[opensuse-factory] Build service and checksums for source code archive verification
After reading reports about vulnerabilities in some FreeBSD tools for maintaining the Ports tree

(in German) An anonymous document describes security vulnerabilities in FreeBSD components.
http://www.golem.de/news/anonymes-dokument-angriffe-auf-den-freebsd-update-p...

(the linked English text) NON-CRYPTANALYTIC ATTACKS AGAINST FREEBSD UPDATE COMPONENTS
https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f

some people are discussing (in German) the possibility of similar issues in Linux software maintenance infrastructure.

In short, FreeBSD users download source code archives from public FTP/HTTP or HTTPS servers automatically with Ports tools like a simple "make" in /usr/ports or with advanced tools like Portsnap. After the download, tools like Portsnap or make verify the downloaded source archive against locally stored checksums and sizes in the Ports tree. For instance, Bash (bash-4.3.tar.gz) and the bash patches are verified against the locally stored file /usr/ports/shells/bash/distinfo:

/usr/ports> cat shells/bash/distinfo
TIMESTAMP = 1467096568
SHA256 (bash/bash-4.3.tar.gz) = afc687a28e0e24dc21b988fa159ff9dbcf6b7caa92ade8645cc6d5605cd024d4
SIZE (bash/bash-4.3.tar.gz) = 7955839
SHA256 (bash/bash43-001) = ecb3dff2648667513e31554b3ad054ccd89fce38e33367c9459ac3a285153742
SIZE (bash/bash43-001) = 1617
[...]

openSUSE does not use a Ports system like FreeBSD. All source code archive downloads are handled by the package maintainer, who uploads the archives to the openSUSE Build Service, or by service scripts which download source code archives automatically using a secured infrastructure in the build service.

But I wonder how we check the integrity of source code archives in the openSUSE Build Service? I never saw any checksums or PGP signatures in build service projects. Of course one problem is that it's not always easy to find reliable checksums or signatures for any upstream project.
Greetings,
Björn

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Wed, 2016-08-10 at 23:54 +0200, Bjoern Voigt wrote:
But I wonder how we check the integrity of source code archives in the openSUSE Build Service? I never saw any checksums or PGP signatures in build service projects. Of course one problem is that it's not always easy to find reliable checksums or signatures for any upstream project.
There are various levels used (at least for openSUSE:Factory; the farther away you get (devel / home:) the less those are given facts):

* If a full URL is specified to a tarball, OBS will try to download it from there by itself and compare the tarball vs. the one submitted by the user. If they do not match, it is declined (ensuring that what the user submits is what we would get from the upstream website).

* If the package comes with GPG signatures, they are verified as well. For this, the packager has to add a .keyring file with the public key of the project in question (no global catalog maintained; package maintainers have the responsibility here). This is for example done in PackageKit: https://build.opensuse.org/package/show/openSUSE:Factory/PackageKit

There you see next to the tarball a .keyring file (currently holds 2 public keys of the two main devs) and a .asc file (the actual signature of the tarball).

Whenever this package is being submitted to openSUSE:Factory, the signature is being verified. (osc build does the same locally, so you are always sure of good tarballs here.)

And as usual, the resulting rpm is signed with the repo key, which is basically what the user hopefully *can* trust... giving the indication that what he receives is what he is supposed to receive.

IIRC, there is also support for sha checksums, but I'd have to look it up. So at least for upstreams providing this information, we can 'easily' verify them when properly integrated into the package.

But, as you said yourself: not all upstreams provide an easy method to validate it. And I don't think it makes sense if any packager is to produce checksum files; they can't be trusted much more than any random file on the internet. The packager would barely have a chance to verify that his download of the tarball had not already been tampered with.

Cheers,
Dominique
Dominique Leuenberger / DimStar wrote:
> But, as you said yourself: not all upstreams provide an easy method to validate it. And I don't think it makes sense if any packager is to produce checksum files; they can't be trusted much more than any random file on the internet. The packager would barely have a chance to verify that his download of the tarball had not already been tampered with.

Thank you for the detailed information. So I see that the build service has the infrastructure to verify sources on a high and secure level (PGP).

The problem I still see is that not all important Factory packages have source code signatures and PGP keys. I think SHA checksums can be used as a fallback solution if the upstream project does not offer PGP signatures for the source code archives. Every package maintainer can set up their own SHA checksums after verification of the sources, for instance against different mirrors and with infos from announcement posts. (Even with PGP, maintainers can create their own PGP signatures for foreign upstream packages. Of course, this sounds like a bad practice, but it's better than nothing.)

I searched for .keyring and .asc files in some random but important Factory example packages. "yes" means that the package is secured with PGP signatures.

apache2: no
bash: no
coreutils: yes
cryptsetup: yes
glibc: yes
gnutls: yes
gpg2: yes
kernel-source: no
krb5: yes
openssl: yes
PackageKit: yes
postfix: no
rpm: no
samba: yes
vim: no
xorg-x11-driver-input: no
zypper: no

Greetings,
Björn
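As an added example (not code from the thread, from FreeBSD's Ports tools or from OBS), the following Python script shows the two checks the thread talks about: Björn's first message, where a downloaded distfile is verified against the SHA256 and SIZE records of a distinfo file, and his last message, where a maintainer-recorded checksum is accepted only if every independent source (mirrors, the release announcement) agrees with it. The first distinfo block is the one quoted in the thread; the temporary files, the second distinfo, the mirror labels and the disagreeing digest are constructed for the demonstration and do not correspond to any real bash release.

```python
import hashlib
import os
import re
import tempfile

# distinfo records exactly as quoted in the thread (real values from the message).
PAGE_DISTINFO = """\
TIMESTAMP = 1467096568
SHA256 (bash/bash-4.3.tar.gz) = afc687a28e0e24dc21b988fa159ff9dbcf6b7caa92ade8645cc6d5605cd024d4
SIZE (bash/bash-4.3.tar.gz) = 7955839
SHA256 (bash/bash43-001) = ecb3dff2648667513e31554b3ad054ccd89fce38e33367c9459ac3a285153742
SIZE (bash/bash43-001) = 1617
"""

# One record per line: "<SHA256|SIZE> (<distfile>) = <value>"; TIMESTAMP lines are skipped.
RECORD_RE = re.compile(r"^(?P<key>SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def parse_distinfo(text):
    """Map each distfile name to its expected {'sha256': hex, 'size': int}."""
    records = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        entry = records.setdefault(m.group("name"), {})
        if m.group("key") == "SHA256":
            entry["sha256"] = m.group("value").lower()
        else:
            entry["size"] = int(m.group("value"))
    return records


def sha256_of(path):
    """Streaming SHA-256 so a large tarball is never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_distfile(path, expected):
    """Return 'ok', 'missing', 'size-mismatch' or 'sha256-mismatch'.
    SIZE is checked first: it costs nothing and rejects a truncated download
    before any hashing, which is what the SIZE line in distinfo is for."""
    if not os.path.isfile(path):
        return "missing"
    if "size" in expected and os.path.getsize(path) != expected["size"]:
        return "size-mismatch"
    if sha256_of(path) != expected["sha256"]:
        return "sha256-mismatch"
    return "ok"


def cross_check(computed_sha256, published):
    """Fallback when upstream ships no signature: accept the digest the maintainer
    computed only if every independent source publishes the same value.
    published maps a source label to the digest that source publishes.
    Returns (accepted, [labels of sources that disagree])."""
    disagreeing = sorted(s for s, d in published.items() if d.lower() != computed_sha256)
    return (bool(published) and not disagreeing, disagreeing)


def demo():
    """Run the checks on constructed files in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins: the names follow the thread, the bytes are made up.
        tarball = os.path.join(d, "bash-4.3.tar.gz")
        patch = os.path.join(d, "bash43-001")
        with open(tarball, "wb") as f:
            f.write(b"constructed tarball bytes\n" * 100)
        with open(patch, "wb") as f:
            f.write(b"constructed patch bytes\n")  # 24 bytes
        original_digest = sha256_of(tarball)
        # A distinfo written for exactly these constructed files.
        records = parse_distinfo(
            "TIMESTAMP = 1467096568\n"
            f"SHA256 (bash/bash-4.3.tar.gz) = {original_digest}\n"
            f"SIZE (bash/bash-4.3.tar.gz) = {os.path.getsize(tarball)}\n"
            f"SHA256 (bash/bash43-001) = {sha256_of(patch)}\n"
            "SIZE (bash/bash43-001) = 24\n"
        )
        results["tarball"] = verify_distfile(tarball, records["bash/bash-4.3.tar.gz"])
        results["patch"] = verify_distfile(patch, records["bash/bash43-001"])
        # Same length, different content: only the SHA256 line catches this.
        with open(tarball, "r+b") as f:
            f.write(b"X")
        results["tampered"] = verify_distfile(tarball, records["bash/bash-4.3.tar.gz"])
        # Truncated download: the SIZE line catches it before hashing.
        os.truncate(patch, 10)
        results["truncated"] = verify_distfile(patch, records["bash/bash43-001"])
        results["missing"] = verify_distfile(os.path.join(d, "bash43-002"), {"sha256": "", "size": 0})
        # Maintainer-recorded digest cross-checked against constructed sources.
        agree = {"mirror-a": original_digest, "mirror-b": original_digest, "announcement": original_digest}
        results["agree"] = cross_check(original_digest, agree)
        results["split"] = cross_check(original_digest, dict(agree, **{"mirror-b": "0" * 64}))
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The script only covers the checksum side of the thread; the stronger check Dominique describes, verifying the upstream .asc signature against the public keys in the package's .keyring file, is done by OBS (and by osc build locally) and is independent of any checksum the maintainer records. The cross_check function deliberately returns a rejection for an empty source list: a checksum nobody else publishes is, as Dominique notes, no better than any other file fetched from the internet.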