[Bug 381731] New: *.iso downloads without *.asc containing gpg signature
https://bugzilla.novell.com/show_bug.cgi?id=381731

Summary: *.iso downloads without *.asc containing gpg signature
Product: openSUSE 11.0
Version: Beta 1
Platform: All
OS/Version: openSUSE 11.0
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: novell.com-pnt@ladisch.de
QAContact: qa@suse.de
Found By: Beta-Customer

To prevent man-in-the-middle attacks, each openSUSE *.iso download file shall be accompanied by an *.asc file containing the gpg signature using key number 0x9c800aca:
http://en.opensuse.org/SDB:Check_the_validity_of_a_SUSE_RPM_or_ISO_file
http://de.opensuse.org/SDB:Überprüfen_der_Signaturen_von_SUSE_RPM_oder_ISO-Dateien

The *.asc files are missing in the openSUSE 11.0-Beta1 directories:
http://download.opensuse.org/distribution/11.0-Beta1/iso/cd/
http://download.opensuse.org/distribution/11.0-Beta1/iso/torrent/

The download page does not provide a link to the *.asc files:
http://de.opensuse.org/Entwicklerversion
http://en.opensuse.org/Development_Version

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #1 from Marcus Meissner <meissner@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c1
--- Comment #2 from Stephan Kulow <coolo@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c2
--- Comment #3 from Ruediger Oertel <ro@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c3
--- Comment #4 from Stephan Kulow <coolo@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c4
--- Comment #7 from Christian Boltz <suse-beta@cboltz.de>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c7

> I think if we offer something like that, it needs to be done for deltas, live cds, etc.

Exactly. I'd even say that there should be a signature for every file on the openSUSE FTP server. (Except for files that already include a signature, like RPMs and repository metadata.)

> So I would think twice - the SDB article is easily removed :)

Coolo, the request for having GPG signatures for all ISOs is not because Julian thinks you don't have enough work (at least I think so ;-) - it is to enhance the security.

Currently, there are only MD5SUMS files for ISOs, stored in the same directory on the same server as the ISOs. This means that an attacker could upload manipulated ISO files and simply update the MD5SUMS file to make them look valid. GPG signatures would avoid this risk. (Users could even trust downloads from mirror.bundestrojaner.de ;-)

BTW: Everything else (RPMs, repos) is already signed, so signing the ISOs is a missing part. And I'm quite sure that the additional workload is way smaller (my guess: add some lines to the script that also generates the MD5SUMS file) than the work that was needed to implement signed repos ;-)
--- Comment #8 from Lars Vogdt <lrupp@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c8
--- Comment #9 from Peter Poeml <poeml@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c9
--- Comment #10 from Ludwig Nussel <lnussel@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c10
--- Comment #11 from Stephan Kulow <coolo@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c11
--- Comment #12 from Ruediger Oertel <ro@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c12
--- Comment #13 from Peter Poeml <poeml@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c13
--- Comment #14 from Stephan Kulow <coolo@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c14
--- Comment #15 from Christian Boltz <suse-beta@cboltz.de>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c15

> We can force people to get the KEYS file and .asc files always from the origin site, and not from mirrors, by simply excluding them from our rsync modules, so that they are not mirrored.

I'm not sure if this is a good idea - it might cause some confusion ("huh? where are the GPG signatures?") and problems, for example for people downloading from a mirror using rsync or FTP (they will have to start a separate download for the .asc files).

OTOH, downloading the .asc files from another server is not a problem as long as people download the keys from a trusted location. If someone really changed the .asc file, gpg will warn about it.

You can (and should) exclude the KEYS and .asc files from redirection on download.opensuse.org though.

You should also make sure that the keys are signed by some trusted keys (like the security team key) so that users can easily check if the key is the "real" one.
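Comment #7 explains why a checksum file stored beside the ISOs on the same server gives no protection against a tampered mirror, and comment #15 notes that a modified .asc is caught by gpg as long as the key itself came from a trusted place. The script below is an added example, not part of this bug thread or of any openSUSE tooling: it verifies an ISO against its detached .asc signature and accepts the result only when gpg's machine-readable status stream reports a VALIDSIG made by a pinned fingerprint, so that a signature from some other key that happens to be in the keyring is rejected. The fingerprint value is a constructed placeholder (the thread only gives the short key id 0x9c800aca), and `EXPECTED_FPR`, `check_gpg_status` and `verify_iso` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the bug thread: verify a downloaded ISO against its
# detached .asc signature and insist that the signature comes from a pinned key.
# Assumes gpg is installed and the signing key was imported from a trusted
# location (the KEYS file / SDB article), not from the mirror serving the ISO.

# Full 40-hex fingerprint of the key you trust. CONSTRUCTED PLACEHOLDER: the bug
# thread only names the short id 0x9c800aca; replace with the real fingerprint.
EXPECTED_FPR="${EXPECTED_FPR:-0123456789ABCDEF0123456789ABCDEF9C800ACA}"

# check_gpg_status STATUS_TEXT EXPECTED_FPR
# Parses the lines gpg emits with --status-fd and succeeds only when a VALIDSIG
# line names the pinned fingerprint (as signing subkey or as primary key) and no
# line reports a bad, expired, revoked or unverifiable signature.
# GOODSIG alone is not enough: it only says the signature verified with *some*
# key in the keyring, which an attacker-supplied key would also satisfy.
check_gpg_status() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" {
            # $3 is the signing key fingerprint, $NF the primary key fingerprint
            if (toupper($3) == toupper(want) || toupper($NF) == toupper(want)) ok = 1
        }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" ||
        $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# verify_iso ISO [ASC]
# Runs gpg on the detached signature (default: ISO.asc) and feeds the status
# stream to check_gpg_status. Exit status 0 means "signed by the pinned key",
# 1 means verification failed, 2 means an input file is missing.
verify_iso() {
    iso="$1"
    asc="${2:-$1.asc}"
    [ -f "$iso" ] && [ -f "$asc" ] || { echo "missing $iso or $asc" >&2; return 2; }
    status=$(gpg --batch --status-fd 1 --verify "$asc" "$iso" 2>/dev/null)
    check_gpg_status "$status" "$EXPECTED_FPR"
}

# Usage: sh verify-iso.sh some-image.iso [some-image.iso.asc]
if [ "$#" -ge 1 ]; then
    if verify_iso "$@"; then
        echo "OK: $1 is signed by $EXPECTED_FPR"
    else
        echo "FAIL: $1 is NOT verifiably signed by $EXPECTED_FPR" >&2
        exit 1
    fi
fi
```

The check deliberately reads gpg's `--status-fd` output rather than its exit code: gpg exits 0 for any good signature from any imported key, while pinning the fingerprint ties acceptance to the one key the user fetched out of band. Matching on the primary-key fingerprint as well as the signing-key fingerprint keeps the check working if the project signs with a subkey.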
--- Comment #16 from Peter Poeml <poeml@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c16
--- Comment #17 from Julian Ladisch <novell.com-pnt@ladisch.de>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c17
--- Comment #18 from Christoph Thiel <cthiel@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c18
--- Comment #19 from Peter Poeml <poeml@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c19
--- Comment #20 from Ruediger Oertel <ro@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c20
--- Comment #21 from Peter Poeml <poeml@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c21
--- Comment #23 from Lars Vogdt <lrupp@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c23
--- Comment #24 from Lars Vogdt <lrupp@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c24

> Can we please have something like the following?
> http://www.apache.org/dist/httpd/
> which is
> * individual detached signatures in .asc files
> * KEYS file in the same directory

What about a KEYS file that is just a HowTo like: http://httpd.apache.org/dev/verification.html and contains a link (resp. correct --recv-key option) to download the official public key?

If this is ok for everyone: Can someone please write a good HowTo based on the URL above and (at least) the first three paragraphs of http://www.apache.org/dist/httpd/KEYS - so we can delete/enhance the SDB article and place this HowTo in the KEYS file?

A first proposal is here: http://en.opensuse.org/Verifying_ISO-Images - please enhance/fix/tell me your opinion.

Again: I like to use this text in the "KEYS" file in our download section for ISO images.
--- Comment #25 from Julian Ladisch <novell.com-pnt@ladisch.de>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c25
--- Comment #26 from Lars Vogdt <lrupp@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c26
--- Comment #27 from Peter Poeml <poeml@novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=381731#c27