
Bug#724744: 'apt-get source' does not stop if signatures can't be checked



Control: severity -1 wishlist

On Fri, Sep 27, 2013 at 2:05 PM, Eduard - Gabriel Munteanu
<edgmnt@gmail.com> wrote:
> Source packages are signed, therefore it's fair to expect 'apt-get
> source' to enforce signature verification. But it merely prints a
> warning and continues if it can't check a signature because of a missing
> key (e.g. when you forgot to install the developer keyring). This seems
> to be caused by dpkg-source needing the --require-valid-signature option
> to enable strict checking (*).

APT doesn't need to validate the signature of the source package to ensure
it is indeed the source package the maintainer uploaded.

The signature is used by dak (and other repository creators) to ensure that what
they get is indeed coming from someone they trust. Only if that is the case is it
integrated into the archive.

In the archive the files are indexed with their checksums in the Sources
file, which is itself indexed in the (In)Release file, which is (clear)signed
by the maintainers of the repository: a key APT has available (which changes
a lot less than the keys of the people allowed to upload source packages, as
DDs get accepted and retire all the time, not to forget DMs … – also,
those people can retire and therefore be removed from the keyrings, but
their uploaded packages aren't magically invalid now).

So given that we know the signature of the Release file is correct, we know
that the checksums for Sources are correct and hence we can use the checksums
included in that file to verify the integrity of the files we download.

No need to require all users to download multiple multi-MB keyrings they
have to constantly keep up to date just for such a basic operation.


(I have the strong feeling that this is a duplicate, but I have no time now
 to check, just wanted to remove the RC-bug indicator so nobody is scared.)


Best regards

David Kalnischkies

On Fri, Sep 27, 2013 at 2:05 PM, Eduard - Gabriel Munteanu
<edgmnt@gmail.com> wrote:
> Package: apt
> Version: 0.9.7.9
> Severity: grave
> Tags: security
>
> Source packages are signed, therefore it's fair to expect 'apt-get
> source' to enforce signature verification. But it merely prints a
> warning and continues if it can't check a signature because of a missing
> key (e.g. when you forgot to install the developer keyring). This seems
> to be caused by dpkg-source needing the --require-valid-signature option
> to enable strict checking (*).
>
> Freenode's #debian suggested I should file a bug on 'apt' since it's the
> frontend, and set a 'wishlist' severity. However I decided to give it a
> 'grave' severity because Debian policy says that's appropriate when a
> package introduces a command that exposes the user accounts to attacks
> when run (http://release.debian.org/stable/rc_policy.txt). I'm hoping
> this gets treated more seriously than 'wishlist' (**).
>
> The security hole in this case involves introducing a compromised source
> package on a Debian mirror. Then apt will happily take it, unpack it,
> patch stuff and possibly execute arbitrary code from it, without
> quitting if it can't check signatures. It breaks the reasonable
> assumption that the package manager will check source package signatures
> for official packages just as it checks binary packages.
>
> (*) I'd also argue --require-valid-signature is an incredibly poor
> default in itself, and that's what should be fixed. It essentially makes
> security a long option to a core Debian command and it's off by default.
>
> (**) I should remind you my somewhat related #722906 issue on downloads
> being exceedingly difficult to check correctly from non-Debian machines
> also got a 'wishlist' status (initially 'important' and not tagged as a
> security issue) and had its subject change to something more benign.
> I'm hoping my report was misunderstood.


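The trust chain described in the reply above (archive-signed Release -> Sources checksums -> source file checksums), as an added example that is not part of this thread and is not APT's or dpkg's code. It assumes the InRelease signature has already been verified against the archive keyring (the step gpgv performs for APT) and only covers the checksum walk that follows; the Release body, Sources index, .dsc and tarball contents are constructed sample data, and the package name and paths are made up. The last function plays out the scenario from the original report: a .dsc swapped on a mirror fails the Sources checksum before any developer keyring would come into play.

```python
"""Checksum chain from a verified (In)Release body down to a .dsc.

Added example for the trust chain described in the reply above; this is
not APT's or dpkg's code.  It assumes the InRelease signature has already
been verified against the archive keyring, so only the cleartext body is
handled.  All index and package contents are constructed sample data.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

Entries = Dict[str, Tuple[str, int]]  # filename -> (sha256 hex, size)


class VerificationError(Exception):
    pass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sha256_field(stanza: str) -> Entries:
    """Parse the multi-line 'SHA256:' (Release) or 'Checksums-Sha256:'
    (Sources/.dsc) field; continuation lines read ' <digest> <size> <name>'."""
    entries: Entries = {}
    in_field = False
    for line in stanza.splitlines():
        if re.match(r"^(SHA256|Checksums-Sha256):\s*$", line):
            in_field = True
        elif in_field and line.startswith(" "):
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
        else:
            in_field = False
    return entries


def verify_file(name: str, data: bytes, expected: Entries) -> None:
    """Reject `data` unless it is listed and both size and SHA-256 match."""
    if name not in expected:
        raise VerificationError(f"{name}: not listed in the index")
    digest, size = expected[name]
    if len(data) != size:
        raise VerificationError(f"{name}: size mismatch")
    if not hmac.compare_digest(sha256_hex(data), digest):
        raise VerificationError(f"{name}: SHA256 mismatch")


def find_stanza(sources: str, package: str) -> str:
    # Sources stanzas are separated by blank lines.
    for stanza in re.split(r"\n\s*\n", sources.strip()):
        if re.search(rf"^Package: {re.escape(package)}$", stanza, re.M):
            return stanza
    raise VerificationError(f"{package}: no stanza in Sources")


def verify_source_package(release_body: str, sources_path: str, sources: bytes,
                          package: str, files: Dict[str, bytes]) -> List[str]:
    """Walk verified Release -> Sources -> each source file.  Returns the
    names that passed, raises on the first mismatch.  No uploader key is
    consulted: the archive key behind the Release is the only trust root."""
    verify_file(sources_path, sources, parse_sha256_field(release_body))
    expected = parse_sha256_field(find_stanza(sources.decode(), package))
    for name, data in files.items():
        verify_file(name, data, expected)
    return sorted(files)


def build_fixture() -> dict:
    """Constructed mini-archive: .dsc + orig tarball, the Sources stanza
    indexing them, and the Release body indexing Sources (made-up names)."""
    tarball = b"\x1f\x8b constructed orig tarball bytes"
    dsc = ("Format: 3.0 (quilt)\nSource: hello\nVersion: 1.0-1\n"
           "Checksums-Sha256:\n"
           f" {sha256_hex(tarball)} {len(tarball)} hello_1.0.orig.tar.gz\n").encode()
    files = {"hello_1.0-1.dsc": dsc, "hello_1.0.orig.tar.gz": tarball}
    sources = ("Package: hello\nVersion: 1.0-1\nDirectory: pool/main/h/hello\n"
               "Checksums-Sha256:\n"
               + "".join(f" {sha256_hex(d)} {len(d)} {n}\n" for n, d in files.items())
               + "\nPackage: other\nVersion: 2.0\n").encode()
    release = ("Origin: Example\nSuite: stable\nSHA256:\n"
               f" {sha256_hex(sources)} {len(sources)} main/source/Sources\n")
    return {"release": release, "sources": sources, "files": files}


def tampered_dsc_result(fx: dict) -> str:
    """The attack from the report: a mirror swaps in a modified .dsc of the
    same length.  Whatever signature it carries is never looked at; the
    checksum listed in the signed-off Sources rejects it."""
    files = dict(fx["files"])
    files["hello_1.0-1.dsc"] = files["hello_1.0-1.dsc"].replace(
        b"Version: 1.0-1", b"Version: 1.0-2")
    try:
        verify_source_package(fx["release"], "main/source/Sources",
                              fx["sources"], "hello", files)
    except VerificationError as err:
        return str(err)
    return "accepted"


if __name__ == "__main__":
    fx = build_fixture()
    print(verify_source_package(fx["release"], "main/source/Sources",
                                fx["sources"], "hello", fx["files"]))
    print(tampered_dsc_result(fx))
```

The only key material involved is whatever verified the Release body before this code runs; the uploader's signature inside the .dsc is not parsed at all, which is exactly why a missing developer keyring does not weaken the check.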