[opensuse-security] ISO Signatures
Greetings,
Could you please publish signatures for the 11.0 ISOs at release? I believe they were never published for 10.3, I never got a reply to my question on the subject[0].
I hope it does not take someone distributing a CD image with a goatse bootloader and the same md5sum for this to be done.
__ [0] http://lists.opensuse.org/opensuse-security/2007-10/msg00001.html
-- Benjamin Weber
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
On Sat, Jun 14, 2008 at 09:22:45AM +0100, Benji Weber wrote:
> Greetings,
> Could you please publish signatures for the 11.0 ISOs at release? I believe they were never published for 10.3, I never got a reply to my question on the subject[0].
> I hope it does not take someone distributing a CD image with a goatse bootloader and the same md5sum for this to be done.
> __ [0] http://lists.opensuse.org/opensuse-security/2007-10/msg00001.html
Well, I read your email and there also was a bugreport. I have asked the people at the time to do so and they agreed to ;)
Ciao, Marcus
The Saturday 2008-06-14 at 09:22 +0100, Benji Weber wrote:
> Greetings,
> Could you please publish signatures for the 11.0 ISOs at release? I believe they were never published for 10.3, I never got a reply to my question on the subject[0].
> I hope it does not take someone distributing a CD image with a goatse bootloader and the same md5sum for this to be done.
> __ [0] http://lists.opensuse.org/opensuse-security/2007-10/msg00001.html
I'm sorry, I don't quite understand. The checksum for the ISO file checks the entire ISO file including the bootloader, so I don't see how the bootloader can be altered and the iso still pass the test.
Perhaps you mean altering the internal check process of the install DVD? I suppose that would be possible, and would be possible even if pgp signatures were used. The only safe procedure is to test the iso file or dvd externally.
-- Cheers, Carlos E. R.
2008/6/14 Carlos E. R. <robin.listas@telefonica.net>:
> I'm sorry, I don't quite understand. The checksum for the ISO file checks the entire ISO file including the bootloader, so I don't see how the bootloader can be altered and the iso still pass the test.
There are MD5SUMs here http://download.opensuse.org/distribution/10.3/iso/cd/MD5SUMS . However, md5 has various weaknesses and it is potentially possible to engineer a modified iso the same size with the same MD5SUM. Furthermore, the md5sums are not even signed, so it's difficult to be sure they are even correct.
Since the bootloader can do anything to your system and is untrusted, it is potentially dangerous to boot from a downloaded openSUSE ISO. The contents file and others itself inside the ISO are signed. I believe it is possible to generate a fully trusted ISO by regenerating the bootloader from signed material. It would be much simpler just to publish signatures for the ISOs though.
-- Benjamin Weber
On Sat, Jun 14, 2008 at 12:44:47PM +0100, Benji Weber wrote:
> 2008/6/14 Carlos E. R. <robin.listas@telefonica.net>:
> > I'm sorry, I don't quite understand. The checksum for the ISO file checks the entire ISO file including the bootloader, so I don't see how the bootloader can be altered and the iso still pass the test.
> There are MD5SUMs here http://download.opensuse.org/distribution/10.3/iso/cd/MD5SUMS . However, md5 has various weaknesses and it is potentially possible to engineer a modified iso the same size with the same MD5SUM. Furthermore, the md5sums are not even signed, so it's difficult to be sure they are even correct.
> Since the bootloader can do anything to your system and is untrusted, it is potentially dangerous to boot from a downloaded openSUSE ISO. The contents file and others itself inside the ISO are signed. I believe it is possible to generate a fully trusted ISO by regenerating the bootloader from signed material. It would be much simpler just to publish signatures for the ISOs though.
I have cross checked the 11.0 staging area and there are both SHA1SUMS and MD5SUMS and all are signed by coolo.
Ciao, Marcus
The Saturday 2008-06-14 at 12:44 +0100, Benji Weber wrote:
> 2008/6/14 Carlos E. R. <robin.listas@telefonica.net>:
> > I'm sorry, I don't quite understand. The checksum for the ISO file checks the entire ISO file including the bootloader, so I don't see how the bootloader can be altered and the iso still pass the test.
> There are MD5SUMs here http://download.opensuse.org/distribution/10.3/iso/cd/MD5SUMS . However, md5 has various weaknesses and it is potentially possible to engineer a modified iso the same size with the same MD5SUM. Furthermore, the md5sums are not even signed, so it's difficult to be sure they are even correct.
I see.
> Since the bootloader can do anything to your system and is untrusted, it is potentially dangerous to boot from a downloaded openSUSE ISO. The contents file and others itself inside the ISO are signed. I believe it is possible to generate a fully trusted ISO by regenerating the bootloader from signed material. It would be much simpler just to publish signatures for the ISOs though.
Checking the signatures of the files is useless during installation from dvd, because the program that does the checking runs from the same dvd that could be potentially compromised. It has to be an overall signature and checked externally.
-- Cheers, Carlos E. R.
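Added example, not part of the thread and not openSUSE's own tooling: the external check the messages above converge on, where the checksum list is authenticated with gpg before any digest in it is trusted. The signature file name SHA1SUMS.asc and the function names are assumptions; the thread only states that SHA1SUMS and MD5SUMS are signed.

```shell
#!/bin/sh
# Run this on an already-trusted system, never from the medium being checked.
# Assumed usage: ./check-iso.sh SHA1SUMS SHA1SUMS.asc image.iso
# (SHA1SUMS.asc is an assumed name for a detached signature.)

# match_sum SUMS ISO
# Compare the ISO's SHA-1 with its entry in a sha1sum-format list.
# Returns 0 on match, 1 on mismatch, 3 when the list has no entry.
match_sum() {
    sums=$1
    iso=$2
    name=$(basename "$iso")
    # Entries look like "<hex>  name" or "<hex> *name" (binary mode).
    want=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$sums")
    [ -n "$want" ] || { echo "no entry for $name in $sums" >&2; return 3; }
    got=$(sha1sum "$iso" | awk '{ print $1 }')
    [ "$got" = "$want" ] || { echo "digest mismatch for $name" >&2; return 1; }
}

# check_iso SUMS SIG ISO
# Step 1: authenticate the list. An unsigned list proves nothing, because
# whoever can replace the image on a mirror can replace the list too.
# Step 2: only then compare the image against the authenticated digest.
# Returns 2 when the signature does not verify.
check_iso() {
    sums=$1
    sig=$2
    iso=$3
    # gpg accepts a good signature from any key in the keyring, so the
    # keyring must hold only a release key whose fingerprint was checked
    # out of band.
    gpg --batch --verify "$sig" "$sums" >/dev/null 2>&1 || {
        echo "checksum list not authenticated: $sums" >&2
        return 2
    }
    match_sum "$sums" "$iso"
}

if [ "$#" -eq 3 ]; then
    check_iso "$@"
fi
```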
On Sat, Jun 14, 2008 at 09:22:45AM +0100, Benji Weber wrote:
> Greetings,
> Could you please publish signatures for the 11.0 ISOs at release? I believe they were never published for 10.3, I never got a reply to my question on the subject[0].
> I hope it does not take someone distributing a CD image with a goatse bootloader and the same md5sum for this to be done.
> __ [0] http://lists.opensuse.org/opensuse-security/2007-10/msg00001.html
> -- Benjamin Weber
This is tracked here: https://bugzilla.novell.com/show_bug.cgi?id=381731 <Bug 381731 – *.iso downloads without *.asc containing gpg signature>
Please hook in :-)
Peter
--
Contact: admin@opensuse.org (a.k.a. ftpadmin@suse.com)
#opensuse-mirrors on freenode.net
Info: http://en.opensuse.org/Mirror_Infrastructure
SUSE LINUX Products GmbH
Research & Development
participants (4)
- Benji Weber
- Carlos E. R.
- Marcus Meissner
- Peter Poeml