
Bug#1077599: apt: use sopv for OpenPGP signature verification



On Tue 2024-07-30 06:16:00 -0400, Daniel Kahn Gillmor wrote:
>> What's missing from sopv are mechanisms for specifying crypto
>> policies, such as allowed hashes, allowed crypto algorithms, and
>> allowed key sizes. I'm not sure if there's stuff I'm missing.

I think we'd be putting apt pretty deep in the crypto weeds if we try to
set those rules in apt itself.  Rather, apt should depend on a sopv
implementation that makes reasonable choices about what kinds of
cryptography are acceptable for signing.

>> What we found out here is that verifying the key algorithm and size
>> during signature verification is a bit annoying, they only work with
>> errors.
>> 
>> Imagine you have two keys, one weak and one strong. You never get a
>> warning about the weak key until you see a signature from it.

Even then, i don't think you'd want to see a warning.  A weak signature
should be treated the same as no signature; it doesn't validate,
regardless of where it came from.

>> That's suboptimal because it means only errors really add security, as
>> otherwise an attacker may replace the data with one signed with a
>> compromised weak key and if an update runs in the background you might
>> not even notice.

Dealing with a weak key shouldn't be hard: we just use an OpenPGP
validator that only accepts strong keys.

Dealing with a compromised key is more challenging; we want to be able
to explicitly *exclude* a certificate when we know it to be compromised.
The simplest thing there is just to remove the certificate from the
filesystem, i think.

>> We also need status communicated:
>>
>>   fingerprints of keys that are unknown
>>   uids and fingerprints of expired keys such that we can display them

Why do we want to display them?  Those sorts of warnings are footguns to
most admins: they see them as a warning that they need to fix, and they
go and hunt down the unknown key and "install" it to clear the warning.

I agree that there are use cases for debugging tools, but i think the
core part of apt should focus on a simple signature checker that just
does the right thing and fails appropriately when not on the happy
path.  Admins in the debugging case can bring different tools to bear.

apt can simplify; let the OpenPGP implementation do the work!

       --dkg
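The fail-closed verifier dkg argues for above, as an added example that is not apt's code and not from this thread: an apt-like caller hands the trust set (whatever certificate files are on disk) and the detached signature to `sopv verify`, and treats anything other than exit 0 plus a well-formed VERIFICATIONS line exactly like "no signature". Removing a cert file is the only way to exclude a compromised key, and no distinction is made between weak, unknown and expired keys. The command shape `sopv verify SIGNATURE CERTS... < DATA`, the exit codes 0 and 3, and the VERIFICATIONS line layout `<timestamp> <signing key fpr> <primary key fpr> mode:<mode> [description]` follow the SOP draft as I read it; the keyring directory, file suffixes, `verify_release` name and the sample output are assumptions I made for the example.

```python
"""Added example: a minimal fail-closed wrapper around a sopv implementation.
Not apt's code and not from the bug thread; it illustrates the design stance
"apt can simplify, let the OpenPGP implementation do the work"."""
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, Optional

# Exit codes from the SOP draft (assumed here): 0 = OK, 3 = NO_SIGNATURE.
# Any other code is an error; we deliberately do not look at which one.
SOP_OK = 0
SOP_NO_SIGNATURE = 3


@dataclass(frozen=True)
class Verification:
    timestamp: str
    signing_fpr: str
    primary_fpr: str
    mode: str


def parse_verifications(output: str) -> list:
    """Parse the VERIFICATIONS lines sopv writes on success.
    Assumed layout per line:
    '<timestamp> <signing key fpr> <primary key fpr> mode:<mode> [description]'
    Any malformed line is a ValueError; the caller turns that into a failure."""
    results = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[3].startswith("mode:"):
            raise ValueError(f"malformed VERIFICATIONS line: {line!r}")
        results.append(Verification(fields[0], fields[1], fields[2], fields[3][5:]))
    return results


def keyring_certs(keyring_dir) -> list:
    """The trust set is simply the certificate files present on disk
    (assumed suffixes .asc/.gpg). Excluding a compromised certificate means
    deleting its file; there is no allow/deny list to maintain in apt."""
    return sorted(p for p in Path(keyring_dir).iterdir()
                  if p.is_file() and p.suffix in {".asc", ".gpg"})


def sopv_verify_command(signature, certs: Iterable, sopv: str = "sopv") -> list:
    """Build 'sopv verify SIGNATURE CERTS...'; DATA is fed on stdin."""
    return [sopv, "verify", str(signature), *map(str, certs)]


def judge(returncode: int, stdout: str) -> Optional[list]:
    """Fail closed: only exit 0 with at least one parseable VERIFICATIONS line
    counts as signed. A weak, unknown, expired or revoked key never produces
    a warning to act on, just None, exactly like an unsigned Release file."""
    if returncode != SOP_OK:
        return None
    try:
        found = parse_verifications(stdout)
    except ValueError:
        return None
    return found or None


def verify_release(data_path, signature_path, keyring_dir, sopv: str = "sopv"):
    """Verify DATA against a detached SIGNATURE with the certs on disk.
    Returns the list of Verification records, or None when not validated."""
    certs = keyring_certs(keyring_dir)
    if not certs:
        return None  # empty trust set: nothing can validate
    with open(data_path, "rb") as data:
        proc = subprocess.run(sopv_verify_command(signature_path, certs, sopv),
                              stdin=data, capture_output=True, text=True)
    return judge(proc.returncode, proc.stdout)


if __name__ == "__main__":
    # Constructed sample output, not captured from a real sopv run.
    sample = ("2024-07-30T10:16:00Z "
              "0123456789ABCDEF0123456789ABCDEF01234567 "
              "0123456789ABCDEF0123456789ABCDEF01234567 mode:binary sample\n")
    print("good run   ->", judge(SOP_OK, sample))
    print("no sig     ->", judge(SOP_NO_SIGNATURE, ""))
    print("empty out  ->", judge(SOP_OK, ""))
    print("command    ->", sopv_verify_command("Release.gpg", ["debian.asc"]))
```

The point of `judge` is what it does not do: it never inspects which non-zero code came back and never surfaces the fingerprint of a key it could not validate, so an admin has nothing to "fix" by installing an unknown key; the choice of acceptable algorithms and key sizes lives entirely in the sopv implementation apt depends on.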
