Subject: Re: signed binary pkgs [was: Re: BPG call for use cases]
To: Todd Vierling <tv@duh.org>
From: Curt Sampson <cjs@cynic.net>
List: tech-security
Date: 07/26/2005 03:48:41
On Mon, 25 Jul 2005, Todd Vierling wrote:
> If a package signature were placed as the first entry in the tarball, it
> should be possible using a tar library (do we do this yet?) to verify while
> extracting, and simply stop dead and nuke any extracted files if an
> unverifiable entry is encountered in the stream.
There are two issues I see with this, though I don't know if they're
important enough that we want to give up "single-pass" functionality.
1. If we extract, then nuke when we discover an error, we wipe out
any files that existed before we started the extraction.
2. Creating a signed archive can't be done with an append operation
on an existing archive. Though now that I think about it, since you
could just write a new signed archive (except, ironically enough,
not if the input is streamed to you), this is probably no big deal
at all.
Come to think of it, if we're going to nuke anyway, we have to remember
what to nuke, so doing the checks at the end (assuming we know in
advance what hash scheme(s) we're going to encounter at the end) is also
potentially possible.
I wonder what the consequences are of allowing the signature file to be
either at the head or the tail? Increased complexity, for a start, which
is certainly one blow against it.
What I suppose I'm liking best at this point, in terms of simplicity, is:
1. In a "generic signed archive," the first file in the archive is a
list of hashes for all of the following files, in order. More than
one hash may be provided for each file. This file will be signed,
with a copy of the signing key included in it. (This latter point
is so that the file can act as, essentially, a strong hash of the
archive even if the certificate can't be trusted--this protects
against accidental corruptions.)
2. It is an error for files to be in the archive but not in the
signed list of hashes.
3. The first file will have a defined name, as well as an easily
recognisable format. If the first file in an archive has that name
but is not in a recognisable format, or does not have a valid
signature, the archive will be declared to be corrupt.
It seems to me that this could work for tar, cpio, pax, ZIP, whatever.
Is there anything it's missing that pkgsrc would need? (I don't see the
need for hashes for files created by scripts in the archive, since those
scripts will be verified with hashes.)
cjs
--
Curt Sampson <cjs@cynic.net> +81 90 7737 2974 http://www.NetBSD.org
Make up enjoying your city life...produced by BIC CAMERA
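As an added illustration of the "generic signed archive" sketched in the message above (example code written for this page, not code from this thread, from pkgsrc or from NetBSD), the following Python builds an archive whose first entry is a signed list of hashes and verifies it in a single streaming pass: the first entry must carry the defined name and be in a recognisable format with a valid signature (point 3), each later entry is checked against the list in order and any entry not in the list is rejected (point 2), and more than one hash per file is carried (point 1). It also addresses the first objection raised above by extracting into a staging directory and committing only once the whole archive has verified, so files that existed before extraction are never wiped. Everything specific is an assumption of this example: the entry name SIGNED-MANIFEST, the JSON layout of the list, the sha256/sha512 pair, and an HMAC under a shared key standing in for the asymmetric signature (a real design would embed the public key, as point 1 suggests). The unlisted-entry, path-safety and "listed but missing" checks are this example's additions, not something the message specifies.

```python
import hashlib, hmac, io, json, os, shutil, tarfile, tempfile

MANIFEST_NAME = "SIGNED-MANIFEST"    # assumed: the defined name of the first entry
HASH_ALGS = ("sha256", "sha512")     # assumed: more than one hash listed per file


class ArchiveError(Exception): "Raised whenever the archive must be declared corrupt."


def sign_manifest(body: bytes, key: bytes) -> bytes:
    # Stand-in for the real signature: HMAC under a shared key (a deployed scheme
    # would use an asymmetric signature and embed the public key in the manifest).
    return hmac.new(key, body, "sha256").digest()


def _digests(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in HASH_ALGS}


def build_signed_archive(files, key: bytes, unlisted=()) -> bytes:
    """files: ordered (name, bytes) pairs. The signed manifest goes first and lists
    every file in order; `unlisted` entries are appended but kept out of it."""
    manifest = json.dumps({"files": [{"name": n, **_digests(d)} for n, d in files]},
                          sort_keys=True).encode()
    first = json.dumps({"manifest": manifest.decode(),
                        "sig": sign_manifest(manifest, key).hex()}).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in [(MANIFEST_NAME, first), *files, *unlisted]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _parse_manifest(raw: bytes, key: bytes) -> list:
    """Recognisable format and a valid signature, or the archive is corrupt."""
    try:
        wrapper = json.loads(raw)
        body, sig = wrapper["manifest"].encode(), bytes.fromhex(wrapper["sig"])
        listed = json.loads(body)["files"]
        ok = isinstance(listed, list) and all(
            isinstance(e, dict) and "name" in e and all(a in e for a in HASH_ALGS) for e in listed)
    except (ValueError, KeyError, TypeError, AttributeError):
        ok = False
    if not ok:
        raise ArchiveError("manifest not in a recognisable format")
    if not hmac.compare_digest(sign_manifest(body, key), sig):
        raise ArchiveError("manifest signature invalid")
    return listed


def verify_and_extract(tar_bytes: bytes, key: bytes, dest: str) -> list:
    """One streaming pass ('r|' never seeks back): verify the manifest, then check
    every later entry against it as it streams by. Files are staged and committed
    to `dest` only once the whole archive verifies, so pre-existing files survive."""
    staging = tempfile.mkdtemp(prefix="signed-archive-")
    listed, seen = None, []
    try:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r|") as tf:
            for idx, member in enumerate(tf):
                if idx == 0:
                    if member.name != MANIFEST_NAME:
                        raise ArchiveError("first entry is not the signed manifest")
                    listed = _parse_manifest(tf.extractfile(member).read(), key)
                    continue
                parts = member.name.split("/")
                if not member.isreg() or parts[0] == "" or ".." in parts:
                    raise ArchiveError(f"unsafe or unsupported entry: {member.name}")
                pos = idx - 1
                if pos >= len(listed) or listed[pos]["name"] != member.name:
                    raise ArchiveError(f"entry not in signed list: {member.name}")
                data = tf.extractfile(member).read()
                if _digests(data) != {a: listed[pos][a] for a in HASH_ALGS}:
                    raise ArchiveError(f"hash mismatch: {member.name}")
                path = os.path.join(staging, member.name)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
                seen.append(member.name)
        if listed is None or len(seen) != len(listed):
            raise ArchiveError("archive ended before every listed file was seen")
        shutil.copytree(staging, dest, dirs_exist_ok=True)   # commit only on success
        return seen
    finally:
        shutil.rmtree(staging, ignore_errors=True)


def demo() -> dict:
    """Constructed sample run: a good archive, then two that must be refused."""
    key, dest = b"constructed-example-key", tempfile.mkdtemp(prefix="signed-dest-")
    files = [("bin/hello", b"#!/bin/sh\necho hello\n"), ("share/doc/README", b"signed test\n")]
    good = build_signed_archive(files, key)
    cases = [("tampered", good.replace(b"echo hello", b"echo HELLO")),   # same length
             ("smuggled", build_signed_archive(files, key, [("bin/extra", b"x\n")]))]
    open(os.path.join(dest, "preexisting"), "w").close()   # must survive failed extracts
    out = {"good": verify_and_extract(good, key, dest)}
    for label, blob in cases:
        try:
            out[label] = verify_and_extract(blob, key, dest) and "accepted"
        except ArchiveError as e:
            out[label] = str(e)
    out["preexisting_survived"] = os.path.exists(os.path.join(dest, "preexisting"))
    out["hello_intact"] = open(os.path.join(dest, "bin/hello"), "rb").read() == files[0][1]
    shutil.rmtree(dest, ignore_errors=True)
    return out
```

Calling `demo()` installs the good archive, then shows the tampered copy failing on `bin/hello`'s hash and the appended `bin/extra` being refused as unlisted, with the file created beforehand and the previously installed `bin/hello` both untouched. Opening the tar in `r|` mode is deliberate: tarfile raises if the verifier ever tries to seek backwards, which keeps the single-pass claim honest.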