Revocation list for old packages with security holes (was: Re: Revival of the signed debs discussion)
Joey Hess <firstname.lastname@example.org> wrote:
> Goswin von Brederlow wrote:
> > What can we do with deb signatures?
> > For our current problem, the integrity of the debian archive being
> > questioned, the procedure would be easy and available to every user:
> > 1. get any clean Debian keyring (or just the key signing the keyring)
> > 2. verify the latest Debian keyring
> > 3. verify that each deb was signed by a DD and the signature fits
> The canonical attack against signed debs in this situation is to find a
> signed deb on snapshot.debian.net that contains a known security hole.
> Now inject it into the compromised archive, with a changed filename, and
> edit the Packages file to have its md5sum. Now a user's checks will
> succeed -- the package is signed with a developer's key -- but they will
> install the old, insecure .deb. The only hint will be a warning from
> dpkg that it is downgrading the package, and a clever attacker might
> avoid even that.
We could use a revocation list where signatures of packages with known security holes are listed as being revoked. Of course, you'd
need to be online to check it when installing/updating packages. And the revocation list would best be served from a server that's
secure and separate from the archive servers to make attacks against it a bit more difficult.
> I would still like to be able to produce signed debs, it's another layer
> of security, but they are no panacea.