signed tarballs

William Roberts bill.c.roberts at gmail.com
Thu Apr 13 22:45:55 UTC 2017 

On Apr 13, 2017 14:22, "Christian Rebischke" <Chris.Rebischke at archlinux.org>
wrote:

On Thu, Apr 13, 2017 at 05:05:36PM -0400, Paul Moore wrote:
> Unless Steve has exclusive administrative access to people.redhat.com
> (I think it is safe to say he does not, but correct me if I'm wrong
> Steve <b>) you can't trust an unsigned checksum regardless of how
> strong the https cert/crypto as the web admin could still tamper with
> the data.

We are not only talking about the web admin. We live in times where
governments can easily tamper such data and the documents from snowden
and some other whistleblowers prove that they did stuff like this.

The only way to make sure that the tarball is the original tarball is
with a signature from Steve grubbs gpg-key. This would ensure that steve
has checked the content.

Just imagine the following scenario:

1. New audit version
2. Steve uploads the new version with new hash to the webserver.

3. Let's imagine that hackers would MITM my connection or modify the
server content. They could deploy a new tarball and generate a new
checksum for it, because SHA256 is just *one* factor. Everyone who would
download the new tarball would check against the new malicious hash.

This is a valid attack scenario.. This scenario could only be prevent by
using signed tarballs. Because people like me and other distribution
maintainers would have Steves pubkey. If somebody would modify the
tarball he would need Steves pubkey. And this is much more difficult
than just MITM the connection or tampering the data on the webserver.

With a signed tarball the attacker would have following problems:

1. the attacker can't deploy a malicious tarball without signature,
because this would make clear that the tarball is malicious.
2. if the attacker would generate an own signature for the maliciois
tarball, people who verify the tarball would get a warning because the
key is unknown and not part of steves keyring.

I hope this email is clearer...


You're assuming a lot for an attack to happen, and your assuming a state of
steves security of his key, his repo, etc at release time. Pki is based on
trust of confidentiality of the private key. If Steve starts signing the
tarballs, it would be great (everyone should), but https + hash is better
then nothing, that's my point. The difference really boils down to trust of
the key, admin vs Steve. Admin vs Steve is much better than united vs Steve
;-).


Thanks for reading.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20170413/435a66b8/attachment.htm>

More information about the Linux-audit mailing list