LinuxQuestions.org

Linux - Security: Package signing. Does it really matter? (http://www.linuxquestions.org/questions/linux-security-4/package-signing-does-it-really-matter-867297/)

Telengard 03-08-2011 03:58 PM

Package signing. Does it really matter?
 
First I read this:
http://www.webupd8.org/2010/06/linux...-for-year.html

Then I read this:
http://igurublog.wordpress.com/2011/...-notso-secret/

I'm not about to criticize any particular distro, especially one I've never used. It just seems to me that this affects all distros.

So does it matter? Why or why not? What's the worst that could happen?

Edits
Added a poll so you can answer with a quick click if that suits you.

Please no flaming any specific distro here. Should go without saying, but I'm not taking chances. This is about the merits (or lack) of package signing.

More detailed article about the ircd incident:
http://www.h-online.com/security/new...e-1020987.html

Altered the thread title to avoid confusion. This thread is about cryptographic signing of program packages, whether they be source code or compiled binaries, to prevent malicious tampering. The basic idea is that a set of hashes is used to verify another set of hashes which should originate from a trusted source. Usually the trusted source is either the original author of the program, or the packager who adds the program to the distribution's repositories, or every entity who handles the package from the programmer to the end user. Different distributions have different methods, and some make no use of package signing at all.

macemoneta 03-08-2011 04:12 PM

The worst that can happen is in your first link.

Peufelon 03-10-2011 09:41 AM

Telengard, I completely agree with you: too little attention is paid to this issue by most distros. That becomes a huge problem when someone discovers that some package has in fact been tampered with maliciously. And there have been several instances where precisely that occurred, so it is simply idiotic not to ensure that installers autocheck a sha256 "hash" (or equivalent) before installing any package. Further, the file listing the "hashes" should be signed using GPG. That is how Debian does it. In my opinion, even this system represents the absolute minimum of acceptable practice.

Haven't used arch, not picking on arch. I think this is a problem with many distros, including some of the popular ones. And Debian has had some huge security lapses of its own from time to time. In my opinion, no-one should ever "rest easy" or assume that "no-one would take the time/effort to do that". In my opinion, people who make such assumptions are all too often putting their head in the sand.

On-line polls at forums like LQ are likely to be heavily skewed towards the viewpoint of the ostriches, since security conscious users are more likely to not even be able to see the poll, much less vote.

orgcandman 03-10-2011 09:57 AM

Just an FYI - Code Signing means something entirely different than Package signing. Google for Trusted Platform and Code Signing to see what I mean.

To be fair, I think arch is the exception, not the rule. Additionally, signing doesn't mean anything if the upstream sources have been tampered with (unreal ircd) - or some inexperienced/clueless developer decides to remove an uninitialized stack variable without knowing why (debian's openssl fiasco) it was there in the first place. It's all about trust - how much of it do you place in "that guy." While signing prevents someone from setting up their own mirror and serving "I patched coreutils with a trojan," it does nothing to prevent the first two. Heck, it doesn't even prevent "I'm gonna serve you an older package that I know is vulnerable but has been signed."

Additionally, signing means nothing once the trusted secret key is leaked (look at what just happened to Sony's PS3), or otherwise discovered. Once that happens, any "bad guy" can sign any package and serve it on their evil mirror.

Anyway, none of this is "new" information. EvilGrade has existed for a while now, and provides evil packages for a lot of different systems - even the "signed" MS Windows platform. It's all about user education and intelligence. A user that's been educated is by far a stronger security proponent than one who's never experienced being owned completely and thinks "Well, it's signed - it must be safe".
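As an added example (not code from any post in this thread or from any distribution), the verification chain Peufelon describes for Debian, carried through with the "older package that has been signed" caveat orgcandman raises: a signed Release file vouches for the Packages index by hash and size, the index vouches for each .deb the same way, and a Valid-Until date stops stale but still-signed metadata from being replayed. The Release and Packages contents, the key and the .deb bytes are all constructed, and an HMAC stands in for the OpenPGP signature so the example runs offline.

```python
import hashlib, hmac
from datetime import datetime, timezone
# Constructed stand-ins: a fake .deb and a symmetric key playing the archive's
# signing key (real apt verifies the InRelease file with gpg instead).
DEB, TRUST_KEY = b"constructed .deb payload", b"constructed-archive-key"
PACKAGES_PATH = "main/binary-amd64/Packages"
NOW, LATER = datetime(2011, 3, 10, tzinfo=timezone.utc), datetime(2011, 4, 1, tzinfo=timezone.utc)
def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign_release(release: str) -> str:  # stand-in for the detached OpenPGP signature
    return hmac.new(TRUST_KEY, release.encode(), "sha256").hexdigest()

def build_sample(deb=DEB, valid_until="Thu, 17 Mar 2011 12:00:00 +0000"):
    packages = f"Package: example-tool\nVersion: 1.0-1\nSize: {len(deb)}\nSHA256: {sha256(deb)}\n"
    body = packages.encode()
    release = (f"Origin: Example\nValid-Until: {valid_until}\nSHA256:\n"
               f" {sha256(body)} {len(body)} {PACKAGES_PATH}\n")
    return release, sign_release(release), packages

def parse_release(text):
    """Return (top-level fields, {path: (sha256, size)}) from a Release file."""
    fields, hashes, in_sha = {}, {}, False
    for line in text.splitlines():
        if in_sha and line.startswith(" "):
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
        else:
            key, _, value = line.partition(":")
            in_sha, fields[key] = key == "SHA256", value.strip()
    return fields, hashes

def parse_packages(text):  # {package name: stanza fields}
    stanzas = [dict(l.split(": ", 1) for l in b.splitlines()) for b in text.strip().split("\n\n")]
    return {s["Package"]: s for s in stanzas}

def verify_chain(release, signature, packages, deb, name, now):
    """Walk signed Release -> Packages -> .deb; return (True, 'ok') or (False, reason)."""
    if not hmac.compare_digest(sign_release(release), signature):
        return False, "Release signature invalid"        # untrusted or tampered index
    fields, hashes = parse_release(release)
    if now > datetime.strptime(fields["Valid-Until"], "%a, %d %b %Y %H:%M:%S %z"):
        return False, "Release file expired"             # replay of old, still-signed metadata
    body = packages.encode()
    if hashes.get(PACKAGES_PATH) != (sha256(body), len(body)):
        return False, "Packages file does not match Release"
    entry = parse_packages(packages)[name]
    if (entry["SHA256"], int(entry["Size"])) != (sha256(deb), len(deb)):
        return False, "package does not match Packages"  # swapped .deb on the mirror
    return True, "ok"
```

Note that the chain still accepts anything the signing key has ever signed; as orgcandman says, a leaked key or a poisoned upstream tarball passes every check here.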

Peufelon 03-10-2011 10:35 AM

Quote:

Originally Posted by orgcandman (Post 4285582)
Just an FYI - Code Signing means something entirely different than Package signing. Google for Trusted Platform and Code Signing to see what I mean.

Good point; thank you for pointing this out.

Quote:

Originally Posted by orgcandman (Post 4285582)
signing means nothing once the trusted secret key is leaked (look at what just happened to Sony's PS3), or otherwise discovered. Once that happens, any "bad guy" can sign any package and serve it on their evil mirror.

A similar point applies to Debian's package-signing keys (referring to GPG style digital signature): if the secret half of the Debian package-signing keypair is obtained by the (state-sponsored?) crooks... well, Debian changes its keys from time to time. Just to be safe, I presume.

timetraveler 03-10-2011 10:35 AM

...no it doesn't really matter...

Ask any official distro "Where are the results of your security code audit?"
"The What?"

Or any audit for that matter. Most checkins are reviewed as diffs. When I looked at that openssl problem in debian it sure looked to me like someone knew exactly what they were doing. If I recall the diff looked rather harmless. But real code review would have raised a red flag. Was the developer "social engineered" to check that code in?

Linux kernel 2.37.3.tar.bz2 is 70 megabytes!!
Ask the kernel list where the security code audit is.

Signing using GPG doesn't mean anything either. Can you verify the entire chain?

SSL certs cost money because they are supposed to be backed and verified as legit.
You are paying for a chain of trust. You are not getting what you pay for.

Why don't we vote online? Because it's trivially corruptible and everyone knows it.
(It's trivially corruptible offline too when machines are used)

And furthermore you may (or may not) have noticed that the level of trust in computer systems has gone all the way down to the hardware level and to the CPU. And that's not far enough.

When quantum computers are available then what?

Peufelon 03-10-2011 10:43 AM

Quote:

When I looked at that openssl problem in debian it sure looked to me like someone knew exactly what they were doing.

See the point I made in another current thread about state-sponsored attacks on "small fry" (distros, bulletin boards, networks, PCs) becoming increasingly common.

There have been rumors for a long time of numerous attempts by Chinese, US and other governments attempting to insert various kinds of "back doors" in popular "enterprise grade" linux distributions. Some of these are more credible than others, and some have been confirmed. The attempts I know about appear to have failed, but I have no doubt that they won't give up trying. They have a clear and ever increasing motivation to keep trying, and they will.

There are also persistent rumors (and maybe a bit more) concerning alleged "backdoors" in hardware, e.g. an undocumented and possibly exploitable "testing mode" in AMD CPUs, backdoors in popular routers...

I am also concerned about the enormous pressures which governments can bring to bear upon crucial individuals who play key roles inside open source projects like Debian or NoScript. Coercion is by no means limited to the present government of (western) Libya.

Quote:

Signing using GPG doesn't mean anything either. Can you verify the entire chain?

Another good point. The "web of trust" is widely understood to be a weak point of GPG style verification schemes, but if more users adopt GPG, I think this will no longer be such a gaping hole.

Quote:

SSL certs cost money because they are supposed to be backed and verified as legit. You are paying for a chain of trust. You are not getting what you pay for.

Bruce Schneier likes to point out that companies like Verisign only insure each cert up to one hundred dollars US. That is absurdly lowballing the cost to companies which rely on these certs if they are stolen or forged. Which is known to be possible, and to occur.

Quote:

Why don't we vote online? Because it's trivially corruptible and everyone knows it.

We know better, but our governments often pretend not to. And to see what happens to citizens who protest against insecure evoting schemes, just search for a recent case which occurred in India.

Quote:

When quantum computers are available then what?

Julian Assange likes to point out that a large fraction of funding for American research on things like quantum computing comes from sources like the NSA and InQTel. The amerispooks (and their allies in the UK, Canada, New Zealand...) are simultaneously
  • thrilled at the prospect of using quantum computing to speed up the near real-time processing of the vast amounts of information they are sucking in, so that they can efficiently extract the proverbial needle from the haystack,
  • terrified that quantum cryptography may make it even harder for them to continue to exploit no-risk remote untraceable eavesdropping by full-on cryptography.

Espionage is inherently criminal, but for many decades certain agencies like NSA and GCHQ were somewhat insulated by exploiting expertise in activities less uncivilized than those traditionally employed by the CIA or the SAS. By no means everyone inside these agencies is overjoyed at the new emphasis on "social engineering" and attacking "political dissidents" inside their own countries. Many "Western" analysts are well read. They know that George Washington explicitly proscribed torture. And they cannot help seeing the logical inconsistency between harassing someone like Marlinspike or Appelbaum, while applauding the efforts of the political opposition in places like Libya and Burma. And they know that their masters are increasingly worried about their own employees, and by the prospect of the IT community turning against them.

timetraveler 03-10-2011 11:48 AM

BTW...some say that quantum computers are already here.
Maybe quantum computing will set us free. No more secrets.
Or maybe it will chain us down.

Hardware exploits have been around for ever. (where forever == as soon as hardware came into being)
They can be anywhere. In your mouse, kb, bios, etc., etc.

But if you consider that tech. advances are part of our evolution then, like evolution, the advances will break free and will no longer be contained. Then the true nature of our evolution can proceed.

Telengard 03-10-2011 01:43 PM

Quote:

Originally Posted by orgcandman (Post 4285582)
Just an FYI - Code Signing means something entirely different than Package signing.

I'll change the OP to make it more clear that we are talking about packages.

Edit
Sadly it seems that I can't change the wording in the poll. I think the paragraph I added to the OP should cover things well enough though.

IgnorantGuru 03-17-2011 12:41 PM

Quote:

Originally Posted by Peufelon (Post 4285653)
I am also concerned about the enormous pressures which governments can bring to bear upon crucial individuals who play key roles inside open source projects like Debian or NoScript. Coercion is by no means limited to the present government of (western) Libya.

This is very true and you brought up a lot of key points (no pun intended). Ask yourself why most distros use a weaker form of cryptoloop instead of AES-loop. Good luck trying to get AES-loop working on Arch. Gentoo seems a bit better for it. The point of encryption is for it to be strong, not a toy. When Phil Zimmermann developed PGP, he did so at great personal expense. He knew that putting real encryption into the hands of civilians was vital to a free way of life (encryption isn't just about secrets, but exposing them via strong cryptographically supported anonymity, etc). The feds tried to put him behind bars for it for years after. I'm not sure his gift has been fully appreciated by the civilian world, but at least it's still around.

The security pressures on a distro come from many angles. Not everyone is concerned about govt spying, but the same 'plausible deniability' buffer overruns they use to open holes are the same ones exploited by others. If you're going to address security, you have to do it for real with the real tools, not just toys. Linux is the perfect environment for that in some ways, but only if the developers don't avoid their responsibilities. IOW sign your work - we trust you to an extent, you've proved the quality of your work, and that signature lets us know it's your authentic product. And use the best encryption algs in the distros - don't water down the booze. :)

IgnorantGuru 03-24-2011 09:31 AM

LWN just published a comprehensive "Arch Linux and (the lack of) Package Signing" article (link provided). In the comments to that article, there is an evolving discussion of how some of these related issues affect Gentoo as well (at least according to some initial comments there). As I thought Gentoo handled this, I was surprised and learned more about this yet again. At any rate, good to see some press on this instead of censorship.

Telengard 03-24-2011 05:03 PM

@IgnorantGuru: The article does bring up some interesting points about how distros without package signing and automatic checking are vulnerable to certain attacks. Please remember though, that this thread is not intended to be a vehicle for attacking any specific distro. Rather I just hoped to get some discussion going on about the subject in general, and get some sense of how important others think it is.

IgnorantGuru 03-24-2011 05:17 PM

@Telengard
LWN's article is certainly hard-hitting and direct, but I wouldn't say they are attacking Arch. I think their priority is informing their subscribers of security issues. I will add that Arch has a lot done well, so I hope they take the criticism constructively.

I agree it is valuable to be aware of your distro's approach in this area and to consider how it does or doesn't suit your security needs. Each distro has its strengths as well as its problems, and each is evolving. Thanks for keeping the topic visible.

xspartan 04-04-2011 12:00 AM

Definitely package signing is important, especially on server systems. A man-in-the-middle attack is one of the things that could happen. Let's not forget that even sourceforge.net was attacked. Package signing will not make our systems 100% secure though. But I would never trust distros without package signing.

IgnorantGuru 04-04-2011 08:49 AM

Agreed. I recently moved from Arch to Aptosid because of this and related issues. Took me a few tries to find a suitable distro, but one advantage of Linux is there are lots of flavors to choose from. (Incidentally, since I'm no longer using Arch, someone else has agreed to maintain paccheck and has done some updates to it. Links are on the former paccheck page.)
