Subject: Re: signed binary pkgs [was: Re: BPG call for use cases]
To: Curt Sampson <cjs@cynic.net>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-security
Date: 07/22/2005 10:44:24
In message <Pine.NEB.4.62.0507221900560.15423@angelic.cynic.net>, Curt Sampson 
writes:
>On Fri, 22 Jul 2005, Hubert Feyrer wrote:
>
>> In the process of creating the +CONTENTS file from the PLIST (in pkg_create)
>> we calculate MD5 checksums of all files right now, so that may be a possible
>> point to add that signing.
>
>We should be using better hashes than MD5, these days. But yes, possibly
>just signing the +CONTENTS file would do the trick. On the other hand,
>it might be nice to have a generic way of signing archives--I've put in
>a use case for that.

If the hash is only being used to identify changed files for 
pkg_delete, MD5 is fine.  For security, you're quite right.
>
>> I think there's a difference if you sign every file in an archive, or the 
>> archive as a whole, and as such I'm not sure this approach is good enough.
>
>Well, let's do a security analysis of it. It would be nice to avoid
>having to ship around two separate files all the time.
>

Two issues occur to me.  First, what if there are extra files in the 
archive?  The contents list has to be defined to be complete.  Second, 
what about duplicate entries in the archive and contents file?  The 
semantics of that need to be defined and enforced.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
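
The two checks raised in the message above (the contents list must be complete, and duplicate entries must be rejected), sketched as an added example that is not part of the original thread or of pkg_install. Assumptions: the manifest is a simplified list of (path, SHA-256) pairs rather than the real +CONTENTS syntax, its signature has already been verified elsewhere, and the names `build_tar` and `check_archive` are hypothetical.

```python
import hashlib
import io
import tarfile
from collections import Counter


def build_tar(members):
    """Build an in-memory tar from (name, bytes) pairs; duplicates allowed."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def check_archive(tar_bytes, manifest):
    """Return a list of problems; an empty list means the archive matches.

    manifest: (path, sha256_hex) pairs from a contents list whose signature
    was already verified (assumed format, not the real +CONTENTS syntax).
    """
    counts = Counter(path for path, _ in manifest)
    problems = [f"duplicate manifest entry: {p}" for p in sorted(counts) if counts[p] > 1]
    expected = dict(manifest)
    seen = set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar:
            name = member.name
            if name in seen:  # second copy could overwrite the checked one
                problems.append(f"duplicate archive member: {name}")
            elif name not in expected:  # contents list must be complete
                problems.append(f"extra file not in manifest: {name}")
            elif not member.isfile():
                problems.append(f"not a regular file: {name}")
            elif hashlib.sha256(tar.extractfile(member).read()).hexdigest() != expected[name]:
                problems.append(f"hash mismatch: {name}")
            seen.add(name)
    problems += [f"missing from archive: {p}" for p in sorted(set(expected) - seen)]
    return problems


# Constructed sample package, not taken from any real pkg.
GOOD = [("bin/tool", b"tool v1\n"), ("man/tool.1", b".TH TOOL 1\n")]
MANIFEST = [(name, hashlib.sha256(data).hexdigest()) for name, data in GOOD]

if __name__ == "__main__":
    tampered = build_tar(GOOD + [("etc/rc.local", b"extra\n"), ("bin/tool", b"other\n")])
    print(check_archive(build_tar(GOOD), MANIFEST), check_archive(tampered, MANIFEST))
```

The check runs over the archive stream before anything is extracted, so a rejected package never touches the filesystem.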