LinuxQuestions.org - Slackware - slackpkg vs. third-party package repository
https://www.linuxquestions.org/questions/slackware-14/slackpkg-vs-third-party-package-repository-4175427364/

zerouno 12-27-2015 01:27 AM

The changelog.txt is always downloaded. It will never be cached. All other files in tds.net will be cached.

zerouno 12-27-2015 10:56 AM

I found a security bug in slackpkg/slackpkg+, but I'm not sure if I want/can/should/must fix it.


slackpkg+ is used also for ConnochaetOS.


It is not a problem, but the repository also contains a MODIFIED mirror of slackware-14.1 where the author has added some metadata (deps file).
Then he added his own GPG-KEY to sign the CHECKSUMS.md5
Code:

pub  4096R/132DCE57 2015-04-13 [expires: 2025-04-10]
uid                  Henry Jensen <hjensen@connochaetos.org>

Code:

$ gpg --import GPG-KEY
gpg: keyring `/home/casa/.gnupg/secring.gpg' created
gpg: key 132DCE57: public key "Henry Jensen <hjensen@connochaetos.org>" imported
gpg: Total number processed: 1
gpg:              imported: 1  (RSA: 1)
$ gpg --verify CHECKSUMS.md5.asc.1 CHECKSUMS.md5.5
gpg: Signature made Sun Dec 27 04:40:40 2015 CET using RSA key ID 132DCE57
gpg: Good signature from "Henry Jensen <hjensen@connochaetos.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5C85 5D80 250F DFE7 DC00  0DCB 5086 928C 132D CE57

But the packages are slackware original packages signed with the original signature:
Code:

$ wget https://connochaetos.org/slack-n-free/salix/i486/slackware-14.1/slackware/a/aaa_base-14.1-i486-1.txz
$ wget https://connochaetos.org/slack-n-free/salix/i486/slackware-14.1/slackware/a/aaa_base-14.1-i486-1.txz.asc
$ gpg --verify aaa_base-14.1-i486-1.txz.asc aaa_base-14.1-i486-1.txz
gpg: Signature made Tue Oct 15 00:17:37 2013 CEST using DSA key ID 40102233
gpg: Good signature from "Slackware Linux Project <security@slackware.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EC56 49DA 401E 22AB FA67  36EF 6A44 63C0 4010 2233

So in the repository there are .asc files not signed with the main GPG-KEY.
This is the first security bug. gpg --verify checks the signed file against all trusted keys.
I expect that in the slack-n-free repository I see ConnochaetOS packages only; instead I also see slackware packages (but I may also find alienbob/slacky/other packages, copied from the original repository).
Or slackpkg install should tell the user something about its authenticity (the subject of the key that signed the file), instead of telling him only about integrity.


Also, in the config example file the author suggests adding this repository to /etc/slackpkg/mirrors.
Now when I run slackpkg update gpg, it does not import the slackware gpg-key, so the installation/upgrade of slackware packages from that fake slackware repository will fail.

This is a functional bug AND the second (and I think the major) security bug, i.e. I can put in /etc/slackpkg/mirrors a mirror of slackware not signed with the original slackware signature.
When you start slackpkg, it does verify that the official slackware key is imported in the gnupg db
Code:

  SLACKKEY=${SLACKKEY:-"Slackware Linux Project <security@slackware.com>"}
[...]
        GPGFIRSTTIME="$(gpg --list-keys \"$SLACKKEY\" 2>/dev/null \
                        | grep -c "$SLACKKEY")"

but it does not verify that files are signed with that key
Code:

function checkgpg() {
        gpg --verify ${1}.asc ${1} 2>/dev/null && echo "1" || echo "0"
}

nor does slackpkg+ do that.

It is not a big security bug because even if a package is signed with a different key, the key was trusted in the gnupg store by the user.
In effect the question is not "how to fix?" but "do we need to fix?".

A fix could break some repository.

Note that ConnochaetOS is a SalixOS-based distribution.
Salix is based on the slapt-get package tool to manage dependencies, so it NEEDS a slackware repository with deps metadata.
The Salix official repository signs just the CHECKSUMS.md5 with the GPG-KEY; the packages are not signed (so you need to install them with slackpkg -checkgpg=off)


Any suggestions?

Alien Bob 12-27-2015 03:26 PM

Slackpkg was not created with multiple 3rd party support in mind, so the checkgpg function is pretty basic and seems to assume that slackpkg will only install Slackware packages and therefore a check against a specific GPG key is not needed.
However, slackpkg was also written to be extensible, which is why you were able to write your slackpkg+ extension.

I think that the checkgpg() function needs to be re-implemented (extended) as part of slackpkg+; the function should do a "gpg --verify" against the GPG key of the repository from which you are installing the package, and installation of the package should be aborted if the GPG check fails for the package.

This implies that all packages in a single repository need to be signed with a single GPG key.

ConnochaetOS apparently contains a mix of packages, from Slackware, Salix and from ConnochaetOS? That is not a good idea. The solution would be to offer multiple sub-repositories, each containing packages that have been signed with just a single GPG key.

Also, it would be good if any URL that gets added to the official "/etc/slackpkg/mirrors" file, contains ONLY packages signed with the Slackware GPG key. There must be no room for 3rd party repositories in the official "mirrors" file. This is to protect people against carelessness. If it would ever happen that a bogus Slackware repository with infected packages finds its way into the "mirrors" file and those packages get installed, we are screwed.

I think this extension to the checkgpg() function should be submitted back as a fix to slackpkg as well, because at this moment it gives a false sense of security.

zerouno 12-27-2015 07:01 PM

Quote:

I think this extension to the checkgpg() function should be submitted back as a fix to slackpkg as well, because at this moment it gives a false sense of security.
For slackpkg it should be sufficient
Code:

--- /usr/libexec/slackpkg/core-functions.sh    2015-12-16 08:01:12.000000000 +0100
+++ core-functions.sh  2015-12-28 01:31:18.760625970 +0100
@@ -508,7 +508,7 @@
 # Verify the GPG signature of files/packages
 #
 function checkgpg() {
-      gpg --verify ${1}.asc ${1} 2>/dev/null && echo "1" || echo "0"
+      gpg --verify ${1}.asc ${1} 2>&1|grep -q "Good signature from \"$SLACKKEY\"" && echo "1" || echo "0"
 }
 
 # Found packages in repository.
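Review bot: the replacement line in checkgpg() drops gpg's own exit status (the pipeline's result is grep's) and matches only the human-readable user ID, which, as the same post goes on to say, can be reproduced in another key. Keying the check on the fingerprint through gpg's machine-readable output is more robust, e.g. `gpg --status-fd 1 --verify "${1}.asc" "${1}" 2>/dev/null | grep -q "^\[GNUPG:\] VALIDSIG EC5649DA401E22ABFA6736EF6A4463C040102233"`; quoting "${1}" also keeps paths with spaces from splitting.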

That checks the subject of the key.
But it may be safer to check the fingerprint:
Code:

gpg --verify ${1}.asc ${1} 2>&1|grep -q "EC56 49DA 401E 22AB FA67  36EF 6A44 63C0 4010 2233" && echo "1" || echo "0"
because I can generate a gpg key with the same subject as the slackware key.
Note that this fingerprint is valid up to the year 2038.

Quote:

The ConnochaetOS apparently contains a mix of packages, from Slackware, Salix and from ConnochaetOS? That is not a good idea. The solution would be to offer multiple sub-repositories, each containing packages that have been signed with just a single GPG key.
No, ConnochaetOS contains 3 repositories:
https://connochaetos.org/slack-n-free/slack-n-free-14.1 -> contains ConnochaetOS-specific packages, all signed with the ConnochaetOS key
https://connochaetos.org/slack-n-free/salix/i486/14.1 -> contains a modified copy of the salix repository; salix does not sign every single package, so here there are only files signed with the ConnochaetOS key
https://connochaetos.org/slack-n-fre...slackware-14.1 -> contains a modified copy of the slackware repository; here all packages are signed with the official slackware key, but the CHECKSUMS.md5 is signed with the ConnochaetOS key.
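The fingerprint-keyed check sketched above, written out as an added example (not slackpkg or slackpkg+ code, and not from any post in this thread): it maps each repository to the primary-key fingerprint expected for it, reads gpg's `--status-fd` VALIDSIG line instead of the human-readable text, and fails closed for an unknown repository or for a different, even trusted, key. The repository names and the `status_lines` sample streams are constructed for this example; both fingerprints are the ones shown in this thread.

```shell
# Added example (not slackpkg/slackpkg+ code): a checkgpg-style check that
# requires the signing key's fingerprint to match the key expected for the
# repository. It reads gpg's machine-readable --status-fd output (VALIDSIG)
# instead of grepping the human-readable "Good signature from ..." text.

# Expected primary-key fingerprint per repository (both fingerprints appear in
# this thread; the repository names are this example's own assumption).
repo_fpr() {
  case "$1" in
    slackware)    echo "EC56 49DA 401E 22AB FA67  36EF 6A44 63C0 4010 2233" ;;
    connochaetos) echo "5C85 5D80 250F DFE7 DC00  0DCB 5086 928C 132D CE57" ;;
    *)            echo "" ;;
  esac
}

# Normalise a fingerprint for comparison: drop spaces, force upper case.
normfpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Read gpg status lines on stdin and print the primary-key fingerprint from the
# first VALIDSIG line (field 12; gpg versions that omit it give only the
# signing key's fingerprint in field 3). Prints nothing without a VALIDSIG.
sig_primary_fpr() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# $1 = repository name, stdin = gpg status output. Echo 1 only when a valid
# signature exists AND its key is the one expected for that repository;
# otherwise 0 (unknown repository, BADSIG, or a different but trusted key).
check_status() {
  local want got
  want=$(normfpr "$(repo_fpr "$1")")
  got=$(sig_primary_fpr)
  if [ -n "$want" ] && [ -n "$got" ] && [ "$got" = "$want" ]; then
    echo 1
  else
    echo 0
  fi
}

# Drop-in shape for checkgpg(): $1 = repository, $2 = file with $2.asc beside it.
checkgpg() {
  gpg --status-fd 1 --verify "$2.asc" "$2" 2>/dev/null | check_status "$1"
}

# Constructed gpg status stream for offline testing: $1 = long key ID,
# $2 = user ID, $3 = 40-hex primary fingerprint (date/time fields are dummies).
status_lines() {
  printf '[GNUPG:] GOODSIG %s %s\n' "$1" "$2"
  printf '[GNUPG:] VALIDSIG %s 2015-12-29 1451430000 0 4 0 17 2 00 %s\n' "$3" "$3"
}
```

With this shape, a file from the slackware mirror whose .asc was made with the ConnochaetOS key yields 0 even though that key is imported, which is the case described above.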

bamunds 12-28-2015 06:40 PM

Never mind, nothing to see here, just move along.

lems 12-29-2015 04:27 AM

Quote:

Originally Posted by zerouno (Post 5469703)
But more sure may be to check the fingerprint:
Code:

gpg --verify ${1}.asc ${1} 2>&1|grep -q "EC56 49DA 401E 22AB FA67  36EF 6A44 63C0 4010 2233" && echo "1" || echo "0"
because I can generate a gpg key with the same subject as the slackware key.
Note that this fingerprint is valid up to the year 2038.

Keep in mind that SlackwareARM uses a different key.

zerouno 12-29-2015 04:34 AM

Yes, it was a draft to give an idea.

phenixia2003 12-29-2015 09:59 AM

Hello,

Quote:

Originally Posted by Alien Bob (Post 5469635)
I think that the checkgpg() function needs to be re-implemented (extended) as part of slackpkg+; the function should do a "gpg --verify" against the GPG key of the repository from which you are installing the package, and installation of the package should be aborted if the GPG check fails for the package.

This implies that all packages in a single repository need to be signed with a single GPG key.

Here is a (beta) patch which implements that:

Code:

--- slackpkgplus.sh.orig        2015-12-29 16:49:57.066470655 +0100
+++ slackpkgplus.sh        2015-12-29 17:03:13.715506202 +0100
@@ -286,6 +286,7 @@
        fi
        if [ $? -eq 0 ];then
          gpg --import $2-tmp
+          gpg --output "${WORKDIR}/${PREPO}-GPG-KEY.gpg" --dearmor $2-tmp
        else
          echo
          echo "                  !!! W A R N I N G !!!"
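Review bot: the added `--output "${WORKDIR}/${PREPO}-GPG-KEY.gpg" --dearmor` line never removes a previous keyring file first, and gpg does not silently overwrite an existing --output file, so a second `slackpkg update gpg` can stall on a prompt or leave a stale keyring in place; `rm -f` the target before dearmoring and check gpg's exit status.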
@@ -309,7 +310,17 @@
      return
    fi
    if [ -e "${1}.asc" ];then
-      gpg --verify ${1}.asc ${1} 2>/dev/null && echo "1" || echo "0"
+
+      PKGNAME=$(basename ${1})
+      REPO=$(grep -m 1 " ${PKGNAME%.*} " ${TMPDIR}/pkglist | cut -f1 -d" " | sed "s/SLACKPKGPLUS_//")
+
+      if [ ! -z "$REPO" ] && [ -e "${WORKDIR}/${REPO}-GPG-KEY.gpg" ] ; then
+        gpg        --no-default-keyring \
+                      --keyring ${WORKDIR}/${REPO}-GPG-KEY.gpg \
+                      --verify ${1}.asc ${1} 2>/dev/null && echo "1" || echo "0"
+      else
+        gpg --verify ${1}.asc ${1} 2>/dev/null && echo "1" || echo "0"
+      fi
    else
      echo 1
    fi
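Review bot: the `else` branch of the new checkgpg() falls back to `gpg --verify` against the default keyring when no repository keyring is found, which is exactly the any-trusted-key behaviour this thread set out to remove; it should echo 0 (and say which repository could not be resolved) rather than silently accept. The lookup `grep -m 1 " ${PKGNAME%.*} " ${TMPDIR}/pkglist` also only resolves package files, so CHECKSUMS.md5 and other metadata always take that fallback.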

--
SeB

zerouno 12-29-2015 04:49 PM

Thank you. I was writing a similar patch that writes keyids/repository to a file, then --verify does a grep on the output.
But your solution is better.
I'm testing it.

n.b.: I just committed to the devel branch.
No functionality touched, but I just resorted/reindented the code and moved zdialogplus.sh into slackpkgplus.sh (so slackpkgplus is just one file)
Your patch works but with a 280-line offset

zerouno 12-29-2015 05:29 PM

Quote:

Originally Posted by zerouno (Post 5470584)
n.b.: I just committed to the devel branch.
No functionality touched, but I just resorted/reindented the code and moved zdialogplus.sh into slackpkgplus.sh (so slackpkgplus is just one file)

commit reverted!!
I'm sorry

[edit] ok, recommitted.

zerouno 12-30-2015 01:32 PM

I added something to your patch. (needs further testing)


Code:

--- a/src/slackpkgplus.sh
+++ b/src/slackpkgplus.sh
@@ -551,6 +551,12 @@ if [ "$SLACKPKGPLUS" = "on" ];then
      done
    fi
    if [ $(basename $1) = "GPG-KEY" ];then
+      mkdir -p ${WORKDIR}/gpg
+      gpg $2
+      for PREPO in $(echo ${PRIORITY[*]}|sed 's/SLACKPKGPLUS_[^ ]*//g');do
+        rm -f "${WORKDIR}/gpg/GPG-KEY-${PREPO}.gpg"
+        gpg --output "${WORKDIR}/gpg/GPG-KEY-${PREPO}.gpg" --dearmor $2
+      done
      for PREPO in ${REPOPLUS[*]};do
        if [ "${PREPO:0:4}" = "dir:" ];then
          continue
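Review bot: `gpg $2` runs gpg with no explicit command on the key file, leaving gpg to guess the action and print to the terminal; state the intent (for example `gpg --with-fingerprint "$2"`) and quote "$2". The loop then writes the same Slackware key as `GPG-KEY-${PREPO}.gpg` for every non-SLACKPKGPLUS_ entry in PRIORITY; that is deliberate, since checkgpg() later picks `GPG-KEY-slackware64.gpg` by name, but it deserves a comment.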
@@ -562,10 +568,14 @@ if [ "$SLACKPKGPLUS" = "on" ];then
        elif echo $URLFILE |grep -q "^dir:/";then
          continue
        else
+          echo
          $DOWNLOADER $2-tmp ${MIRRORPLUS[${PREPO/SLACKPKGPLUS_}]}GPG-KEY
        fi
        if [ $? -eq 0 ];then
+          gpg $2-tmp
          gpg --import $2-tmp
+          rm -f "${WORKDIR}/gpg/GPG-KEY-${PREPO}.gpg"
+          gpg --output "${WORKDIR}/gpg/GPG-KEY-${PREPO}.gpg" --dearmor $2-tmp
        else
          echo
          echo "                  !!! W A R N I N G !!!"
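Review bot: inside `if [ $? -eq 0 ]` the previous `GPG-KEY-${PREPO}.gpg` is removed before the new `--dearmor` is attempted, so if the download returned something that is not an armored key (an HTML error page, for instance) the repository is left with no keyring and every later verification falls into the "No matching GPG-KEY" path; dearmor to a temporary file and replace the old keyring only when that succeeds. The unquoted, command-less `gpg $2-tmp` call from the earlier hunk is repeated here.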
@@ -577,6 +587,7 @@ if [ "$SLACKPKGPLUS" = "on" ];then
          sleep 5
        fi
        rm $2-tmp
+        echo
      done
    fi
  } # END function getfile()
@@ -584,12 +595,38 @@ if [ "$SLACKPKGPLUS" = "on" ];then
    # override slackpkg checkgpg()
    # new checkgpg() is used to check gpg and to merge the CHECKSUMS.md5 files
  function checkgpg() {
+    local FILENAME
+    local REPO
+
    if echo $1|egrep -q "/SLACKPKGPLUS_(file|dir|http|ftp|https)[0-9]";then
      echo 1
      return
    fi
    if [ -e "${1}.asc" ];then
-      gpg --verify ${1}.asc ${1} 2>/dev/null && echo "1" || echo "0"
+
+      FILENAME=$(basename ${1})
+      if [ "$FILENAME" == "CHECKSUMS.md5" ];then
+        REPO=slackware
+        [ -e "${WORKDIR}/gpg/GPG-KEY-slackware64.gpg" ]&&REPO=slackware64
+      elif [ ${FILENAME:0:13} == "CHECKSUMS.md5" ];then
+        REPO=$(echo $FILENAME|cut -f2 -d-|sed 's/\.gz$//')
+      else
+        #REPO=$(grep -m 1 " ${FILENAME.*} " ${TMPDIR}/pkglist | cut -f1 -d" " | sed "s/SLACKPKGPLUS_//")
+        REPO=$(echo $1|sed -r -e "s,^$TEMP,/," -e "s,/\./,/,g" -e "s,//,/,g" -e "s,^/,," -e "s,/.*$,," -e "s,SLACKPKGPLUS_,,")
+      fi
+
+      if [ ! -z "$REPO" ] && [ -e "${WORKDIR}/gpg/GPG-KEY-${REPO}.gpg" ] ; then
+        echo "Using GPG-KEY-${REPO}.gpg" >&2
+        gpg  --no-default-keyring \
+        --keyring ${WORKDIR}/gpg/GPG-KEY-${REPO}.gpg \
+        --verify ${1}.asc ${1} 2>/dev/null && echo "1" || echo "0"
+      else
+        echo "No matching GPG-KEY for repository '$REPO' checking $FILENAME" >&2
+        echo "Try to run 'slackpkg update gpg' or 'slackpkg -checkgpg=off $CMD ...'" >&2
+        echo "No matching GPG-KEY for repository '$REPO' checking $FILENAME" >>$TMPDIR/error.log
+        echo "Try to run 'slackpkg update gpg' or 'slackpkg -checkgpg=off $CMD ...'" >>$TMPDIR/error.log
+        echo 0
+      fi
    else
      echo 1
    fi
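Review bot: the commented-out `#REPO=$(grep ... ${FILENAME.*} ...)` line carries a typo (`${FILENAME.*}` for `${FILENAME%.*}`) and should be fixed or dropped rather than left as dead code. In the `elif` branch, `cut -f2 -d-` on a name without a dash returns the whole name, so a file such as `CHECKSUMS.md5.gz` resolves to REPO=`CHECKSUMS.md5` and hits the "No matching GPG-KEY" error; guard that case explicitly. The fail-closed `echo 0` in the final `else` is the right choice and removes the any-trusted-key fallback of the earlier patch.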


zerouno 12-30-2015 03:24 PM

I made an additional tool (currently not slackpkg+-dependent) to generate a CHECKSUMS.md5.log every time you run slackpkg update

Code:

Wed Dec 30 22:11:28 CET 2015
----------------------------------
Removed: 3b3d33618da6f78fec64e9c7b177d443  ./SLACKPKGPLUS_slackpkgplus/pkg/slackpkg+-1.6.1-noarch-4mt.txz
Added: 29f994f3d4d259887763085b4312d35f  ./SLACKPKGPLUS_slackpkgplus/pkg/slackpkg+-1.6.1-noarch-5mt.txz
Removed: 6a60411afa4089456522dffa75ceed3d  ./slackware/a/aaa_elflibs-14.1-i486-2.txz
Added: 02e2ccc09e98a0b60d5a6cc2b5325ecd  ./slackware/a/aaa_elflibs-14.1-i486-3.txz
==================================
Wed Dec 30 22:09:45 CET 2015
----------------------------------
Added: 6a60411afa4089456522dffa75ceed3d  ./SLACKPKGPLUS_slackpkgplus/pkg/slackpkg+-1.6.1-noarch-4mt.txz
Added: 0756b78efce72f71762a22dc44662623  ./extra/aspell-word-lists/aspell-af-0.50_0-noarch-4.txz
Added: dcb73b357132fa41ca9713ce733cd46e  ./extra/aspell-word-lists/aspell-am-0.03_1-noarch-4.txz
Added: ac5a793ea0daa521d39b50bfc5898348  ./extra/aspell-word-lists/aspell-az-0.02_0-noarch-4.txz
Added: 8c2bdaaa211e967904b28031250e541c  ./extra/aspell-word-lists/aspell-be-0.01-noarch-4.txz
...
...

it is very, very embryonic


put it in /usr/libexec/slackpkg/functions.d/zchangelog.sh
Code:

test -n "$(declare -f cleanup)" || return
# $_ holds the definition of cleanup() just printed by declare -f; re-evaluate
# it under the name cleanup_orig so the original can still be called at the end.
eval "${_/cleanup/cleanup_orig}"

function cleanup(){
  if [ "$CMD" == "update" ];then
    # first run: create the reference copy and the log
    if [ ! -e "$WORKDIR/CHECKSUMS.md5.copy" ];then
      touch $WORKDIR/CHECKSUMS.md5.copy
      touch $WORKDIR/CHECKSUMS.md5.log
      touch $WORKDIR/CHECKSUMS.md5
    fi
    # only when this update downloaded a newer CHECKSUMS.md5
    if [ $WORKDIR/CHECKSUMS.md5 -nt $WORKDIR/CHECKSUMS.md5.copy ];then
      mv $WORKDIR/CHECKSUMS.md5.log $WORKDIR/CHECKSUMS.md5.log.old
      # keep only package entries, sorted by path, so the diff is stable
      grep "\.t.z$" $WORKDIR/CHECKSUMS.md5 |sort -k2 >$WORKDIR/CHECKSUMS.md5.tmp
      date > $WORKDIR/CHECKSUMS.md5.log
      echo "----------------------------------" >> $WORKDIR/CHECKSUMS.md5.log
      diff $WORKDIR/CHECKSUMS.md5.copy $WORKDIR/CHECKSUMS.md5.tmp |grep -e "^>" -e "^<"| sed -e 's/^>/Added:/' -e 's/^</Removed:/' >> $WORKDIR/CHECKSUMS.md5.log
      # if nothing changed the separator is still the last line: drop this entry
      if ! tail -1 $WORKDIR/CHECKSUMS.md5.log|grep -q -- --------- ;then
        echo "==================================" >> $WORKDIR/CHECKSUMS.md5.log
      else
        >$WORKDIR/CHECKSUMS.md5.log
      fi
      # newest entry first, older entries appended below it
      cat $WORKDIR/CHECKSUMS.md5.log.old >> $WORKDIR/CHECKSUMS.md5.log
      rm $WORKDIR/CHECKSUMS.md5.log.old
      mv $WORKDIR/CHECKSUMS.md5.tmp $WORKDIR/CHECKSUMS.md5.copy
    fi
  fi
  cleanup_orig
}


bamunds 12-30-2015 09:33 PM

I'm seeing some weird slackpkg+ response, with "grep:write error" and "grep: write error: Broken pipe" when attempting to install-new or upgrade-all if nothing is found. Then eventually when a package is found to install or upgrade the ncurses screen is appearing. Do I need to again revert to -3mt? Is anyone else seeing this behavior? I'm running Slackware 64 v14.1 with Multilib and KTOWN. Thanks

mlangdn 12-31-2015 08:09 AM

I did not see this with install-new, but I do have 2 options for upgrade that I won't upgrade. One is a MPlayer that I custom built, the other is an older ffmpeg for the custom MPlayer.

zerouno 12-31-2015 08:12 AM

@bamunds
Please run
bash -x slackpkg install-new
and attach the output
