LinuxQuestions.org
View Poll Results: Is code signing important enough to worry about?
Critically important. I would not run a system with unsigned packages. 11 40.74%
Somewhat important. I'll use unsigned code if I have to. 11 40.74%
Not very important, but might be nice to have. 3 11.11%
Not at all. I don't need or want my distro to have signed packages. 0 0%
What is this about? I don't know or care. 2 7.41%
Voters: 27

Old 03-08-2011, 03:58 PM   #1
Telengard
Member
 
Registered: Apr 2007
Location: USA
Distribution: Kubuntu 8.04
Posts: 579
Blog Entries: 8

Rep: Reputation: 147
Package signing. Does it really matter?


First I read this:
http://www.webupd8.org/2010/06/linux...-for-year.html

Then I read this:
http://igurublog.wordpress.com/2011/...-notso-secret/

I'm not about to criticize any particular distro, especially one I've never used. It just seems to me that this affects all distros.

So does it matter? Why or why not? What's the worst that could happen?

Edits
Added a poll so you can answer with a quick click if that suits you.

Please no flaming any specific distro here. Should go without saying, but I'm not taking chances. This is about the merits (or lack) of package signing.

More detailed article about the ircd incident:
http://www.h-online.com/security/new...e-1020987.html

Altered the thread title to avoid confusion. This thread is about cryptographic signing of program packages, whether they be source code or compiled binaries, to prevent malicious tampering. The basic idea is that a set of hashes is used to verify another set of hashes which should originate from a trusted source. Usually the trusted source is either the original author of the program, or the packager who adds the program to the distribution's repositories, or every entity who handles the package from the programmer to the end user. Different distributions have different methods, and some make no use of package signing at all.

Last edited by Telengard; 03-10-2011 at 02:00 PM. Reason: accidental premature submission
 
Old 03-08-2011, 04:12 PM   #2
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 326
The worst that can happen is in your first link.
 
1 members found this post helpful.
Old 03-10-2011, 09:41 AM   #3
Peufelon
Member
 
Registered: Jul 2005
Posts: 164
Blog Entries: 1

Rep: Reputation: Disabled
Telengard, I completely agree with you: too little attention is paid to this issue by most distros. That becomes a huge problem when someone discovers that some package has in fact been tampered with maliciously. And there have been several instances where precisely that occurred, so it is simply idiotic not to ensure that installers autocheck a sha256 "hash" (or equivalent) before installing any package. Further, the file listing the "hashes" should be signed using GPG. That is how Debian does it. In my opinion, even this system represents the absolute minimum of acceptable practice.

Haven't used arch, not picking on arch. I think this is a problem with many distros, including some of the popular ones. And Debian has had some huge security lapses of its own from time to time. In my opinion, no-one should ever "rest easy" or assume that "no-one would take the time/effort to do that". In my opinion, people who make such assumptions are all too often putting their head in the sand.

On-line polls at forums like LQ are likely to be heavily skewed towards the viewpoint of the ostriches, since security conscious users are more likely to not even be able to see the poll, much less vote.

Last edited by Peufelon; 03-10-2011 at 09:48 AM.
 
1 members found this post helpful.
Old 03-10-2011, 09:57 AM   #4
orgcandman
Member
 
Registered: May 2002
Location: dracut MA
Distribution: Ubuntu; PNE-LE; LFS (no book)
Posts: 594

Rep: Reputation: 102
Just an FYI - Code Signing means something entirely different than Package signing. Google for Trusted Platform and Code Signing to see what I mean.

To be fair, I think arch is the exception, not the rule. Additionally, signing doesn't mean anything if the upstream sources have been tampered with (unreal ircd) - or some inexperienced/clueless developer decides to remove an uninitialized stack variable without knowing why (debian's openssl fiasco) it was there in the first place. It's all about trust - how much of it do you place in "that guy." While signing prevents someone from setting up their own mirror and serving "I patched coreutils with a trojan," it does nothing to prevent the first two. Heck, it doesn't even prevent "I'm gonna serve you an older package that I know is vulnerable but has been signed."

Additionally, signing means nothing once the trusted secret key is leaked (look at what just happened to Sony's PS3), or otherwise discovered. Once that happens, any "bad guy" can sign any package and serve it on their evil mirror.

Anyway, none of this is "new" information. EvilGrade has existed for a while now, and provides evil packages for a lot of different systems - even the "signed" MS Windows platform. It's all about user education and intelligence. A user that's been educated is by far a stronger security proponent than one who's never experienced being owned completely and thinks "Well, it's signed - it must be safe".
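Peufelon's description above (the installer checks a sha256 hash of every package, and the file listing the hashes is itself GPG-signed, as Debian does) and orgcandman's caveat that a signature cannot stop a mirror from serving an older, still-signed but vulnerable package, carried through as one added example. This is not code from the thread or from any distribution's tooling: the manifest layout mimics Debian's Release/Packages files but is constructed here, the package bytes and dates are made up, and because the Python standard library has no GnuPG binding the signature is textbook RSA over fixed toy-size primes (an assumption, and insecure) standing in for gpg --sign / gpg --verify. The Valid-Until check and the rollback check (remember the Date of the last accepted manifest and refuse anything older) are the client-side answer to the "old signed but vulnerable" case.

```python
"""Added example (not from the thread or any distribution): a Debian-style
verification chain.  A signed top-level manifest (Release) lists the hash of
the package index (Packages), which lists the hash of each package file; the
client checks signature, freshness, rollback, then each hash in turn."""
import hashlib
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Toy signature primitive standing in for gpg --sign / gpg --verify.
# Assumption: fixed Mersenne primes 2^89-1 and 2^107-1.  Textbook RSA at this
# size with no padding is NOT secure; it only lets the chain run offline.
_P, _Q, _E = (1 << 89) - 1, (1 << 107) - 1, 65537
_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
INDEX = "main/binary-amd64/Packages"   # path of the index inside the archive


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def toy_sign(data: bytes) -> int:
    """Archive-key holder signs the hash of the manifest bytes."""
    return pow(int(sha256_hex(data), 16) % _N, _D, _N)


def toy_verify(data: bytes, sig: int) -> bool:
    return pow(sig, _E, _N) == int(sha256_hex(data), 16) % _N


def parse_release(text: str):
    """Top-level manifest: 'Key: Value' fields plus an indented SHA256 list."""
    fields, hashes, in_sha = {}, {}, False
    for line in text.splitlines():
        if in_sha and line.startswith(" "):
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
            continue
        in_sha = line.startswith("SHA256:")
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields, hashes


def parse_packages(text: str):
    """Package index: stanzas of 'Key: Value' lines separated by blank lines."""
    stanzas = {}
    for block in text.strip().split("\n\n"):
        st = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            st[key.strip()] = value.strip()
        stanzas[st["Package"]] = st
    return stanzas


def verify_chain(release: bytes, sig: int, packages: bytes, deb: bytes,
                 name: str, now: datetime, last_seen: datetime) -> str:
    """Return 'ok' or the first failed check.  Order matters: nothing in the
    manifest is trusted before the signature, and a valid signature is still
    worthless if the manifest is stale (expired) or older than one already
    accepted (rollback: the 'old signed but vulnerable package' case)."""
    if not toy_verify(release, sig):
        return "bad-signature"
    fields, hashes = parse_release(release.decode())
    if now > parsedate_to_datetime(fields["Valid-Until"]):
        return "expired"
    if parsedate_to_datetime(fields["Date"]) < last_seen:
        return "rollback"
    digest, size = hashes[INDEX]
    if (sha256_hex(packages), len(packages)) != (digest, size):
        return "index-hash"
    st = parse_packages(packages.decode())[name]
    if (sha256_hex(deb), len(deb)) != (st["SHA256"], int(st["Size"])):
        return "package-hash"
    return "ok"


def build_repo(deb: bytes, date: datetime, valid_days: int = 7):
    """Constructed sample archive: index, manifest and signature for one .deb."""
    packages = (f"Package: hello\nVersion: 2.6-1\n"
                f"Filename: pool/main/h/hello/hello_2.6-1_amd64.deb\n"
                f"Size: {len(deb)}\nSHA256: {sha256_hex(deb)}\n").encode()
    release = (f"Date: {format_datetime(date)}\n"
               f"Valid-Until: {format_datetime(date + timedelta(days=valid_days))}\n"
               f"SHA256:\n {sha256_hex(packages)} {len(packages)} {INDEX}\n").encode()
    return release, toy_sign(release), packages


def demo() -> dict:
    """Run the chain against an honest mirror and several hostile ones."""
    t0 = datetime(2011, 3, 10, 12, 0, tzinfo=timezone.utc)   # constructed date
    deb = b"constructed sample package contents"
    rel, sig, pkgs = build_repo(deb, t0)
    day = timedelta(days=1)
    bad_index = pkgs.replace(b"2.6-1", b"2.6-2")      # index edited, Release untouched
    bad_release = b"X" + rel[1:]                      # manifest edited, signature stale
    return {
        "honest mirror": verify_chain(rel, sig, pkgs, deb, "hello", t0 + day, t0),
        "trojaned deb": verify_chain(rel, sig, pkgs, deb + b"!", "hello", t0 + day, t0),
        "edited index": verify_chain(rel, sig, bad_index, deb, "hello", t0 + day, t0),
        "edited manifest": verify_chain(bad_release, sig, pkgs, deb, "hello", t0 + day, t0),
        "stale manifest": verify_chain(rel, sig, pkgs, deb, "hello", t0 + 30 * day, t0),
        "replayed manifest": verify_chain(rel, sig, pkgs, deb, "hello", t0 + 2 * day, t0 + day),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} -> {result}")
```

Run it and the six cases print their verdicts. The design point is the order of checks: signature first, then Valid-Until and rollback, then the hash chain, so that a valid signature on a stale or replayed manifest is still rejected; swapping the toy RSA for a real gpg --verify call changes nothing else in the chain.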
 
Old 03-10-2011, 10:35 AM   #5
Peufelon
Member
 
Registered: Jul 2005
Posts: 164
Blog Entries: 1

Rep: Reputation: Disabled
Quote (originally posted by orgcandman):
Just an FYI - Code Signing means something entirely different than Package signing. Google for Trusted Platform and Code Signing to see what I mean.
Good point; thank you for pointing this out.

Quote (originally posted by orgcandman):
signing means nothing once the trusted secret key is leaked (look at what just happened to Sony's PS3), or otherwise discovered. Once that happens, any "bad guy" can sign any package and serve it on their evil mirror.
A similar point applies to Debian's package-signing keys (referring to GPG style digital signature): if the secret half of the Debian package-signing keypair is obtained by the (state-sponsored?) crooks... well, Debian changes its keys from time to time. Just to be safe, I presume.

Last edited by Peufelon; 03-10-2011 at 10:40 AM.
 
Old 03-10-2011, 10:35 AM   #6
timetraveler
Member
 
Registered: Apr 2010
Posts: 243
Blog Entries: 2

Rep: Reputation: 31
...no it doesn't really matter...

Ask any official distro "Where are the results of your security code audit?"
"The What?"

Or any audit for that matter. Most checkins are reviewed as diffs.
When I looked at that openssl problem in debian it sure looked to me like
someone knew exactly what they were doing. If I recall the diff looked rather
harmless. But real code review would have raised a red flag. Was the developer
"social engineered" to check that code in?


Linux kernel 2.37.3.tar.bz2 is 70 megabytes!!
Ask the kernel list where the security code audit is.

Signing using GPG doesn't mean anything either. Can you verify the entire chain?

SSL certs cost money because they are supposed to be backed and verified as legit.
You are paying for a chain of trust. You are not getting what you pay for.

Why don't we vote online? Because it's trivially corruptible and everyone knows it.
(It's trivially corruptible offline too when machines are used)

And furthermore you may (or may not) have noticed that the level of trust in
computer systems has gone all the way down to the hardware level and to the CPU.
And that's not far enough.

When quantum computers are available then what?
 
Old 03-10-2011, 10:43 AM   #7
Peufelon
Member
 
Registered: Jul 2005
Posts: 164
Blog Entries: 1

Rep: Reputation: Disabled
Quote:
When I looked at that openssl problem in debian it sure looked to me like
someone knew exactly what they were doing.
See the point I made in another current thread about state-sponsored attacks on "small fry" (distros, bulletin boards, networks, PCs) becoming increasingly common.

There have been rumors for a long time of numerous attempts by Chinese, US and other governments attempting to insert various kinds of "back doors" in popular "enterprise grade" linux distributions. Some of these are more credible than others, and some have been confirmed. The attempts I know about appear to have failed, but I have no doubt that they won't give up trying. They have a clear and ever increasing motivation to keep trying, and they will.

There are also persistent rumors (and maybe a bit more) concerning alleged "backdoors" in hardware, e.g. an undocumented and possibly exploitable "testing mode" in AMD CPUs, backdoors in popular routers...

I am also concerned about the enormous pressures which governments can bring to bear upon crucial individuals who play key roles inside open source projects like Debian or NoScript. Coercion is by no means limited to the present government of (western) Libya.

Quote:
Signing using GPG doesn't mean anything either. Can you verify the entire chain?
Another good point. The "web of trust" is widely understood to be a weak point of GPG style verification schemes, but if more users adopt GPG, I think this will no longer be such a gaping hole.

Quote:
SSL certs cost money because they are supposed to be backed and verified as legit.
You are paying for a chain of trust. You are not getting what you pay for.
Bruce Schneier likes to point out that companies like Verisign only insure each cert up to one hundred dollars US. That is absurdly lowballing the cost to companies which rely on these certs if they are stolen or forged. Which is known to be possible, and to occur.

Quote:
Why don't we vote online? Because it's trivially corruptible and everyone knows it.
We know better, but our governments often pretend not to. And to see what happens to citizens who protest against insecure evoting schemes, just search for a recent case which occurred in India.

Quote:
When quantum computers are available then what?
Julian Assange likes to point out that a large fraction of funding for American research on things like quantum computing comes from sources like the NSA and InQTel. The amerispooks (and their allies in the UK, Canada, New Zealand...) are simultaneously
  • thrilled at the prospect of using quantum computing to speed up the near real-time processing of the vast amounts of information they are sucking in, so that they can efficiently extract the proverbial needle from the haystack,
  • terrified that quantum cryptography may make it even harder for them to continue to exploit no-risk remote untraceable eavesdropping by full-on cryptography.

Espionage is inherently criminal, but for many decades certain agencies like NSA and GCHQ were somewhat insulated by exploiting expertise in activities less uncivilized than those traditionally employed by the CIA or the SAS. By no means everyone inside these agencies is overjoyed at the new emphasis on "social engineering" and attacking "political dissidents" inside their own countries. Many "Western" analysts are well read. They know that George Washington explicitly proscribed torture. And they cannot help seeing the logical inconsistency between harassing someone like Marlinspike or Appelbaum, while applauding the efforts of the political opposition in places like Libya and Burma. And they know that their masters are increasingly worried about their own employees, and by the prospect of the IT community turning against them.

Last edited by Peufelon; 03-10-2011 at 11:36 AM.
 
Old 03-10-2011, 11:48 AM   #8
timetraveler
Member
 
Registered: Apr 2010
Posts: 243
Blog Entries: 2

Rep: Reputation: 31
BTW...some say that quantum computers are already here.
Maybe quantum computing will set us free. No more secrets.
Or maybe it will chain us down.

Hardware exploits have been around for ever. (where forever == as soon as hardware came into being)
They can be anywhere. In your mouse, kb, bios, etc., etc.

But if you consider that tech. advances are part of our evolution then, like evolution, the
advances will break free and will no longer be contained. Then the true nature of our evolution
can proceed.
 
Old 03-10-2011, 01:43 PM   #9
Telengard
Member
 
Registered: Apr 2007
Location: USA
Distribution: Kubuntu 8.04
Posts: 579
Blog Entries: 8

Original Poster
Rep: Reputation: 147
Quote (originally posted by orgcandman):
Just an FYI - Code Signing means something entirely different than Package signing.
I'll change the OP to make it more clear that we are talking about packages.

Edit
Sadly it seems that I can't change the wording in the poll. I think the paragraph I added to the OP should cover things well enough though.

Last edited by Telengard; 03-10-2011 at 02:03 PM.
 
Old 03-17-2011, 12:41 PM   #10
IgnorantGuru
LQ Newbie
 
Registered: Feb 2011
Location: 11,000 feet
Posts: 14

Rep: Reputation: 12
Quote (originally posted by Peufelon):
I am also concerned about the enormous pressures which governments can bring to bear upon crucial individuals who play key roles inside open source projects like Debian or NoScript. Coercion is by no means limited to the present government of (western) Libya.
This is very true and you brought up a lot of key points (no pun intended). Ask yourself why most distros use a weaker form of cryptoloop instead of AES-loop. Good luck trying to get AES-loop working on Arch. Gentoo seems a bit better for it. The point of encryption is for it to be strong, not a toy. When Phil Zimmerman developed PGP, he did so at great personal expense. He knew that putting real encryption into the hands of civilians was vital to a free way of life (encryption isn't just about secrets, but exposing them via strong cryptographically supported anonymity, etc). The feds tried to put him behind bars for it for years after. I'm not sure his gift has been fully appreciated by the civilian world, but at least it's still around.

The security pressures on a distro come from many angles. Not everyone is concerned about govt spying, but the same 'plausible deniability' buffer overruns they use to open holes are the same ones exploited by others. If you're going to address security, you have to do it for real with the real tools, not just toys. Linux is the perfect environment for that in some ways, but only if the developers don't avoid their responsibilities. IOW sign your work - we trust you to an extent, you've proved the quality of your work, and that signature lets us know it's your authentic product. And use the best encryption algs in the distros - don't water down the booze.

Last edited by IgnorantGuru; 03-21-2011 at 11:04 PM.
 
3 members found this post helpful.
Old 03-24-2011, 09:31 AM   #11
IgnorantGuru
LQ Newbie
 
Registered: Feb 2011
Location: 11,000 feet
Posts: 14

Rep: Reputation: 12
LWN just published a comprehensive "Arch Linux and (the lack of) Package Signing" article (link provided). In the comments to that article, there is an evolving discussion of how some of these related issues affect Gentoo as well (at least according to some initial comments there). As I thought Gentoo handled this, I was surprised and learned more about this yet again. At any rate, good to see some press on this instead of censorship.
 
2 members found this post helpful.
Old 03-24-2011, 05:03 PM   #12
Telengard
Member
 
Registered: Apr 2007
Location: USA
Distribution: Kubuntu 8.04
Posts: 579
Blog Entries: 8

Original Poster
Rep: Reputation: 147
@IgnorantGuru: The article does bring up some interesting points about how distros without package signing and automatic checking are vulnerable to certain attacks. Please remember though, that this thread is not intended to be vehicle for attacking any specific distro. Rather I just hoped to get some discussion going on about the subject in general, and get some sense of how important others think it is.
 
Old 03-24-2011, 05:17 PM   #13
IgnorantGuru
LQ Newbie
 
Registered: Feb 2011
Location: 11,000 feet
Posts: 14

Rep: Reputation: 12
@Telengard
LWN's article is certainly hard-hitting and direct, but I wouldn't say they are attacking Arch. I think their priority is informing their subscribers of security issues. I will add that Arch has a lot done well, so I hope they take the criticism constructively.

I agree it is valuable to be aware of your distro's approach in this area and to consider how it does or doesn't suit your security needs. Each distro has its strengths as well as its problems, and each is evolving. Thanks for keeping the topic visible.
 
1 members found this post helpful.
Old 04-04-2011, 12:00 AM   #14
xspartan
Member
 
Registered: Feb 2011
Posts: 36

Rep: Reputation: 3
Definitely package signing is important, especially on server systems. A man-in-the-middle attack is one of the things that could happen. Let's not forget that even sourceforge.net was attacked. Package signing will not make our systems 100% secure though. But I would never trust distros without package signing.
 
1 members found this post helpful.
Old 04-04-2011, 08:49 AM   #15
IgnorantGuru
LQ Newbie
 
Registered: Feb 2011
Location: 11,000 feet
Posts: 14

Rep: Reputation: 12
Agreed. I recently moved from Arch to Aptosid because of this and related issues. Took me a few tries to find a suitable distro, but one advantage of Linux is there are lots of flavors to choose from. (Incidentally, since I'm no longer using Arch, someone else has agreed to maintain paccheck and has done some updates to it. Links are on the former paccheck page.)
 
Tags
cryptography, package management, security, signing