Bug 587486

Summary: Provide installation files with attached GPG signature and make them default in the handbook
Product: Gentoo Release Media
Reporter: terabit.funtoo
Component: Everything
Assignee: Gentoo Release Team <releng>
Status: RESOLVED FIXED
Severity: enhancement
CC: bruce
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description terabit.funtoo 2016-06-29 08:08:28 UTC
Hi,

Currently the gentoo installation procedure involves downloading a livecd (optionally), a stage3 and the portage tarball (or using webrsync).

In order to verify these, users have to download a separate detached signature file (.asc), verify the '.asc' file and cross-check the hash in the '.asc' file with the downloaded file (e.g.: sha512sum -c ....).

GPG lets users create a signed file (plain --sign option) where users have to decrypt it with the public key of the signer in order to use it.

My suggestion is to have mirrors host a gpg-signed installation livecd, stage3 and portage tarball, and have the gentoo handbook instructions instruct users to import the release signing keys and decrypt their download before they can start using the downloaded files.

Example:

---------------
Bob@host ~/gpgtst $ ls -lah
drwxr-xr-x  2 Bob Bob   69 Jun 29 10:40 .
drwx------ 80 Bob Bob  16K Jun 29 10:05 ..
-rw-r--r--  1 Bob Bob 700M Jun 29 10:38 livecd.iso

Bob@host ~/gpgtst $ sha512sum livecd.iso 
d446d3e2b8d8e19463c54bc1fc6f142435eee483b06dcc1cbdd25a07f893d8e90b2a9144e68564ef59aa97d9da022ff0410ce3b29b4098f46e6c0a76254b1709  livecd.iso
Bob@host ~/gpgtst $ time gpg --sign livecd.iso 

real    0m17.806s
user    0m13.021s
sys     0m1.236s


Bob@host ~/gpgtst $ ls
livecd.iso  livecd.iso.gpg
Bob@host ~/gpgtst $ time gpg --out install-livecd.iso --decrypt livecd.iso.gpg 
gpg: Signature made Wed 29 Jun 2016 10:39:46 AM  using RSA key ID 44F5B547
gpg: Good signature from "Bob-Host (GPG key for Bob used for encrypting FDE keys among other things) <Bob@host>" [ultimate]

real    0m9.596s
user    0m6.868s
sys     0m0.705s
Bob@host ~/gpgtst $ sha512sum install-livecd.iso 
d446d3e2b8d8e19463c54bc1fc6f142435eee483b06dcc1cbdd25a07f893d8e90b2a9144e68564ef59aa97d9da022ff0410ce3b29b4098f46e6c0a76254b1709  install-livecd.iso
Bob@host ~/gpgtst $ 
---------------------------------

It takes 17s to sign the .iso file and 9 seconds to decrypt it (inside a VM too!).

There are two obvious facts:

1) most users don't verify hashes or bother with gpg verification
2) users would use gpg if it was the default method and it did not involve burdensome steps to use it.

Not having a detached signature would mean users *have to* decrypt the downloaded signed file before using it; this is a simple two-step procedure.

1) Import the PGP public keys used to sign the files (manually copy-paste the correct fingerprint from the gentoo installation handbook for this step)
2) Decrypt the downloaded .gpg file (as shown above, just run gpg --output file --decrypt file.gpg)

I am not suggesting to stop the use of detached .asc/digest files, or to stop mirrors from hosting plain installation files. My suggestion is to have this option and make it the default.

If this is done, I am confident most users will be using verified gentoo installations. This will increase security for everyone.

Per IRC discussion in #gentoo-chat, this could also be used for ebuilds and tarballs with portage; it will only require the signing keys to be imported once during the installation/setup of the OS.

Thanks in advance for considering this request.
Comment 1 sn0wmonster 2016-07-02 02:43:14 UTC
This should be standard in all distros and it's shocking that it's not. Please fix this.
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2022-04-09 16:27:38 UTC
The files now have a direct detached signature. 

Which means that
* they still can be used without resorting to gpg
* the verification is as easy as the "decryption" step you mention

gpg --verify install.....asc

I'd say this is fixed.
Comment 3 Thibaud CANALE 2022-04-20 20:15:04 UTC
(In reply to Andreas K. Hüttel from comment #2)
> The files now have a direct detached signature. 
> 
> Which means that
> * they still can be used without resorting to gpg
> * the verification is as easy as the "decryption" step you mention
> 
> gpg --verify install.....asc
> 
> I'd say this is fixed.

Hello Andreas,

(Note: sorry if I explain something you already know, it’s just to provide technical arguments for my request)

The current detached signatures available on the mirrors for stage3 and ISO are signing the whole file instead of their respective DIGESTS files.

A better approach would be to sign those DIGESTS files (both could be okay). This allows downloading only the DIGESTS and its signature on a reliable system (small files), and only the archive (big file) and its DIGESTS on the target machine.
Then, you verify the content of the DIGESTS file on your reliable system thanks to the GPG signature, and on the target system, you only need to check the checksum of the archive.

Currently, because there is no signed DIGESTS, this takes more time to verify, especially on the reliable system:
In the current situation, we also need to download the archive, its DIGESTS and its signature files. Then, we verify the whole archive with its signature -- which takes way more time than a small file such as the DIGESTS --, then check the checksum(s) -- so a second (or more) read of the whole archive -- to decide if the file is verbatim.

All these recent modifications make the current handbook outdated, as I raised through discussion
https://wiki.gentoo.org/wiki/Handbook_Talk:AMD64/Installation/Stage#Updates_accordingly_the_signature_verification_process

I will be really glad to see such a reliable process. I might make some errors, and will be happy to understand them.

Best regards,
Comment 4 Thibaud CANALE 2022-04-20 20:29:10 UTC
(In reply to Thibaud "thican" CANALE from comment #3)
../..
> Hello Andreas,
../.. 
> Best regards,

Thanks to your answer on IRC, it made me notice the DIGESTS files are already inline signed. I like this solution, and it's also very reliable.

Thanks for your support.
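As an added example (not code from the bug report and not Gentoo's own release tooling), the two-stage flow that comments 3 and 4 arrive at, combined with the sha512sum cross-check from the description, written as a POSIX shell script: the small inline-signed DIGESTS file is verified with gpg against a known release-key fingerprint, and the large archive is then checked only by its SHA512 entry from that DIGESTS file. It assumes a Gentoo-style DIGESTS layout (a `# SHA512 HASH` header followed by `<hex>  <filename>` lines), gpg's `--status-fd` `VALIDSIG` status line, and a placeholder `RELEASE_KEY_FPR` that must be replaced with the fingerprint from the handbook; the file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Gentoo's release tooling.
# Stage 1 (trusted system): verify the inline-signed DIGESTS file with gpg and
# insist that a specific release key made the signature.
# Stage 2 (target system): check the big archive against the SHA512 entry
# taken from that verified DIGESTS file.

# Placeholder: the real fingerprint comes from the Gentoo handbook, not from here.
RELEASE_KEY_FPR="${RELEASE_KEY_FPR:-0000000000000000000000000000000000000000}"

# Print the SHA512 hex digest of a file (sha512sum on GNU userland, shasum elsewhere).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# Pull the SHA512 entry for a file name out of a Gentoo-style DIGESTS file.
# The file carries "# BLAKE2B HASH" and "# SHA512 HASH" headers, each followed
# by "<hex>  <filename>" lines; only the line under the SHA512 header is wanted.
# Clearsign headers ("Hash: SHA512") and the base64 signature never match.
expected_sha512() {
    digests="$1"; name="$2"
    awk -v name="$name" '
        /^# [A-Z0-9]+ HASH/ { section = $2; next }
        section == "SHA512" && $2 == name { print $1; exit }
    ' "$digests"
}

# Trusted-system step. gpg --verify returning 0 only says "some key in the
# keyring signed this"; the VALIDSIG status line names the key, so require the
# expected fingerprint there. VALIDSIG lists the signing (sub)key fingerprint
# in field 3 and the primary key fingerprint last, and the handbook publishes
# the primary fingerprint, so accept a match on either field.
verify_digests_signature() {
    digests="$1"; fpr="$2"
    gpg --batch --status-fd 1 --verify "$digests" 2>/dev/null \
        | awk -v fpr="$fpr" '
            $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
            END { exit ok ? 0 : 1 }'
}

# Target-system step: compare the archive's SHA512 with its DIGESTS entry.
# Returns 0 on match, 1 on mismatch or when the entry is missing.
check_archive() {
    archive="$1"; digests="$2"
    want=$(expected_sha512 "$digests" "$(basename "$archive")")
    [ -n "$want" ] || { echo "no SHA512 entry for $archive in $digests" >&2; return 1; }
    got=$(sha512_of "$archive")
    [ "$got" = "$want" ] && return 0
    echo "SHA512 mismatch for $archive" >&2
    return 1
}

# Usage: sh verify.sh stage3-amd64.tar.xz stage3-amd64.tar.xz.DIGESTS
if [ "$#" -eq 2 ]; then
    verify_digests_signature "$2" "$RELEASE_KEY_FPR" \
        || { echo "DIGESTS signature check failed" >&2; exit 1; }
    check_archive "$1" "$2" && echo "$1 verified"
fi
```

The point of matching the fingerprint on the `VALIDSIG` line rather than trusting gpg's exit status is the same concern the description raises about copy-pasting the fingerprint from the handbook: any key that happens to be in the keyring would otherwise produce a "Good signature", so the check binds the DIGESTS file to the release key the user actually imported.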