Bug 472594 - Checking upstream gpg signatures for distfiles
Summary: Checking upstream gpg signatures for distfiles
Status: RESOLVED FIXED
Product: Portage Development
Component: Enhancement/Feature Requests
Hardware: All Linux
Importance: Normal normal
Assignee: Portage team
Duplicates: 598589
Reported: 2013-06-07 15:21 UTC by Franz Schrober
Modified: 2022-03-16 01:08 UTC

Description Franz Schrober 2013-06-07 15:21:44 UTC
I scanned quickly over GLEP 57-61 and noticed that it only tackles Gentoo's inner security and doesn't deal with the upstream -> Gentoo process (a.k.a. a Gentoo dev preparing the ebuild and, in this process, generating the strong hashes). It seems to be a good idea to provide an easy way for the Gentoo dev to check whether his upstream provided a tarball with verified authenticity and integrity.

The problem is that from time to time some of the upstream tarball distribution servers are compromised and files are replaced with slightly modified versions which contain backdoors. Without an easy strategy, such attacks might go undetected by the Gentoo dev and therefore get inserted into the Gentoo mirror system and from there into the user's system.

Here is a bug report which should explain the strategy of Debian and Ubuntu (the first one was too complex and was replaced with an easier approach that is now implemented): http://bugs.debian.org/610712
Comment 1 Franz Schrober 2013-06-07 15:47:43 UTC
Here is some info from the Arch people:

http://allanmcrae.com/2012/04/how-secure-is-the-source-code/
Comment 2 Franz Schrober 2013-06-07 17:48:33 UTC
Here are some bits from the openSUSE guys: http://lists.opensuse.org/opensuse-factory/2012-12/msg00235.html
Comment 3 Zac Medico gentoo-dev 2013-06-08 21:10:22 UTC
We can store the upstream key information in the package's metadata.xml file.
Comment 4 Ulrich Müller gentoo-dev 2016-10-30 22:07:48 UTC
*** Bug 598589 has been marked as a duplicate of this bug. ***
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-11-22 18:35:31 UTC
(In reply to Zac Medico from comment #3)
> We can store the upstream key information in the package's metadata.xml file.

Isn't it the responsibility of package maintainers to check this when updating a package to begin with, rather than something that should be implemented technically? Keys change, and the method of verification can differ between packages (a signed text document containing SHA256 sums vs. a detached signature vs. an inline binary signature, etc.).

Any technical solution to this is likely more complex than necessary for what should be checked to begin with.
Comment 6 Zac Medico gentoo-dev 2016-11-22 19:41:47 UTC
(In reply to Kristian Fiskerstrand from comment #5)
> Any technical solution to this is likely more complex than necessary for
> what should be checked to begin with.

Yeah, maybe if there were some sort of cross-distro verification standard available. It seems like it would require a lot of cooperation with upstream projects in order to be really practical. It would be interesting to see statistics on how many actually provide signatures for their release files.
Comment 7 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-11-22 20:50:48 UTC
(In reply to Zac Medico from comment #6)
> (In reply to Kristian Fiskerstrand from comment #5)
> > Any technical solution to this is likely more complex than necessary for
> > what should be checked to begin with.
> 
> Yeah, maybe if there were some sort of cross-distro verification standard
> available. It seems like it would require a lot of cooperation with upstream
> projects in order to be really practical. It would be interesting to see
> statistics on how many actually provide signatures for their release files.

Might make sense to document a preference in the devmanual, but sadly quite a few projects do not provide OpenPGP signatures, and plenty of devs do not properly validate the keys used for the signatures, rendering it a bit moot to begin with. But I believe it is a social issue and not a technical one.
Comment 8 Sam James gentoo-dev 2022-03-16 01:08:34 UTC
I think this is essentially done with the verify-sig eclass.
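As an added illustration of the two verification styles named in comment 5 (a detached OpenPGP signature over the tarball, and a signed text document listing SHA256 sums) and of the kind of check the verify-sig eclass mentioned in comment 8 performs, here is example code. It is not code from Portage, the verify-sig eclass, or anyone in this thread. The point it makes is the practitioner's caveat behind comment 7: "gpg exited 0" is not a verdict. In a throwaway keyring with --trust-model always, any key that was imported yields GOODSIG, so the decision has to require a VALIDSIG line whose primary-key fingerprint (the last field GnuPG 2.x reports there) matches a pinned fingerprint, and must treat EXPKEYSIG/REVKEYSIG as failures. Every fingerprint, status line, file name and manifest below is a constructed sample; the gpg flags used in verify_detached (--homedir, --batch, --import, --status-fd, --trust-model, --verify) are standard GnuPG options, but that function needs a gpg binary and is not exercised by the samples.

```python
"""Added example (not Portage, verify-sig or thread code): distfile verification
decisions on top of gpg's exit status. All samples below are constructed."""
import hashlib
import hmac
import subprocess
import tempfile
from dataclasses import dataclass
from typing import Optional, Set

# Status keywords that make a signature unacceptable whatever else gpg prints.
FATAL_STATUS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    primary_fpr: Optional[str] = None


def _norm(fpr: str) -> str:
    return fpr.replace(" ", "").upper()


def check_gpg_status(status_text: str, pinned_fprs: Set[str]) -> Verdict:
    """Judge a signature from gpg --status-fd lines: require GOODSIG plus a
    VALIDSIG whose primary-key fingerprint is pinned; reject expired/revoked keys."""
    pinned = {_norm(f) for f in pinned_fprs}
    seen_good, primary, fatal = False, None, []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in FATAL_STATUS:
            fatal.append(keyword)
        elif keyword == "GOODSIG":
            seen_good = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <reserved> <pk-algo>
            #          <hash-algo> <class> [<primary-fpr>]
            # <fpr> is the signing (sub)key; pin the primary key when reported.
            primary = _norm(fields[11] if len(fields) >= 12 else fields[2])
    if fatal:
        return Verdict(False, "gpg reported " + ",".join(fatal))
    if not (seen_good and primary):
        return Verdict(False, "no GOODSIG/VALIDSIG pair in gpg output")
    if primary not in pinned:
        return Verdict(False, "signed by a key that is not pinned", primary)
    return Verdict(True, "signature from pinned key", primary)


def verify_detached(key_file: str, sig_path: str, data_path: str,
                    pinned_fprs: Set[str]) -> Verdict:
    """Run gpg in a fresh --homedir (no user keyring, no web of trust) holding
    only the pinned upstream key, then judge its status output. Needs gpg."""
    with tempfile.TemporaryDirectory() as home:
        base = ["gpg", "--homedir", home, "--batch", "--quiet"]
        subprocess.run(base + ["--import", key_file], check=True, capture_output=True)
        proc = subprocess.run(base + ["--status-fd", "1", "--trust-model", "always",
                                      "--verify", sig_path, data_path],
                              capture_output=True, text=True)
        return check_gpg_status(proc.stdout, pinned_fprs)


def verify_sha256sums(manifest_text: str, filename: str, data: bytes) -> Verdict:
    """Match a distfile against a sha256sum-format document whose signature was
    already checked: '<64 hex>  <name>' lines, '*' before the name = binary mode."""
    want = None
    for line in manifest_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # blank, comment or malformed line
        if parts[1].strip().lstrip("*") == filename:
            want = parts[0].lower()
    if want is None:
        return Verdict(False, f"{filename} is not listed in the signed manifest")
    got = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(got, want):
        return Verdict(False, "digest mismatch: tarball is not what upstream signed")
    return Verdict(True, "digest matches the signed manifest")


# Constructed samples: fake fingerprints, fake release, sha256("abc") as a stand-in digest.
PINNED = {"AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333"}
SUBKEY = "1111222233334444555566667777888899990000"
_VALIDSIG = f"[GNUPG:] VALIDSIG {SUBKEY} 2023-01-01 1672531200 0 4 0 22 8 00 "
STATUS_GOOD = ("[GNUPG:] GOODSIG FFFF000011112222 Example Upstream <release@example.org>\n"
               + _VALIDSIG + "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333\n"
               "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")
STATUS_EXPIRED = STATUS_GOOD.replace("GOODSIG", "EXPKEYSIG")
STATUS_OTHER_KEY = STATUS_GOOD.replace("AAAABBBB", "DEADBEEF")
TARBALL = b"abc"
MANIFEST = ("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  foo-1.0.tar.gz\n"
            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *foo-1.0.tar.gz.sig\n")

if __name__ == "__main__":
    for status in (STATUS_GOOD, STATUS_EXPIRED, STATUS_OTHER_KEY):
        print(check_gpg_status(status, PINNED))
    print(verify_sha256sums(MANIFEST, "foo-1.0.tar.gz", TARBALL))
```

The isolated homedir is what makes the pinning meaningful: if the verification ran against the developer's own keyring, a stale or mis-validated key of the kind comment 7 complains about would pass just as easily. For the signed-checksum style, the signature check and the digest check are deliberately separate steps, because the signature only proves the text document is upstream's; the tarball still has to be matched against it.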