Hi,

Why do you extract all files in the tar archive? It doesn't make sense at all;
you can sign and hash the tar as it is. No security will be gained by
extracting the whole archive; that's crap, like your script.
Only performance will be worse.

How about:

SIGNKEYID="blablubb"
MASTER="xxx/xxxxxxxor/rsync" #where the master repository lives
TEMP="/tmp/xxxxxxx/" #working directory
PORTARCHIVE="portage.tar.bz2"
MD5SUM="/usr/bin/md5sum"
GPG="/usr/bin/gpg"

${MD5SUM} "${PORTARCHIVE}" > "${PORTARCHIVE}.md5"
${GPG} --batch -u "${SIGNKEYID}" --armor --detach-sign --output \
"${PORTARCHIVE}.sig" "${PORTARCHIVE}"

Now only some parts in emerge-webrsync have to be modified to prove the
signature and hash correct before extracting the portage package, or you
can do it by hand.

And please stop your sarcastic expressions.

cu

> -/bin/mv ${FILENAME} ${FILENAME}.md5sum ${UPLOAD}
> +/usr/bin/gpg --batch -u "${SIGNKEYID}" --armor --detach-sign --output
> ${FILENAME}.gpgsig ${FILENAME} +/bin/mv ${FILENAME} ${FILENAME}.md5sum
> ${FILENAME}.gpgsig ${UPLOAD}

On Thursday, 11 November 2004 03:04, Peter Simons wrote:
> Dear Gentoo Security Experts,
>
> I am very proud to announce that I have managed to perform
> the crucial security fix assignment I have been given by
> Kurt Lieber and Dan Margolis. After I had kissed some ass,
> publicly humiliated myself, and swallowed a couple of dozen
> insults, I was deemed worthy enough to do what Kurt referred
> to as "to work with [him] to help [finding] ways to fix it".
>
> For various reasons which he didn't bother to elaborate on
> the public mailing list -- probably for good reason --, it
> turned out that my suggested solution to the fact that
> Gentoo users all over the Internet are completely
> defenseless against man-in-the-middle attacks was considered
> absolutely unfeasible.
>
> So he informed me that the ONLY WAY to do anything against
> that little glitch is to sign the daily Portage snapshot
> that's available for download with "emerge-webrsync". This
> does protect a flabbergasting total of ... I dunno ... maybe
> .1 percent of the user base, so it is better than nothing.
>
> Since all the Gentoo developers were unavailable to perform
> the necessary modifications to the snapshot creation script
> -- for the last 1.5 years -- he kindly sent it to me as a
> MIME attachment so that I could "write the code".
>
> Needless to say I was thrilled.
>
> Finally my chance to prove that I am not an idiot, but an
> idiot who also contributes to Gentoo!
>
> I managed to software-engineer the necessary "patch" to make
> the script generate a full-blown GPG signature for the
> snapshot archive, and I would like to post the diffs here so
> that the procedure can be peer-reviewed.
>
> So without further ado, here is my contribution:
>
> --- snapshots-create.sh
> +++ snapshots-create.sh
> @@ -12,7 +12,7 @@
> #
> # Define locations for stuff
> #
> -
> +SIGNKEYID="41BC28FE99089D72"
> MASTER="xxx/xxxxxxxor/rsync" #where the master repository lives
> TEMP="/tmp/xxxxxxx/" #working directory
> #UPLOAD="/xx/xx/xx/xxx/upload/" #temp location for testing
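Review bot: the added SIGNKEYID line is the one setting that has to differ between the author's machine and the build host, as the explanation further down says, so reading it from the environment with this value as the fallback (`SIGNKEYID="${SIGNKEYID:-41BC28FE99089D72}"`) would let the host override it without editing the script; and since `-u` also accepts a fingerprint, storing the full fingerprint instead of the 64-bit key ID is the unambiguous choice if the signing account's keyring ever holds more than one key. Minor: the hunk replaces the blank line after the comment block instead of inserting below it, so the config block loses its separator.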
> @@ -42,7 +42,8 @@
>
> /bin/tar --exclude=CVS -cjf ${FILENAME} portage
> /usr/bin/md5sum ${FILENAME} > ${FILENAME}.md5sum
> -/bin/mv ${FILENAME} ${FILENAME}.md5sum ${UPLOAD}
> +/usr/bin/gpg --batch -u "${SIGNKEYID}" --armor --detach-sign --output
> ${FILENAME}.gpgsig ${FILENAME} +/bin/mv ${FILENAME} ${FILENAME}.md5sum
> ${FILENAME}.gpgsig ${UPLOAD}
>
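Review bot: the gpg invocation has no error check and the `/bin/mv` after it runs regardless, so if signing fails (for example because `--batch` cannot prompt for the passphrase of a protected secret key and no agent or `--passphrase-fd` is configured, or the SIGNKEYID key is not in the keyring of the account running the script) the tarball and its .md5sum are still moved to ${UPLOAD} and published without a .gpgsig; append `|| exit 1` to the gpg line or put `set -e` at the top of the script so a failed signature aborts the run. As quoted, the gpg command's continuation and `+/bin/mv` are run together on one line; in the actual patch file the gpg call has to be a single line (or end in a backslash) and `+/bin/mv` must start its own line, or patch(1) will reject the hunk. Note also that the signature covers only the tarball, so the .md5sum adds nothing the signature does not already give; the client-side check, which the message itself says is still missing, has to verify the .gpgsig rather than only the md5sum.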
> Now, this is mission-critical software and you really need
> to be a top-notch security specialist to do this. So to make
> sure there are no problems integrating the script into the
> mind-blowingly fragile Gentoo main server setup, I have to
> make a few comments to make sure nothing gets messed up
> here.
>
> Kurt, I realize that submitting my homework as a diff makes
> matters more complicated for you. You have to save that
> snippet above to a file and then use the utility patch(1).
> If you have _any_ problems with this, please don't hesitate
> to let me know, and I'll send you the complete script in
> private e-mail.
>
> Before you can use the hardened version of this software,
> you have to customize it. Since I have NO ACCESS TO THE
> GENTOO SERVERS, the script is tailored for my own system.
> The casual readers of this list might want to skip the
> following paragraphs, because it's getting really technical
> now for a moment.
>
> Everybody else please look closely at the first chunk.
> You'll find a line like this:
>
> SIGNKEYID="41BC28FE99089D72"
>
> This statement assigns a variable with the ID of the key
> that is going to be used later in the script to generate the
> cryptographic signature. I chose to use a variable here so
> that the key ID can be configured at the top of the script,
> instead of burying that parameter amidst 78 lines of
> comments, whitespace, and several complex calls to tar(1)
> and other Unix magic. I realize that using a variable adds a
> level of indirection which might have performance
> implications that are difficult to predict. Kurt, should
> this version be too slow to manage the job in time on the
> machines, I'll remove that again, okay?
>
> My point about that line is, though: This key ID will NOT
> WORK on your machine! The reason is that to issue a
> signature, you have to use the secret key of the GPG
> key-pair. So although you can download a key with that ID
> from every public key server, this will not work! You really
> need the secret key.
>
> To make the script work nonetheless you have to:
>
> (1) Start appropriate text editing software. On most Gentoo
> machines, the tool nano(1) can be used for this.
>
> (2) Repeatedly hit the cursor-down button on your keyboard
> until that white rectangle you're seeing is right over
> that SIGNKEYID line from above.
>
> (3) Stop hitting cursor-down now!
>
> (4) If the white rectangle has moved past that line
> already, then you have to hit CTRL-Z, then enter
>
> kill -9 %1
>
> and go back to step (1) and try again.
>
> (5) Don't give up.
>
> (6) If you have successfully navigated the white rectangle
> to the line, hit cursor-right repeatedly until it has
> reached the point right after the first double quote.
>
> (7) Don't give up.
>
> (8) Switch into overwrite mode and enter the ID of your
> secret key.
>
> (9) Save the modified script and exit the text editing
> software. I'd love to give more details on this step,
> but unfortunately the exact procedure is implementation
> defined.
>
> After you have successfully edited the key ID to match the
> one your secret key has, you should be ready to try it out.
> Just enter "snapshots-create.sh" and see what happens.
>
> What do you mean it doesn't work?
>
> Hmmm. Does "./snapshots-create.sh" work?
>
> Doesn't either?
>
> Hmmm. Ah, wait. Enter "chmod +x snapshots-create.sh".
>
> Good, now run the "./snapshots-create.sh" command again.
>
> STILL doesn't work?
>
> What does it say on the screen?
>
> Nothing?
>
> Hahaha, now I got it. No, no, that's perfectly alright. It
> will take a while for the script to return; that thing runs
> a while. Yes, security-related software does require lots
> and lots of CPU time; that really can't be helped in any
> way, so please be patient.
>
> Now, if the script has returned at last you will find the
> following files in the Gentoo download area:
>
> portage-20041109.tar.bz2
> portage-20041109.tar.bz2.gpgsig
> portage-20041109.tar.bz2.md5sum
>
> Don't be concerned if the filenames don't match exactly.
> These numbers depend on the t-coordinate of the system the
> script is run on; that is a kind of unique hash to guarantee
> that no filename collisions occur.
>
> If this has succeeded, then you have a TOTALLY secure Gentoo
> distribution now; there really is nothing left to worry
> about.
>
> Just execute "emerge sync", wait until it comes back and ...
> everything still works, no hacker has injected any modified
> /usr/portage/eclass/eutils.eclass file into your machine,
> you are totally SAFE!
>
> Of course, I wouldn't install any new software for the next
> 1.5 years because there remains a small, insignificant
> chance that doing this will erase your hard disk, install
> Red Hat Linux, or do other horrible things.
>
> But you know how the old saying goes: Never change a running
> system!
>
> Exactly.
>
> WARNING *** WARNING *** WARNING *** WARNING
>
> My instructions have been written for the final version of
> this hardening mechanism. Right now, the "totally secure"
> bit is not quite accurate because I still haven't gotten to
> "patch" any of the Gentoo tools to verify that signature.
>
> Or, to be perfectly honest, I have gotten to but didn't
> manage.
>
> There is some complexity to the task that wasn't quite
> understood when I agreed to do all this for Gentoo, because
> before I can call GPG to verify the signature, I have to
> execute
>
> source /etc/make.conf
>
> to import some more variables, so that the user can
> switch authentication on/off, set the path to the official
> Gentoo key and all that. And frankly, it is just too damn
> difficult.
>
> Anyway, I promise I will do that ASAP. Let's see ... we have
> 2004 now ... Man, that is gonna take a while. Because, as it
> happens, I have other stuff to do, too, you know? It's not
> like I am getting paid for all this!
>
> And besides: I simply don't give a shit.
>
> Cheers,
>
> Peter
>
> --
> gentoo-security@g.o mailing list

--
gentoo-security@g.o mailing list