Bug 856928 - Hardened profiles: Add verify-sig useflag
Status: UNCONFIRMED
Product: Gentoo Linux
Classification: Unclassified
Component: Profiles
Hardware: All Linux
Importance: Normal enhancement
Assignee: The Gentoo Linux Hardened Team

Reported: 2022-07-07 19:36 UTC by David Sardari
Modified: 2024-02-17 21:20 UTC
Description David Sardari 2022-07-07 19:36:46 UTC
IMHO, the verify-sig useflag should get added to the hardened profiles.

Reproducible: Always
Comment 1 Mike Gilbert gentoo-dev 2022-07-09 20:08:24 UTC
The verify-sig USE flag is meant for developers to verify signatures when they add a new ebuild to the repo. Once the file is in the Manifest, signature verification is mostly pointless overhead.

Regardless, this really has nothing to do with "hardening" a system.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-08 21:05:39 UTC
I'm fine with adding it even though it's not strictly necessary, as it could help catch a (small class of) developer errors.
Comment 3 emdee_is 2022-08-17 15:00:28 UTC
I strongly disagree that this has nothing to do with "hardening" a system.
For things like the kernel or firmware, security conscious installations may require signature verification, no matter what the package manager is. Gentoo's support of key verification is a big plus, not just overhead.

verify-sig useflag should get added to the hardened profiles, as it doesn't impose much overhead relative to, say, compiling a kernel, and not only could help catch a class of developer errors, it may help catch MITM corruption.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-17 15:04:54 UTC
(In reply to emdee_is from comment #3)
> I strongly disagree that this has nothing to do with "hardening" a system.
> For things like the kernel or firmware, security conscious installations may
> require signature verification, no matter what the package manager is.
> Gentoo's support of key verification is a big plus, not just overhead.
> 
> verify-sig useflag should get added to the hardened profiles, as it doesn't
> impose much overhead relative to say compiling a kernel,  and not only could
> help catch a class of developer errors, it may help catch MITM corruption.

It doesn't make any difference to MITM outside of developer error in the first instance?
Comment 5 Jory A. Pratt gentoo-dev 2022-08-18 00:07:09 UTC
(In reply to Sam James from comment #2)
> I'm fine with adding it even though it's not strictly necessary, as it could
> help catch a (small class of) developer errors.

Terrible idea, this should be enabled by developers and those few users who want to request such support. This is just more cruft that many users will turn off, increasing useflag cruft in make.conf.
Comment 6 A. Wilcox (awilfox) 2024-02-17 21:20:00 UTC
I'd like to add my rationale for wanting this to be default in hardened:

When I use the hardened profile, it's because I've analysed that the threat model for the system in question is elevated enough that it requires additional defenses.  Verifying the PGP signatures of the incoming tarballs adds defense-in-depth against a supply chain attack.  While I appreciate that sha512 and blake2 are hard to collide (especially together), tech continues to advance all the time.  Having another way to attest that the incoming source is the intended source is, IMO, quite valuable.
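The thread contrasts two layers of distfile checking: the hash layer (the BLAKE2B and SHA512 entries Portage records in a Manifest, mentioned in comments 1 and 6) and the upstream-signature layer that verify-sig adds on top. The following is an added example, not code from the bug or from Portage, showing what the Manifest layer actually attests: it parses Gentoo-style `DIST` lines and checks a file's size and every listed hash against them. The sample tarball bytes, the file name `example-1.0.tar.gz` and the `manifest_dist_line` helper are constructed for the example; a real Manifest entry is generated by the developer who added the ebuild, which is exactly why this layer can only say "this file matches what the developer committed", not "this file is what upstream released".

```python
import hashlib
import hmac

# Constructed stand-in for a distfile; a real one would be the upstream tarball.
SAMPLE_DISTFILE = b"constructed tarball bytes for the example\n" * 4

# Hash algorithms a Gentoo Manifest currently carries for DIST entries.
# BLAKE2B in Manifests is the 512-bit variant, which is hashlib's default.
HASHERS = {"BLAKE2B": hashlib.blake2b, "SHA512": hashlib.sha512}


def manifest_dist_line(filename: str, data: bytes) -> str:
    """Build a Manifest-style DIST entry for data (helper for the example only).

    In the real workflow this line is written by the developer's tooling when
    the ebuild is added, then committed to the repository."""
    b2 = hashlib.blake2b(data).hexdigest()
    sha = hashlib.sha512(data).hexdigest()
    return f"DIST {filename} {len(data)} BLAKE2B {b2} SHA512 {sha}"


def parse_dist_line(line: str) -> dict:
    """Parse 'DIST <name> <size> <ALG> <hex> [<ALG> <hex> ...]' into a dict."""
    fields = line.split()
    # Need at least one (algorithm, digest) pair and an even number of them.
    if len(fields) < 5 or fields[0] != "DIST" or (len(fields) - 3) % 2:
        raise ValueError(f"malformed DIST line: {line!r}")
    entry = {"name": fields[1], "size": int(fields[2]), "hashes": {}}
    for alg, hexdigest in zip(fields[3::2], fields[4::2]):
        entry["hashes"][alg.upper()] = hexdigest.lower()
    return entry


def verify_distfile(line: str, data: bytes) -> tuple[bool, list[str]]:
    """Check data against the size and every hash in a Manifest DIST entry.

    Returns (ok, problems). Every advertised hash must be supported and must
    match: an algorithm this checker does not know is reported as a failure
    rather than silently skipped, so a Manifest cannot be "verified" by
    ignoring the entries that were not checked."""
    entry = parse_dist_line(line)
    problems: list[str] = []
    if len(data) != entry["size"]:
        problems.append(f"size mismatch: {len(data)} != {entry['size']}")
    for alg, expected in entry["hashes"].items():
        hasher = HASHERS.get(alg)
        if hasher is None:
            problems.append(f"unsupported hash {alg}")
            continue
        actual = hasher(data).hexdigest()
        # Constant-time comparison; cheap insurance when comparing digests.
        if not hmac.compare_digest(actual, expected):
            problems.append(f"{alg} mismatch")
    return (not problems, problems)


if __name__ == "__main__":
    line = manifest_dist_line("example-1.0.tar.gz", SAMPLE_DISTFILE)
    print(line)
    print("pristine:", verify_distfile(line, SAMPLE_DISTFILE))
    tampered = bytearray(SAMPLE_DISTFILE)
    tampered[0] ^= 0x01  # same length, one bit flipped
    print("tampered:", verify_distfile(line, bytes(tampered)))
```

Note what a passing result means: the bytes equal what the developer hashed when committing the Manifest. If the developer fetched a tampered tarball in the first place (the "developer error" case in comments 1, 2 and 4), the Manifest faithfully records the bad hashes and this check passes. Checking the upstream maintainer's detached signature, which is what the verify-sig USE flag enables, is the independent attestation comment 6 is asking for.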