| 1 |
On Thu, 18 May 2006 23:45:17 +0200, Patrick Lauer wrote: |
| 2 |
|
| 3 |
>The problem, in short, is how to handle the checksumming and signing of |
| 4 |
>gentoo-provided files so that manipulation by external entities becomes |
| 5 |
>difficult. |
| 6 |
|
| 7 |
all snip... |
| 8 |
|
| 9 |
PMFJI, but as a user, not a security expert, I had a few thoughts that I'd |
| 10 |
like to throw in. Thanks to Patrick, he helped me to drill down some of |
| 11 |
the ideas and I present them for consideration. It's just a framework, so |
| 12 |
I will be brief. |
| 13 |
|
| 14 |
Here are the main requirements of this scheme: |
| 15 |
|
| 16 |
1) I believe there should be a gentoo uber-key. One, similar to Slackware |
| 17 |
Security, which is used to authenticate everything coming from Gentoo. |
| 18 |
|
| 19 |
2) Every first or second level directory in portage should have a Manifest |
| 20 |
of all files in it and below, not just ebuilds. All ebuilds have Manifest |
| 21 |
files, but eclass does not, and profiles does not AFAIK. These Manifest |
| 22 |
files, like now, will contain checksums of all files in and below its |
| 23 |
directory. |
| 24 |
|
| 25 |
(right now, signing of Manifests is woefully inconsistent. There are 5400 |
| 26 |
signed Manifests and the remainder unsigned. Who they are signed by is |
| 27 |
unclear. Some I cannot even find on public key servers!) |
| 28 |
|
| 29 |
3) Similar to what is done at keysigning parties, a hash of all Manifest |
| 30 |
files would be generated and signed by the uber-key. This hash should be |
| 31 |
generated from the actual portage tree prior to being propogated through |
| 32 |
the mirror system. |
| 33 |
|
| 34 |
Just an example, but I tried this in ${PORTDIR} |
| 35 |
|
| 36 |
# find . -name "Manifest" -exec openssl dgst -ripemd160 {} ";" >MasterManifestFile.txt |
| 37 |
|
| 38 |
(of course, gpg, md5sum, or related commands could be used. or a perl or |
| 39 |
python substitute used. The above was just for illustration). |
| 40 |
|
| 41 |
(where this master file gets stored is not settled now. I think it |
| 42 |
should not be propogated, but kept off the mirrors. Others disagree. But |
| 43 |
the concept is that it exists and gets signed) |
| 44 |
|
| 45 |
4) When a user emerges an ebuild, he/she would check the hash of |
| 46 |
the Manifest in the ebuild he or she is downloading against the |
| 47 |
MasterManifestFile.txt file. |
| 48 |
|
| 49 |
The rationale is that if Joe Bad Guy uploads a malicious ebuild to a |
| 50 |
mirror he has access to, complete with a new manifest, it won't checksum |
| 51 |
correctly against the master list, and the user can be protected. Having a |
| 52 |
single hash of all Manifest files protects against intrusion into |
| 53 |
parts of the distribution system. It also makes it OK for a user to download |
| 54 |
files that are not affected easily. And, since all directories would have |
| 55 |
Manifests, and I would include profiles and eclass as well, they are |
| 56 |
protected too. |
| 57 |
|
| 58 |
And, since the MasterManifestFile.txt file is signed by the uber Gentoo |
| 59 |
key, tampering with it would be difficult. |
| 60 |
|
| 61 |
5) Every time a new file is added to the main tree, new Manifests must be |
| 62 |
generated and a new master list created. |
| 63 |
|
| 64 |
Essentially, what this scheme accomplishes is a double check on Manifests. |
| 65 |
What it does not deal with is who signs each Manifest. I am not sure about |
| 66 |
that. For example, some Manifest files are signed by now-revoked keys. |
| 67 |
Some I can't find on keyservers. And, signing a Manifest file only does |
| 68 |
not deal with all the other files. I'm not sure Manifests need to be |
| 69 |
signed, but that's out of my realm of expertise and really is a policy |
| 70 |
decision. I'm also not sure of the benefit of signing all files either. |
| 71 |
Right now, signing of Manifest files is not enforced. How could you |
| 72 |
enforce signing all files then? |
| 73 |
|
| 74 |
Here's a snippet of what a Master file could look like using just one |
| 75 |
directory, x11-base: |
| 76 |
|
| 77 |
find -name "Manifest" -exec -ripemd160 \{} ";" | gpg --clearsign - |
| 78 |
|
| 79 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 80 |
Hash: RIPEMD160 |
| 81 |
|
| 82 |
RIPEMD160(./xdirectfb/Manifest)= ca5398a78e9f92cff3c704255caec2b6589b0ccb |
| 83 |
RIPEMD160(./xorg-x11/Manifest)= 527c1977c0e799aa41dbfa7e5ff3d4fa1026e8be |
| 84 |
RIPEMD160(./x11-drm/Manifest)= 2836d93a85c0b7dcb58e3b2dc924d9bd9d8f8cf8 |
| 85 |
RIPEMD160(./xorg-server/Manifest)= 281e13187104e89525d081a92dc81b3e8b018dce |
| 86 |
RIPEMD160(./kdrive/Manifest)= 2559c92f4a94063271959557bf6c084c4da03b53 |
| 87 |
RIPEMD160(./opengl-update/Manifest)= 534ec81aa9485b020c07cd7800fb60588d141e35 |
| 88 |
-----BEGIN PGP SIGNATURE----- |
| 89 |
Version: GnuPG v1.4.2.2 (GNU/Linux) |
| 90 |
|
| 91 |
iD8DBQFEbvHJTTfGLUZ/v30RA5AKAKDJFRKIB3GwxYC4iUEVLMg+uuZ6gACgsIco |
| 92 |
gSaCIOauDmFjtJNoK0f7bPs= |
| 93 |
=Qm0N |
| 94 |
-----END PGP SIGNATURE----- |
| 95 |
|
| 96 |
A benefit of this scheme, is that instead of checksumming the thousands of |
| 97 |
individual files in portage, we're only interested in the Manifests. The |
| 98 |
entire tree of Manifests is <1Mb. Grepping a file would be fast, needing |
| 99 |
only the ebuild name and the word Manifest. |
| 100 |
|
| 101 |
What would need to be determined is what checksumming method to use, and |
| 102 |
to require gpg as a dependancy of portage so that signature verification |
| 103 |
can be done on the Master File. |
| 104 |
|
| 105 |
I also believe that live cds and other output from gentoo should be signed |
| 106 |
as well. I looked at the 2006.0 cd and saw nothing on it. |
| 107 |
|
| 108 |
Here's the Slackware approach that I am very familiar with. On the root |
| 109 |
directory of each CD is a list of checksums called CHECKSUMS.md5. Pat |
| 110 |
(Volkerding) then creates a detached signature of that file using the |
| 111 |
Slackware Security Key. This way, the user can be assured that the list of |
| 112 |
md5 checksums is authentic and check any file's checksum (or all) he/she |
| 113 |
wants. |
| 114 |
|
| 115 |
snippet of CHECKSUMS.md5 |
| 116 |
|
| 117 |
These are the MD5 message digests for the files in this directory. |
| 118 |
If you want to test your files, use 'md5sum' and compare the values to |
| 119 |
the ones listed here. |
| 120 |
|
| 121 |
To test all these files, use this command: |
| 122 |
|
| 123 |
md5sum -c CHECKSUMS.md5 | less |
| 124 |
|
| 125 |
'md5sum' can be found in the GNU coreutils package on ftp.gnu.org in |
| 126 |
/pub/gnu, or at any GNU mirror site. |
| 127 |
|
| 128 |
MD5 message digest Filename |
| 129 |
3b6703583ac87b4ab8cd23aafadb1c2c ./ANNOUNCE.10_2 |
| 130 |
470d6328592a31a8bed773e849317895 ./BOOTING.TXT |
| 131 |
18810669f13b87348459e611d31ab760 ./COPYING |
| 132 |
50aa19e2a2f983eca992d7775b11393c ./COPYRIGHT.TXT |
| 133 |
4e76de599428a3536b4e4e3288456d32 ./CRYPTO_NOTICE.TXT |
| 134 |
f8f15922110049f42c8a1d3693e22272 ./ChangeLog.txt |
| 135 |
|
| 136 |
peter@mars ~ $ gpg --search-keys Slackware\ Security |
| 137 |
gpg: searching for "Slackware Security" from hkp server cryptonomicon.mit.edu |
| 138 |
(1) GUS-BR Security Team <security@×××××××××××××.br> |
| 139 |
1024 bit DSA key B181EC7C, created: 2004-11-18 |
| 140 |
(2) Slackware Linux Project <security@×××××××××.com> |
| 141 |
Slackware Linux Project <security@×××××××××.com> |
| 142 |
1024 bit DSA key 40102233, created: 2003-02-26 |
| 143 |
|
| 144 |
Slackware publishes its uber key on public key servers for all to see. GUS |
| 145 |
is authorized by Pat. |
| 146 |
|
| 147 |
Gentoo can do similar with its output also. |
| 148 |
|
| 149 |
Sorry. I said this would be brief, and I suppose I lied. However, I hope |
| 150 |
someone might get a good thought or two from this (or a good laugh at my |
| 151 |
naivete!). And thanks Patrick for helping with your feedback and getting |
| 152 |
me to focus on some of these ideas a little more. HTH |
| 153 |
|
| 154 |
-- |
| 155 |
Peter |
| 156 |
|
| 157 |
|
| 158 |
-- |
| 159 |
gentoo-dev@g.o mailing list |
Archives