| 1 |
Hi, |
| 2 |
|
| 3 |
I am really unhappy with this addition. |
| 4 |
|
| 5 |
Another example for something that was not thought to the end and which |
| 6 |
was rushed and pushed to our users. Sorry for being late to this but any |
| 7 |
addition should really add a benefit. What is the benefit verify-sig is |
| 8 |
adding? |
| 9 |
|
| 10 |
When mgorny started to propose this in #-qa, he used the argument to |
| 11 |
improve security of Gentoo because we cannot know if every Gentoo |
| 12 |
developer is really verifying distfiles or just copying ebuild to new |
| 13 |
version and let `repoman commit` fetch the distfile and be done with the |
| 14 |
bump. While I agree with the idea in general, i.e. when you would be |
| 15 |
able to provide an automatism for that, that would be a great addition. |
| 16 |
|
| 17 |
But there is a problem. |
| 18 |
|
| 19 |
You cannot automate trust. |
| 20 |
|
| 21 |
And anyone who is trying to do that shows that he/she does not |
| 22 |
understand how signing works and because of the fact he/she will claim |
| 23 |
security was improved, security was actually lowered due to that. |
| 24 |
|
| 25 |
How is that? |
| 26 |
|
| 27 |
Because the statement you can get from a signature depends on the trust |
| 28 |
in the used key. I.e. you assume that the key used to create that |
| 29 |
signature is only accessible by the designated owner and that nobody |
| 30 |
else have access to it. In the moment you learn that somebody else |
| 31 |
gained access to that key, i.e. can create signatures using the same |
| 32 |
key, you can no longer trust that key. More important, you should start |
| 33 |
questioning previously seen signatures (if you take it serious you will |
| 34 |
distrust any files signed by that key and demand on a new signature with |
| 35 |
a new key where you managed to establish a new trust). |
| 36 |
|
| 37 |
Short excerpt: |
| 38 |
Code signing is nothing new. It is an important layer in Microsoft’s |
| 39 |
security defense. Even Apple is relying on signatures for their sandbox |
| 40 |
they introduced some years ago. But does a signature prevent anything? |
| 41 |
Of course not. StuxNet was signed with a valid signature from Realtek |
| 42 |
Semiconductor Corp. and switched later to a signature which belongs to |
| 43 |
JMicron Technology Corp when Realtek’s signature got revoked. A |
| 44 |
post-mortem analysis suggested that cybercriminals compromised both |
| 45 |
organizations and have stolen their development certificates, including |
| 46 |
the private keys used to sign the executables. In 2014, when Sony |
| 47 |
Pictures got hacked, attackers had signed the malware with valid |
| 48 |
certificates from *Sony*. But that is only the tip of the iceberg, see |
| 49 |
https://attack.mitre.org/techniques/T1553/002/ for more examples. My |
| 50 |
point here is, and I believe we all agree on this, that signatures alone |
| 51 |
are meaningless. |
| 52 |
|
| 53 |
To add a meaning to signatures you must trust the signer that he/she |
| 54 |
will immediately revoke the certificate once he/she gets aware that an |
| 55 |
unauthorized third party gained access to the certificate. If we, for an |
| 56 |
unknown reason, assume that this will happen, we will face another |
| 57 |
problem: We must receive this information. If we do not know that |
| 58 |
something has happened to the key, we will not take any actions. |
| 59 |
I guess you all still remember how you created your GPG key for Gentoo, |
| 60 |
don’t you? Do you still have access to the revocation certificate you |
| 61 |
created during that process? I am sure you do. But do you know how this |
| 62 |
process works? Right, you need to upload that certificate to a key |
| 63 |
server. But then 2019 happened. Key servers are dead now. You can no |
| 64 |
longer rely on key servers, especially not that once you have uploaded |
| 65 |
your revocation certificate that it will spread and reach users. Just do |
| 66 |
an easy exercise: Check who committed to Gentoo repository in past 6 |
| 67 |
months. Now try to fetch the GPG key of all committers without using |
| 68 |
*.gentoo.org. Good luck! And no, WKD cannot help you with that (revocation). |
| 69 |
|
| 70 |
Coming back to my initial statement that it is all about automatization. |
| 71 |
|
| 72 |
The whole idea started with assumption that not every developer will |
| 73 |
verify the distfile (an assumption I share). But why should we trust |
| 74 |
these developers that they will keep an eye on upstream’s used |
| 75 |
certificate instead? That does not make any sense for me. |
| 76 |
|
| 77 |
Another point I just want to mention was patch 5 of 6 for |
| 78 |
net-libs/miniupnpc. Did you notice that the ebuild will fetch public key |
| 79 |
via HTTP instead of HTTPS? This will create a chicken-egg problem here: |
| 80 |
We will record key information metadata the same way we store |
| 81 |
information about distfiles which is temper proofed. But because this is |
| 82 |
happening in an automatic way there is not just a theoretical chance |
| 83 |
that we will store an attacker’s key in our metadata because who is |
| 84 |
going to verify they key? The same developer we distrust (or where we |
| 85 |
just want to avoid to trust) that he/she verified the distfile? |
| 86 |
|
| 87 |
Do you see the contradiction? |
| 88 |
|
| 89 |
Please do not get me wrong. I like the idea. But I also understand that |
| 90 |
you cannot implement it in a secure and really working way -- you will |
| 91 |
always require a human paying attention. But now that we pretend, we |
| 92 |
managed to implement that and even show a fancy green message that we |
| 93 |
verified (any) signature, we actually lowered security because more |
| 94 |
people will now stop paying attention: |
| 95 |
|
| 96 |
- Previous developers who carefully checked distfiles will stop |
| 97 |
doing that. |
| 98 |
|
| 99 |
- Nobody will question anything because there is a new passed |
| 100 |
check. |
| 101 |
|
| 102 |
In worst case scenario, we are now emerging a signed malicious package |
| 103 |
we could be aware of if some human would have checked upstream and |
| 104 |
noticed that release key was revoked. But this will not happen anymore |
| 105 |
because we rely that once we have recorded a key in the metadata that |
| 106 |
some system will tell us in case there is a problem. And what do you |
| 107 |
expect what will happen when after the download something will tell us |
| 108 |
“Oh, this file is not signed with currently known key”? Right, that |
| 109 |
developer who we do not want to trust that he/she verified the distfile |
| 110 |
will just add a reference to the new matching key which will silence any |
| 111 |
warning. |
| 112 |
|
| 113 |
No, sorry. Security required education. You need to understand where |
| 114 |
security is depending on so that you know when you need to take action. |
| 115 |
Every attempt to move this away from the user will actually add needless |
| 116 |
complexity, allow for new attack vectors and will not improve security. |
| 117 |
|
| 118 |
The purpose of this email is to get this addition removed ASAP. |
| 119 |
|
| 120 |
|
| 121 |
PS: I assume that the "Arch Linux is using something similar" argument |
| 122 |
will appear. I am not going to make an in depth statement about what |
| 123 |
Arch Linux is doing here. But they have a total different security model |
| 124 |
which you have to take into account. And please don't forget that we |
| 125 |
already have that working Manifest mechanism which isn't promising |
| 126 |
anything it cannot do. |
| 127 |
|
| 128 |
|
| 129 |
-- |
| 130 |
Regards, |
| 131 |
Thomas Deutschmann / Gentoo Security Team |
| 132 |
fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |
Archives