the stupid shoot their own feet. And it has lots of
> flexibility for the smart ones tweaking it in anyway. One thing though,
> people have the tendency of trying to shoot their own feet, sometimes
> just for fun and other times because they will take a gun, assemble it,
> load it, and start playing around with it until it accidentally fires on
> their feet. For these, I really do not know what I'd say.

Like the chinese curse goes, "may you live in interesting times".

I'd try to convince them to switch to FOO-BSD, so that they go annoy
the developers of FOO.

(unless their attempts at stupidity are madly entertaining, in which case
those crackpots^Wpeople are welcome to stay.)



Re: Is [binary] package signing planned?

2014-02-04 Thread Giancarlo Razzolini
On 04-02-2014 17:23, Marc Espie wrote:
> Like the chinese curse goes, "may you live in interesting times". I'd
> try to convince them to switch to FOO-BSD, so that they go annoy the
> developers of FOO. (unless their attempts at stupidity are madly
> entertaining, in which case those crackpots^Wpeople are welcome to stay.)
They generally are entertaining. Reading misc@ sometimes is pure comedy.
From the top of my mind and recently there was the case of the crackpot
that was offended by the mails on the spamd man page. Man that was a
very funny thread.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC



Re: Is [binary] package signing planned?

2014-02-04 Thread Marc Espie
On Tue, Feb 04, 2014 at 08:11:28PM +0100, Daniel Cegiełka wrote:
> 2014-02-04 Marc Espie es...@nerim.net:
>
> > signify(1) makes things more transparent: no chain of trust, pure keys.
> >
> > One cool thing is that the signatures are small enough that they can be
> > embedded directly in the package (which already has sha256 for everything).
> >
> > This has the advantage of decentralization: package snapshots can be partially
> > synchronized, and still each package carries its own signature. Less margin
> > for strange errors - stuff that works most of the time - more trustworthy.
>
> wow!? really? And how can I be sure that the public key that I
> downloaded is exactly the same public key, which is stored on OpenBSD
> servers (MITM)? signify is a step in the right direction but does not
> fix anything. We need trusted key distribution (or verification) for
> signify - without it we will be stuck on the same shit (but
> successfully verified).

Sigh... the public key is part of BASE, not part of the package, of course.

You can't be sure.

How can you be sure ?

meet Theo,  ask him whether the fingerprint for the public key you have
is the correct one.

But how can you be sure that's Theo ? or me for that matter ?

See ? that's the whole problem with trust.

Simplest solution for that is to tell you like it is: you don't really
exist, my friend. We're just figments of your imagination.



Re: Is [binary] package signing planned?

2014-02-04 Thread Giancarlo Razzolini
On 04-02-2014 17:11, Daniel Cegiełka wrote:
> 2014-02-04 Marc Espie es...@nerim.net:
>
> wow!? really? And how can I be sure that the public key that I
> downloaded is exactly the same public key, which is stored on OpenBSD
> servers (MITM)? signify is a step in the right direction but does not
> fix anything. We need trusted key distribution (or verification) for
> signify - without it we will be stuck on the same shit (but
> successfully verified). best regards, Daniel

Daniel,

Your regards were expressed by many others, including me, both here
and on tech@. There is no solution for this problem. Unless you copy the
original key file from the machine it was created. There are some ways
to mitigate this though. DNSSEC is one of the things that can be done.
They mentioned on tech@, printing the keys on t-shirts. You can buy the
cd's. There is also TLS. I do download and verify things using many
internet links from different locations just to be sure I'm getting the
original version and it was not tampered with along the way. You could do all
of these things. But ultimately you have to either trust or not. Your
mileage may vary.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC



Re: Is [binary] package signing planned?

2014-02-04 Thread Daniel Cegiełka
I agree with the fact that we have no solution to this problem, and
probably will not find it quickly (or ever). I do not want to shout
that now we have to do something. I want to make people aware that
even with signify we still need to keep limited trust.

best,
Daniel



Re: Is [binary] package signing planned?

2014-02-04 Thread Giancarlo Razzolini
On 04-02-2014 17:37, Daniel Cegiełka wrote:
> I agree with the fact that we have no solution to this problem, and
> probably will not find it quickly (or ever). I do not want to shout
> that now we have to do something. I want to make people aware that
> even with signify we still need to keep limited trust.
>
> best,
> Daniel
You do not need to do this. The people who care about this, know that
there is no solution. And do not delude yourself thinking that there
will ever be one. There are many attacks that even with signed packages,
base, whatever, are possible and can be way more damaging. The evil
developer attack, Trusting trust issues, etc. There are lots of vectors
an operational system can be entirely compromised, before it's even
installed on your machine. And since it's an OS, there can't even be
deterministic builds, perhaps just of some binaries in base, for some
platforms, never of the kernel itself.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC



Re: Is [binary] package signing planned?

2014-02-04 Thread Marc Espie
On Tue, Feb 04, 2014 at 05:57:21PM -0200, Giancarlo Razzolini wrote:
> On 04-02-2014 17:37, Daniel Cegiełka wrote:
> > I agree with the fact that we have no solution to this problem, and
> > probably will not find it quickly (or ever). I do not want to shout
> > that now we have to do something. I want to make people aware that
> > even with signify we still need to keep limited trust.
> >
> > best,
> > Daniel
> You do not need to do this. The people who care about this, know that
> there is no solution. And do not delude yourself thinking that there
> will ever be one. There are many attacks that even with signed packages,
> base, whatever, are possible and can be way more damaging. The evil
> developer attack, Trusting trust issues, etc. There are lots of vectors
> an operational system can be entirely compromised, before it's even
> installed on your machine. And since it's an OS, there can't even be
> deterministic builds, perhaps just of some binaries in base, for some
> platforms, never of the kernel itself.

I *encourage* you guys to read signify and pkg_add code and poke holes
in them!