1 |
Hi, |
2 |
|
3 |
I am really unhappy with this addition. |
4 |
|
5 |
Another example for something that was not thought to the end and which |
6 |
was rushed and pushed to our users. Sorry for being late to this but any |
7 |
addition should really add a benefit. What is the benefit verify-sig is |
8 |
adding? |
9 |
|
10 |
When mgorny started to propose this in #-qa, he used the argument to |
11 |
improve security of Gentoo because we cannot know if every Gentoo |
12 |
developer is really verifying distfiles or just copying ebuild to new |
13 |
version and let `repoman commit` fetch the distfile and be done with the |
14 |
bump. While I agree with the idea in general, i.e. when you would be |
15 |
able to provide an automatism for that, that would be a great addition. |
16 |
|
17 |
But there is a problem. |
18 |
|
19 |
You cannot automate trust. |
20 |
|
21 |
And anyone who is trying to do that shows that he/she does not |
22 |
understand how signing works and because of the fact he/she will claim |
23 |
security was improved, security was actually lowered due to that. |
24 |
|
25 |
How is that? |
26 |
|
27 |
Because the statement you can get from a signature depends on the trust |
28 |
in the used key. I.e. you assume that the key used to create that |
29 |
signature is only accessible by the designated owner and that nobody |
30 |
else have access to it. In the moment you learn that somebody else |
31 |
gained access to that key, i.e. can create signatures using the same |
32 |
key, you can no longer trust that key. More important, you should start |
33 |
questioning previously seen signatures (if you take it serious you will |
34 |
distrust any files signed by that key and demand on a new signature with |
35 |
a new key where you managed to establish a new trust). |
36 |
|
37 |
Short excerpt: |
38 |
Code signing is nothing new. It is an important layer in Microsoft’s |
39 |
security defense. Even Apple is relying on signatures for their sandbox |
40 |
they introduced some years ago. But does a signature prevent anything? |
41 |
Of course not. StuxNet was signed with a valid signature from Realtek |
42 |
Semiconductor Corp. and switched later to a signature which belongs to |
43 |
JMicron Technology Corp when Realtek’s signature got revoked. A |
44 |
post-mortem analysis suggested that cybercriminals compromised both |
45 |
organizations and have stolen their development certificates, including |
46 |
the private keys used to sign the executables. In 2014, when Sony |
47 |
Pictures got hacked, attackers had signed the malware with valid |
48 |
certificates from *Sony*. But that is only the tip of the iceberg, see |
49 |
https://attack.mitre.org/techniques/T1553/002/ for more examples. My |
50 |
point here is, and I believe we all agree on this, that signatures alone |
51 |
are meaningless. |
52 |
|
53 |
To add a meaning to signatures you must trust the signer that he/she |
54 |
will immediately revoke the certificate once he/she gets aware that an |
55 |
unauthorized third party gained access to the certificate. If we, for an |
56 |
unknown reason, assume that this will happen, we will face another |
57 |
problem: We must receive this information. If we do not know that |
58 |
something has happened to the key, we will not take any actions. |
59 |
I guess you all still remember how you created your GPG key for Gentoo, |
60 |
don’t you? Do you still have access to the revocation certificate you |
61 |
created during that process? I am sure you do. But do you know how this |
62 |
process works? Right, you need to upload that certificate to a key |
63 |
server. But then 2019 happened. Key servers are dead now. You can no |
64 |
longer rely on key servers, especially not that once you have uploaded |
65 |
your revocation certificate that it will spread and reach users. Just do |
66 |
an easy exercise: Check who committed to Gentoo repository in past 6 |
67 |
months. Now try to fetch the GPG key of all committers without using |
68 |
*.gentoo.org. Good luck! And no, WKD cannot help you with that (revocation). |
69 |
|
70 |
Coming back to my initial statement that it is all about automatization. |
71 |
|
72 |
The whole idea started with assumption that not every developer will |
73 |
verify the distfile (an assumption I share). But why should we trust |
74 |
these developers that they will keep an eye on upstream’s used |
75 |
certificate instead? That does not make any sense for me. |
76 |
|
77 |
Another point I just want to mention was patch 5 of 6 for |
78 |
net-libs/miniupnpc. Did you notice that the ebuild will fetch public key |
79 |
via HTTP instead of HTTPS? This will create a chicken-egg problem here: |
80 |
We will record key information metadata the same way we store |
81 |
information about distfiles which is temper proofed. But because this is |
82 |
happening in an automatic way there is not just a theoretical chance |
83 |
that we will store an attacker’s key in our metadata because who is |
84 |
going to verify they key? The same developer we distrust (or where we |
85 |
just want to avoid to trust) that he/she verified the distfile? |
86 |
|
87 |
Do you see the contradiction? |
88 |
|
89 |
Please do not get me wrong. I like the idea. But I also understand that |
90 |
you cannot implement it in a secure and really working way -- you will |
91 |
always require a human paying attention. But now that we pretend, we |
92 |
managed to implement that and even show a fancy green message that we |
93 |
verified (any) signature, we actually lowered security because more |
94 |
people will now stop paying attention: |
95 |
|
96 |
- Previous developers who carefully checked distfiles will stop |
97 |
doing that. |
98 |
|
99 |
- Nobody will question anything because there is a new passed |
100 |
check. |
101 |
|
102 |
In worst case scenario, we are now emerging a signed malicious package |
103 |
we could be aware of if some human would have checked upstream and |
104 |
noticed that release key was revoked. But this will not happen anymore |
105 |
because we rely that once we have recorded a key in the metadata that |
106 |
some system will tell us in case there is a problem. And what do you |
107 |
expect what will happen when after the download something will tell us |
108 |
“Oh, this file is not signed with currently known key”? Right, that |
109 |
developer who we do not want to trust that he/she verified the distfile |
110 |
will just add a reference to the new matching key which will silence any |
111 |
warning. |
112 |
|
113 |
No, sorry. Security required education. You need to understand where |
114 |
security is depending on so that you know when you need to take action. |
115 |
Every attempt to move this away from the user will actually add needless |
116 |
complexity, allow for new attack vectors and will not improve security. |
117 |
|
118 |
The purpose of this email is to get this addition removed ASAP. |
119 |
|
120 |
|
121 |
PS: I assume that the "Arch Linux is using something similar" argument |
122 |
will appear. I am not going to make an in depth statement about what |
123 |
Arch Linux is doing here. But they have a total different security model |
124 |
which you have to take into account. And please don't forget that we |
125 |
already have that working Manifest mechanism which isn't promising |
126 |
anything it cannot do. |
127 |
|
128 |
|
129 |
-- |
130 |
Regards, |
131 |
Thomas Deutschmann / Gentoo Security Team |
132 |
fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |