signed tarballs

Paul Moore paul at paul-moore.com
Fri Apr 14 13:06:53 UTC 2017


On Thu, Apr 13, 2017 at 6:25 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Thursday, April 13, 2017 5:05:36 PM EDT Paul Moore wrote:
>> On Thu, Apr 13, 2017 at 5:00 PM, William Roberts <bill.c.roberts at gmail.com> wrote:
>> > Isn't the hash on the https people's page?
>
> No, it's on the mail list. The mail list is moderated. Only a handful of people
> could post a spoofed message.
>
>> > Which last time I looked wasn't throwing cert errors in chrome.
>>
>> Unless Steve has exclusive administrative access to people.redhat.com
>> (I think it is safe to say he does not, but correct me if I'm wrong
>> Steve)
>
> Nope.
>
>> you can't trust an unsigned checksum regardless of how
>> strong the https cert/crypto as the web admin could still tamper with
>> the data.
>
> They would have to go tamper with the mail list where all the hashes are
> publicly disclosed, too. There are multiple mail list archives. Then they
> would have to post the tampered tarball to the Fedora Build System which also
> publicly discloses hashes. And the Fedora Build System requires several
> identity checks to check it in and it maintains a log.

No.  Since there is no authentication to post to this public email
list all they would have to do is spoof a bogus release announcement
email from you; yes there are some measures in place to combat things
like this, but it isn't that hard.  Granted, you might notice this
attack relatively quickly, but if the attack was timed to happen while
you were away from your email for an extended period of time (travel,
etc.) the window could be non-trivial, and even then, how many
installs could have already been put at risk?

Steve, it's pretty apparent at this point that you don't want to, and
aren't likely to, provide any form of signed checksum for the audit
userspace release.  That's your prerogative, and to some like William,
they may be content with that level of risk.  However, please don't
pretend that signing releases doesn't provide an additional layer of
protection.

-- 
paul moore
www.paul-moore.com
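As an added illustration of the point argued above (not part of the thread or of the audit project): a Go sketch in which a downloader checks a release two ways, once against the served checksum manifest alone and once against a manifest whose signature is checked first with a key obtained out of band. Ed25519 stands in for the GPG signature under discussion; the key pair, file name and file contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Release is what a downloader fetches: tarball, sha256sum-style manifest, signature.
type Release struct {
	Name, Manifest string
	Tarball, Sig   []byte
}

func manifestLine(name string, tarball []byte) string {
	sum := sha256.Sum256(tarball)
	return hex.EncodeToString(sum[:]) + "  " + name
}

// PublishRelease is the maintainer side: hash the tarball and sign the
// manifest. Ed25519 stands in for the GPG signature the thread asks for.
func PublishRelease(name string, tarball []byte, priv ed25519.PrivateKey) Release {
	m := manifestLine(name, tarball) + "\n"
	return Release{Name: name, Manifest: m, Tarball: tarball, Sig: ed25519.Sign(priv, []byte(m))}
}

// Tamper models the thread's web admin: swap the tarball and rewrite the served manifest.
func Tamper(r Release, evil []byte) Release {
	r.Tarball, r.Manifest = evil, manifestLine(r.Name, evil)+"\n"
	return r
}

// VerifyUnsigned trusts the manifest as served, so a consistent swap passes.
func VerifyUnsigned(r Release) bool {
	return strings.Contains(r.Manifest, manifestLine(r.Name, r.Tarball)+"\n")
}

// VerifySigned checks the manifest's signature before believing any hash it lists.
func VerifySigned(r Release, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, []byte(r.Manifest), r.Sig) && VerifyUnsigned(r)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair, not a real one
	bad := Tamper(PublishRelease("release.tar.gz", []byte("genuine"), priv), []byte("trojaned"))
	fmt.Println("unsigned check passes:", VerifyUnsigned(bad), "signed check passes:", VerifySigned(bad, pub))
}
```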
