[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Revival of the signed debs discussion



Andreas Barth <aba@not.so.argh.org> writes:

> * Joey Hess (joeyh@debian.org) [031202 02:55]:
> > Goswin von Brederlow wrote:
> > > What can we do with deb signatures?
> > > 
> > > For our current problem, the integrity of the debian archive being
> > > questioned, the procedure would be easy and available to every user:
> > > 
> > > 1. get any clean Debian keyring (or just the key signing the keyring)
> > > 2. verify the latest Debian keyring
> > > 3. verify that each deb was signed by a DD and the signature fits
> 
> > The canoical attack against signed debs in this situation is to find a
> > signed deb on snapshot.debian.net that contains a known security hole.
> 
> To avoid this attack, it is necessary that the filename of the deb or
> the version of the package is also signed.

% dpkg -e moon-buggy_0.5.53-5.0.0.1_i386.deb t
% cat t/control 
Package: moon-buggy
Version: 0.5.53-5.0.0.1
Section: games
Priority: optional
Architecture: i386
Depends: libc6 (>= 2.3.2.ds1-4), libncurses5 (>= 5.3.20030510-1), debconf
Conflicts: moon-buggy-esd, moon-buggy-pause, suidmanager (<< 0.50)
Installed-Size: 232
Maintainer: Christian T. Steigies <cts@debian.org>
Description: Drive some car across the moon
 Moon-buggy is a simple character graphics game, where you drive some
 kind of car across the moon's surface.  Unfortunately there are
 dangerous craters there.  Fortunately your car can jump over them!

Since the control file would be signed its all there. You just have to
verify the verions apt things its using against what the control file
says. That can be added to apt through
/etc/apt/apt.conf.d/10-verify-debsigs which I'm experimenting with at
the moment.

I wrote a trivial fix for apt-utils to support debsigs signed
debs. Without it one gets a strange error message about corrupt debs
and the pre-configuring of packages fails but everything works in the
end.


I'm not sure how an upgrade path should look. A drastic upgrade path
could make all signed debs Conflict with older apt-utils. People
using sarge/sid debs on potato/woody would get apt-utils removed,
which doesn't hurt. Everyone else would get an update. That would mean
we can introduce signed debs in sarge but have to live with every deb
conflicting with older apt-utils for the next 4 years.

Packages could drop the Conflict if one of the packages they depend on
have it. Pretty much all binaries have a versioned depend on libc6,
that would take care of most debs.


A slower upgrade path would be to fix apt now for sarge, allow debsigs
signed debs for sarge+1 for non core packages, and make them mandatory
for sarge+2.


A slightly dirty upgrade path would be to ignore apt-utils breakage
for older releases, fix apt-utils in sarge and start using debsigs
signed debs for sarge. apt-utils is not important to maintain or
update a debian system so to hell with it. :)

MfG
        Goswin



Reply to: