[opensuse-security] Re: [security-announce] Package management security on SUSE Linux
Several news sites recently published articles citing a report about attacks on package managers [1]. Some unfortunately chose a wording that could be misunderstood as if a rogue mirror server could trick YaST into installing malicious software when applying regular (security-)updates.
This is not the case. All official update repositories for SUSE Linux based products use cryptographically signed packages and meta data. YaST verifies the cryptographic signatures and rejects any file whose signature doesn't match. Therefore it's not possible for a rogue mirror to introduce malicious software.
Question, please: when a user adds a repository, he is asked to add its key first. Where from is this key imported, from the repository itself, from a central repo, or from the chain of HKP keyservers? Usually we simply click "accept", as there is no clear method of checking, trusting, and importing the key except by clicking "accept" when the repo is added.

Perhaps Yast, or zypper, should include a key management module.

Once the correct key is imported, it is obvious that a rogue repo would be detected. The problem IMO (I haven't read the report) is the key import phase.

I understand you have a person studying this precise problem, so it will be nice to learn the conclusions :-)

-- 
Saludos
Carlos E.R.
Carlos E. R. wrote:
when a user adds a repository, he is asked to add its key first. Where from is this key imported, from the repository itself, from a central repo, or from the chain of HKP keyservers? Usually we simply click "accept", as there is no clear method of checking, trusting, and importing the key except by clicking "accept" when the repo is added.
The key is imported from the repo itself (repomd.xml.key). You are right that there currently is no satisfactory way to initially verify the key. A special view on build.opensuse.org could fix that but is not there yet. :-(
Perhaps Yast, or zypper, should include a key management module.
We opened a feature request for that some time ago already but it's not implemented yet.

cu
Ludwig
-- 
Ludwig Nussel
http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
The Friday 2008-07-18 at 10:09 +0200, Ludwig Nussel wrote:
Carlos E. R. wrote:
when a user adds a repository, he is asked to add its key first. Where from is this key imported, from the repository itself, from a central repo, or from the chain of HKP keyservers? Usually we simply click "accept", as there is no clear method of checking, trusting, and importing the key except by clicking "accept" when the repo is added.
The key is imported from the repo itself (repomd.xml.key). You are right that there currently is no satisfactory way to initially verify the key. A special view on build.opensuse.org could fix that but is not there yet. :-(
Perhaps Yast, or zypper, should include a key management module.
We opened a feature request for that some time ago already but it's not implemented yet.
Ok, so it's on the way, we'll wait. Thanks for the info :-)

-- 
Cheers,
Carlos E. R.
What about using wwwkeys.pgp.net? We'd get all the benefits - key signing, etc. Perhaps this should be looked at for 11.1, or .2?

Jonathon M. Robison
"There are 10 kinds of people in the world. Those who understand binary, and those who don't"

On Fri, 2008-07-18 at 10:09 +0200, Ludwig Nussel wrote:
Carlos E. R. wrote:
when a user adds a repository, he is asked to add its key first. Where from is this key imported, from the repository itself, from a central repo, or from the chain of HKP keyservers? Usually we simply click "accept", as there is no clear method of checking, trusting, and importing the key except by clicking "accept" when the repo is added.
The key is imported from the repo itself (repomd.xml.key). You are right that there currently is no satisfactory way to initially verify the key. A special view on build.opensuse.org could fix that but is not there yet. :-(
Perhaps Yast, or zypper, should include a key management module.
We opened a feature request for that some time ago already but it's not implemented yet.
cu Ludwig
Hello,

On Friday, 18 July 2008, Jonathon M. Robison wrote:
What about using wwwkeys.pgp.net? We'd get all the benefits - key signing, etc.
Quoting http://wiki.linuxtag.org/w/Keysigning

The only keyservers you should use are either subkeys.pgp.net or random.sks.keyserver.penguin.de, if you insist. Any of the keyservers in these clusters are fine. Please do not use other keyservers, like keyserver.net or wwwkeys.pgp.net: They all mangle keys in various ways including, but not limited to: dropping subkeys, moving binding sigs around between subkeys, duplicating user ids, modifying signature subpackets (dropping non-hashed data), calculating KeyIDs wrong (for v4 RSA keys), rejecting keys with attribute UIDs (such as photo ids), or they don't sync with the rest of the network.

That said: There's nothing wrong with using a keyserver - however I don't think that the signatures will be useful for YaST (except for the build service root key). Especially, I don't want to have all signing keys imported to my rpm keyring (needed to verify the signatures) because this would also mean that packages signed with these keys will be accepted...

I think a two-way solution would be the best:
- YaST downloads the keys from download.opensuse.org (or packman or whatever repository you use)
- if someone wants to check a key in more detail, he can download it from a keyserver, including all signatures, and compare the fingerprint with the fingerprint displayed by YaST.

The only disadvantage is that this method causes some manual work (download the key from a keyserver and compare the fingerprint with the one YaST displays). But security always has a price ;-)

Regards,

Christian Boltz
--
[...] if the installation of a stupid package failed, [...] AFAIK there is no package named `stupid'. [> Raphael Schillings and Michael Gross in https://bugzilla.novell.com/show_bug.cgi?id=147588]
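The manual check Christian proposes (take the key the repository serves in repomd.xml.key, compute its fingerprint, and compare it with a fingerprint obtained out of band, e.g. from a keyserver copy or a project web page) as an added Python example; this is not code from the thread nor from YaST/zypper. It follows the OpenPGP armor and v4 fingerprint rules of RFC 4880 and reads only the first packet of the key file (the primary key); the sample key is a constructed toy with a 64-bit modulus, and `check_repo_key` is a hypothetical name.

```python
import base64
import hashlib
import struct

def crc24(data: bytes) -> int:
    """OpenPGP ASCII-armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored: str) -> bytes:
    """Decode an armored key block (as served in repomd.xml.key); reject a bad CRC."""
    lines = armored.strip().splitlines()[1:-1]  # drop the BEGIN/END lines
    b64 = "".join(l for l in lines if l and ":" not in l and not l.startswith("="))
    data = base64.b64decode(b64)
    crc_line = next(l for l in lines if l.startswith("=") and len(l) == 5)
    if base64.b64decode(crc_line[1:]) != crc24(data).to_bytes(3, "big"):
        raise ValueError("armor checksum mismatch: key block corrupt or tampered")
    return data

def v4_fingerprint(packets: bytes) -> str:
    """Fingerprint of the first packet, which must be an old-format (0x99) v4
    public-key packet: SHA-1 over 0x99 || 2-byte length || body (RFC 4880, 12.2)."""
    if packets[0] != 0x99:
        raise ValueError("first packet is not an old-format public-key packet")
    (length,) = struct.unpack(">H", packets[1:3])
    if packets[3] != 4:
        raise ValueError("only v4 keys are supported")
    return hashlib.sha1(packets[:3 + length]).hexdigest().upper()

def check_repo_key(armored: str, expected_fpr: str) -> bool:
    """True only if the key in the repo's key file has the out-of-band fingerprint."""
    return v4_fingerprint(dearmor(armored)) == expected_fpr.replace(" ", "").upper()

# --- constructed sample key (toy 64-bit RSA modulus, NOT a real signing key) ---
def build_key_packet(modulus: int, exponent: int, created: int) -> bytes:
    """Serialize a v4 RSA public-key packet with an old-format 2-byte length header."""
    def mpi(n: int) -> bytes:
        return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(modulus) + mpi(exponent)
    return b"\x99" + struct.pack(">H", len(body)) + body

def armor(data: bytes) -> str:
    """ASCII-armor a packet stream the way a repomd.xml.key file is laid out."""
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(data).decode() + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n"
SAMPLE_KEY = armor(build_key_packet(0xC0FFEE1234567891, 65537, 1216300000))
```

For a real repository, feed the downloaded repomd.xml.key text to `check_repo_key` together with the fingerprint shown by YaST or published out of band; a mismatch or a checksum error means the key must not be imported.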
The Saturday 2008-07-19 at 00:18 +0200, Christian Boltz wrote:
That said: There's nothing wrong with using a keyserver - however I don't think that the signatures will be useful for YaST (except for the build service root key). Especially, I don't want to have all signing keys imported to my rpm keyring (needed to verify the signatures) because this would also mean that packages signed with these keys will be accepted...
I think a two-way solution would be the best:
- YaST downloads the keys from download.opensuse.org (or packman or whatever repository you use)
- if someone wants to check a key in more detail, he can download it from a keyserver, including all signatures, and compare the fingerprint with the fingerprint displayed by YaST.
The only disadvantage is that this method causes some manual work (download the key from a keyserver and compare the fingerprint with the one YaST displays). But security always has a price ;-)
I think that, when yast or zypper adds a repo that has a signature that is not already imported, it should fire a new module that handles key importing and signing. It could be from the existing key servers, or from a specific key server at suse.

Or at least, an "add repo module", that could display more info, like a description of the repo, list of persons responsible for it, signature keys, software they maintain there, etc.

-- 
Cheers,
Carlos E. R.
On Sun, Jul 20, 2008 at 12:28:38PM +0200, Carlos E. R. wrote:
The Saturday 2008-07-19 at 00:18 +0200, Christian Boltz wrote:
That said: There's nothing wrong with using a keyserver - however I don't think that the signatures will be useful for YaST (except for the build service root key). Especially, I don't want to have all signing keys imported to my rpm keyring (needed to verify the signatures) because this would also mean that packages signed with these keys will be accepted...
I think a two-way solution would be the best:
- YaST downloads the keys from download.opensuse.org (or packman or whatever repository you use)
- if someone wants to check a key in more detail, he can download it from a keyserver, including all signatures, and compare the fingerprint with the fingerprint displayed by YaST.
The only disadvantage is that this method causes some manual work (download the key from a keyserver and compare the fingerprint with the one YaST displays). But security always has a price ;-)
I think that, when yast or zypper adds a repo that has a signature that is not already imported, it should fire a new module that handles key importing and signing. It could be from the existing key servers, or from a specific key server at suse.
Or at least, an "add repo module", that could display more info, like a description of the repo, list of persons responsible for it, signature keys, software they maintain there, etc.
We are trying to do such a module/dialog, but so far we have not had good ideas on how to do it.

Some kind of draft work would be welcome.

Ciao, Marcus
The Sunday 2008-07-20 at 12:33 +0200, Marcus Meissner wrote:
Or at least, an "add repo module", that could display more info, like a description of the repo, list of persons responsible for it, signature keys, software they maintain there, etc.
We are trying to do such a module/dialog, but so far we have not had good ideas on how to do it.
Some kind of draft work would be welcome.
Dunno... you know that there are some programs that do some key checking, like seahorse, kgpg, and a module in mozilla, if I remember correctly. Some of that functionality could be used, but that's an overkill; maybe calling one of them with appropriate options for some of the handling :-?

Dunno, that goes outside my knowledge, I can't think of details for that module; only that it would be nice to have it :-) perhaps:

- view/list keys
- sign keys
- edit trust level of a key
- check/update trust chain
- import keys [by id from keyserver / from repo]
- remove key
- edit comments on key
- add/remove/edit keyserver
- see repo description (into add repo module? when importing key from repo?)

But you already know this, I suppose.

-- 
Cheers,
Carlos E. R.