Re: Is packages build without verifying the source package signatures?

To: debian-security@lists.debian.org
Subject: Re: Is packages build without verifying the source package signatures?
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Sat, 02 Dec 2017 12:43:04 +0000
Message-id: <[🔎] 1512218584.2278.41.camel@adam-barratt.org.uk>
In-reply-to: <[🔎] f90f8dba-010b-400a-d786-4d41509dca9f@gmail.com>
References: <[🔎] f90f8dba-010b-400a-d786-4d41509dca9f@gmail.com>

On Sat, 2017-12-02 at 12:15 +0100, Davide Prina wrote:
> If I don't mistake the automatic package build system don't require
> that the source signature is verified correctly.
[...]
> So it don't have the public key (?) and so it don't check the
> package  signature. But the package is build successfully... and
> signed.
> 
> If an attacker change the source and package it with a wrong private 
> key, it can have his "patch" applied to the signed binary packages?

The packages that the buildds are building come from the Debian
archives, where the software that accepts uploads verifies the
signatures on the uploads. The metadata for the upload queues is also
GPG-signed by the archive software.

So, no, in practice it's not feasible for the attacker to inject
packages outside of the trust structure without already having
compromised some other part of the infrastructure.

Regards,

Adam

Reply to:

References:
- Is packages build without verifying the source package signatures?
  - From: Davide Prina <davide.prina@gmail.com>

Prev by Date: Is packages build without verifying the source package signatures?
Next by Date: Re: Is packages build without verifying the source package signatures?
Previous by thread: Is packages build without verifying the source package signatures?
Next by thread: Re: Is packages build without verifying the source package signatures?
Index(es):
- Date
- Thread