Bug#892803: di-netboot-assistant: unsigned daily images

To: Cyril Brulebois <kibi@debian.org>, 892803@bugs.debian.org
Subject: Bug#892803: di-netboot-assistant: unsigned daily images
From: Matt Taggart <taggart@debian.org>
Date: Wed, 14 Mar 2018 00:36:02 -0700
Message-id: <[🔎] ed45782d-613c-7b20-ca20-08f96d1e6969@debian.org>
Reply-to: Matt Taggart <taggart@debian.org>, 892803@bugs.debian.org
In-reply-to: <[🔎] 20180314052825.qwamba2utfqx2wtf@mraw.org>
References: <[🔎] 0a9b6a36-c0d0-3acf-346c-dcac179113cb@lackof.org> <[🔎] 20180314052825.qwamba2utfqx2wtf@mraw.org> <[🔎] 0a9b6a36-c0d0-3acf-346c-dcac179113cb@lackof.org>

On 03/13/2018 10:28 PM, Cyril Brulebois wrote:

What extra security would signing images bring here?

For me, assurance that nobody had interfered with the daily image that Iwill use to install a system. Many systems I install with a daily arefor testing and get thrown away rather quickly (although often I don'tknow in advance which ones will end up sticking around longer).

One reason in the past I have installed systems with a daily build thatI know will stick around is due to needing support for new hardware atinstall time, where I couldn't just get an older install on the systemwith a stable d-i and then upgrade the kernel post-install. Usuallythings like drivers for a disk controller, newish filesystem features,or network drivers for doing a network install.

The testing alpha/beta/rc releases _do_ get signed right? Maybe that's abetter solution for the above case where I need something newer thanstable, but testing would in most cases be "new enough".


But still thinking about daily...

d-i.d.o does use https and has it's own Let's Encrypt issued cert, Ithink I could verify the cert and then check that the netboot.tar.gzmatches the one published in

  https://d-i.debian.org/daily-images/amd64/daily/SHA256SUMS

Looking at the code, it looks like d-n-a already does the latter part Iguess to prevent cases of download corruption, broken mirrors, etc.

The default di-sources.list uses https for the daily images. And thecode uses either wget or curl, both of which default to verifying certsvia the normal system ca list. So it's already doing quite a bit toverify even the daily image sources. That's good, but if I was anattacker trying to mitm, I'd just need to find the weakest link in theCA cartel to issue me a d-i.d.o cert I could use for my mitm mirror.

This is a corner case for sure and if there is no reasonable way tosolve it I think that's OK.

I think if I wanted to prove to myself the daily image came from debian,I could verify the cert used for d-i.d.o was indeed the known debianowned one, download the netboot.tar.gz/SHA256SUMS and stick them in thecache, and then use the --offline flag.


--
Matt Taggart
taggart@debian.org

Reply to:

Follow-Ups:
- Bug#892803: di-netboot-assistant: unsigned daily images
  - From: Cyril Brulebois <kibi@debian.org>

References:
- Bug#892803: di-netboot-assistant: unsigned daily images
  - From: Matt Taggart <matt@lackof.org>
- Bug#892803: di-netboot-assistant: unsigned daily images
  - From: Cyril Brulebois <kibi@debian.org>

Prev by Date: Bug#833525: debootstrap: Deleted my entire /home partition using "mostly harmless" debootstrap --print-debs option
Next by Date: Bug#892900: console-setup: The last update console-setup 1.179 fails in its postinstallation scripts
Previous by thread: Bug#892803: di-netboot-assistant: unsigned daily images
Next by thread: Bug#892803: di-netboot-assistant: unsigned daily images
Index(es):
- Date
- Thread