1 |
OK, after reading this entire thread, I've been thinking about a usable |
2 |
implementation from both the administrative and developer perspective. |
3 |
One of the most important things to remember in designing this, is that while |
4 |
you can prevent damage from most individual attacks, no system in existence can |
5 |
withstand a multi-faceted all-out assault. |
6 |
|
7 |
Goals: |
8 |
------ |
9 |
- protect against compromised developer box / rogue developer |
10 |
- protect against compromised rsync server |
11 |
|
12 |
Required operations: |
13 |
-------------------- |
14 |
1. add a key to trusted list |
15 |
2. remove a key from trusted list |
16 |
3. verify that a package has not been tampered with |
17 |
4. sign a package |
18 |
|
19 |
General idea: |
20 |
------------- |
21 |
we have a list (single file) distributed via rsync with all of keyids known |
22 |
good for signing manifests. this file is must also signed, with at least one |
23 |
(two or three required for more security) master key that has it's public part |
24 |
widely published and it's private part kept secure. the verifiable signatures |
25 |
on the trust list make it trusted. The signature for the list should be |
26 |
available individually so that it can be checked frequently by portage for |
27 |
changes (and if it has changed, download the list again). Some other users have |
28 |
suggested using expiry times in various ways but that ignores the fact that a |
29 |
portage tree snapshot taken in a known good state remains in that known good |
30 |
state until altered. |
31 |
|
32 |
Signing a package: |
33 |
------------------ |
34 |
manifests are signed as clear-text INSIDE the Manifest file (my prototype |
35 |
already did this). this is important not to bloat the tree with more files. |
36 |
This also allows multiple signatures on a Manifest (basically it just nests). |
37 |
add a command to repoman, 'repoman sign' that signs a manifest and have repoman |
38 |
commit check that a valid signature is present before committing (and |
39 |
automatically does the sign stage on commit if required). |
40 |
|
41 |
to add a key to the trusted list: |
42 |
--------------------------------- |
43 |
1. add keyid into list |
44 |
2. resign modified list with all required master keys |
45 |
|
46 |
to remove a key from the trusted list: |
47 |
-------------------------------------- |
48 |
1. remove keyid from list |
49 |
2. resign modified list with all required master keys |
50 |
|
51 |
to verified that a package has not been tampered with: |
52 |
------------------------------------------------------ |
53 |
1. read in manifest file, check that the signature(s) are valid. |
54 |
2. grab the keyid(s) that it was signed with, and compare them against the |
55 |
trusted list (and optionally a LOCAL list for users to have their own trusted |
56 |
key structure) |
57 |
|
58 |
users can specify how many signatures a package needs to have for them to trust |
59 |
it, eg a really paranoid user may require each manifest has at least 3 |
60 |
signatures. |
61 |
|
62 |
problem case examples: |
63 |
---------------------- |
64 |
case 1: an rsync server is compromised |
65 |
====================================== |
66 |
if intruder modifies an ebuild/patch it doesn't pass the manifest check |
67 |
anymore, and if they modify the manifest, they need a key to sign it which |
68 |
won't be in the trusted list. if they modify the list it won't pass the |
69 |
external signature checks anymore. this case is made mostly airtight for the |
70 |
users that enable security checks. |
71 |
|
72 |
case 2: a developers box is compromised |
73 |
========================================================= |
74 |
this is a weakness in all of schemes floating around already. on discovery, the |
75 |
keyid is removed from the trust list and an advisory issued. users requiring at |
76 |
least N signatures on a package are protected unless the intruder hacks N |
77 |
developer boxes. Assuming that developers keep their gpg keys with a pass-phrase |
78 |
as they should (just like their ssh keys), there is minimal danger until |
79 |
ssh/gpg are trojaned to capture the unencrypted key/pass-phrase. |
80 |
|
81 |
case 3: rogue developer |
82 |
======================= |
83 |
this is one of the hardest things to catch in any system. just like in case 2, |
84 |
users requiring at least N signatures are safe until N developers are |
85 |
rogue/compromised. |
86 |
|
87 |
possible problems with this approach: |
88 |
------------------------------------- |
89 |
for users that specify more than 1 signature must be on a manifest, it's very |
90 |
hard to keep manifests in this state if the package changes often, since any |
91 |
package change requires redoing the manifest which removes the old signatures. |
92 |
this could be fixed by making manifest building incremental (eg it is NOT |
93 |
regenerated from scratch but instead appended until an old set of signed data |
94 |
no longer applies to any files [as they have all been changed]), but that would |
95 |
require a re-write of the manifest generation code. |
96 |
|
97 |
Plan for incremental implementation: |
98 |
------------------------------------ |
99 |
1. roll out portage with a cleaned up version of my prototype for repoman and |
100 |
simple verification code for manifests ONLY. |
101 |
2. create the trusted list and roll out a portage with support for it. |
102 |
|
103 |
-- |
104 |
Robin Hugh Johnson |
105 |
E-Mail : robbat2@××××××××××××××.net |
106 |
Home Page : http://www.orbis-terrarum.net/?l=people.robbat2 |
107 |
ICQ# : 30269588 or 41961639 |
108 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |