1 |
On Thu, 18 May 2006 23:45:17 +0200, Patrick Lauer wrote: |
2 |
|
3 |
>The problem, in short, is how to handle the checksumming and signing of |
4 |
>gentoo-provided files so that manipulation by external entities becomes |
5 |
>difficult. |
6 |
|
7 |
all snip... |
8 |
|
9 |
PMFJI, but as a user, not a security expert, I had a few thoughts that I'd |
10 |
like to throw in. Thanks to Patrick, he helped me to drill down some of |
11 |
the ideas and I present them for consideration. It's just a framework, so |
12 |
I will be brief. |
13 |
|
14 |
Here are the main requirements of this scheme: |
15 |
|
16 |
1) I believe there should be a gentoo uber-key. One, similar to Slackware |
17 |
Security, which is used to authenticate everything coming from Gentoo. |
18 |
|
19 |
2) Every first or second level directory in portage should have a Manifest |
20 |
of all files in it and below, not just ebuilds. All ebuilds have Manifest |
21 |
files, but eclass does not, and profiles does not AFAIK. These Manifest |
22 |
files, like now, will contain checksums of all files in and below its |
23 |
directory. |
24 |
|
25 |
(right now, signing of Manifests is woefully inconsistent. There are 5400 |
26 |
signed Manifests and the remainder unsigned. Who they are signed by is |
27 |
unclear. Some I cannot even find on public key servers!) |
28 |
|
29 |
3) Similar to what is done at keysigning parties, a hash of all Manifest |
30 |
files would be generated and signed by the uber-key. This hash should be |
31 |
generated from the actual portage tree prior to being propogated through |
32 |
the mirror system. |
33 |
|
34 |
Just an example, but I tried this in ${PORTDIR} |
35 |
|
36 |
# find . -name "Manifest" -exec openssl dgst -ripemd160 {} ";" >MasterManifestFile.txt |
37 |
|
38 |
(of course, gpg, md5sum, or related commands could be used. or a perl or |
39 |
python substitute used. The above was just for illustration). |
40 |
|
41 |
(where this master file gets stored is not settled now. I think it |
42 |
should not be propogated, but kept off the mirrors. Others disagree. But |
43 |
the concept is that it exists and gets signed) |
44 |
|
45 |
4) When a user emerges an ebuild, he/she would check the hash of |
46 |
the Manifest in the ebuild he or she is downloading against the |
47 |
MasterManifestFile.txt file. |
48 |
|
49 |
The rationale is that if Joe Bad Guy uploads a malicious ebuild to a |
50 |
mirror he has access to, complete with a new manifest, it won't checksum |
51 |
correctly against the master list, and the user can be protected. Having a |
52 |
single hash of all Manifest files protects against intrusion into |
53 |
parts of the distribution system. It also makes it OK for a user to download |
54 |
files that are not affected easily. And, since all directories would have |
55 |
Manifests, and I would include profiles and eclass as well, they are |
56 |
protected too. |
57 |
|
58 |
And, since the MasterManifestFile.txt file is signed by the uber Gentoo |
59 |
key, tampering with it would be difficult. |
60 |
|
61 |
5) Every time a new file is added to the main tree, new Manifests must be |
62 |
generated and a new master list created. |
63 |
|
64 |
Essentially, what this scheme accomplishes is a double check on Manifests. |
65 |
What it does not deal with is who signs each Manifest. I am not sure about |
66 |
that. For example, some Manifest files are signed by now-revoked keys. |
67 |
Some I can't find on keyservers. And, signing a Manifest file only does |
68 |
not deal with all the other files. I'm not sure Manifests need to be |
69 |
signed, but that's out of my realm of expertise and really is a policy |
70 |
decision. I'm also not sure of the benefit of signing all files either. |
71 |
Right now, signing of Manifest files is not enforced. How could you |
72 |
enforce signing all files then? |
73 |
|
74 |
Here's a snippet of what a Master file could look like using just one |
75 |
directory, x11-base: |
76 |
|
77 |
find -name "Manifest" -exec -ripemd160 \{} ";" | gpg --clearsign - |
78 |
|
79 |
-----BEGIN PGP SIGNED MESSAGE----- |
80 |
Hash: RIPEMD160 |
81 |
|
82 |
RIPEMD160(./xdirectfb/Manifest)= ca5398a78e9f92cff3c704255caec2b6589b0ccb |
83 |
RIPEMD160(./xorg-x11/Manifest)= 527c1977c0e799aa41dbfa7e5ff3d4fa1026e8be |
84 |
RIPEMD160(./x11-drm/Manifest)= 2836d93a85c0b7dcb58e3b2dc924d9bd9d8f8cf8 |
85 |
RIPEMD160(./xorg-server/Manifest)= 281e13187104e89525d081a92dc81b3e8b018dce |
86 |
RIPEMD160(./kdrive/Manifest)= 2559c92f4a94063271959557bf6c084c4da03b53 |
87 |
RIPEMD160(./opengl-update/Manifest)= 534ec81aa9485b020c07cd7800fb60588d141e35 |
88 |
-----BEGIN PGP SIGNATURE----- |
89 |
Version: GnuPG v1.4.2.2 (GNU/Linux) |
90 |
|
91 |
iD8DBQFEbvHJTTfGLUZ/v30RA5AKAKDJFRKIB3GwxYC4iUEVLMg+uuZ6gACgsIco |
92 |
gSaCIOauDmFjtJNoK0f7bPs= |
93 |
=Qm0N |
94 |
-----END PGP SIGNATURE----- |
95 |
|
96 |
A benefit of this scheme, is that instead of checksumming the thousands of |
97 |
individual files in portage, we're only interested in the Manifests. The |
98 |
entire tree of Manifests is <1Mb. Grepping a file would be fast, needing |
99 |
only the ebuild name and the word Manifest. |
100 |
|
101 |
What would need to be determined is what checksumming method to use, and |
102 |
to require gpg as a dependancy of portage so that signature verification |
103 |
can be done on the Master File. |
104 |
|
105 |
I also believe that live cds and other output from gentoo should be signed |
106 |
as well. I looked at the 2006.0 cd and saw nothing on it. |
107 |
|
108 |
Here's the Slackware approach that I am very familiar with. On the root |
109 |
directory of each CD is a list of checksums called CHECKSUMS.md5. Pat |
110 |
(Volkerding) then creates a detached signature of that file using the |
111 |
Slackware Security Key. This way, the user can be assured that the list of |
112 |
md5 checksums is authentic and check any file's checksum (or all) he/she |
113 |
wants. |
114 |
|
115 |
snippet of CHECKSUMS.md5 |
116 |
|
117 |
These are the MD5 message digests for the files in this directory. |
118 |
If you want to test your files, use 'md5sum' and compare the values to |
119 |
the ones listed here. |
120 |
|
121 |
To test all these files, use this command: |
122 |
|
123 |
md5sum -c CHECKSUMS.md5 | less |
124 |
|
125 |
'md5sum' can be found in the GNU coreutils package on ftp.gnu.org in |
126 |
/pub/gnu, or at any GNU mirror site. |
127 |
|
128 |
MD5 message digest Filename |
129 |
3b6703583ac87b4ab8cd23aafadb1c2c ./ANNOUNCE.10_2 |
130 |
470d6328592a31a8bed773e849317895 ./BOOTING.TXT |
131 |
18810669f13b87348459e611d31ab760 ./COPYING |
132 |
50aa19e2a2f983eca992d7775b11393c ./COPYRIGHT.TXT |
133 |
4e76de599428a3536b4e4e3288456d32 ./CRYPTO_NOTICE.TXT |
134 |
f8f15922110049f42c8a1d3693e22272 ./ChangeLog.txt |
135 |
|
136 |
peter@mars ~ $ gpg --search-keys Slackware\ Security |
137 |
gpg: searching for "Slackware Security" from hkp server cryptonomicon.mit.edu |
138 |
(1) GUS-BR Security Team <security@×××××××××××××.br> |
139 |
1024 bit DSA key B181EC7C, created: 2004-11-18 |
140 |
(2) Slackware Linux Project <security@×××××××××.com> |
141 |
Slackware Linux Project <security@×××××××××.com> |
142 |
1024 bit DSA key 40102233, created: 2003-02-26 |
143 |
|
144 |
Slackware publishes its uber key on public key servers for all to see. GUS |
145 |
is authorized by Pat. |
146 |
|
147 |
Gentoo can do similar with its output also. |
148 |
|
149 |
Sorry. I said this would be brief, and I suppose I lied. However, I hope |
150 |
someone might get a good thought or two from this (or a good laugh at my |
151 |
naivete!). And thanks Patrick for helping with your feedback and getting |
152 |
me to focus on some of these ideas a little more. HTH |
153 |
|
154 |
-- |
155 |
Peter |
156 |
|
157 |
|
158 |
-- |
159 |
gentoo-dev@g.o mailing list |