Summary: | Allow signature verification of portage tree for offline systems | |
---|---|---|---
Product: | Portage Development | Reporter: | Nikolay <nikolay.p>
Component: | Unclassified | Assignee: | Portage team <dev-portage>
Status: | UNCONFIRMED --- | |
Severity: | normal | CC: | esigra, leonchik1976
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | | |
Bug Blocks: | 240187 | |
Description
Nikolay
2019-08-07 22:57:18 UTC
Related forum threads: https://forums.gentoo.org/viewtopic-t-1100320.html https://forums.gentoo.org/viewtopic-p-8228304.html

I had the same problem: isolated environments that worked for years until the emerge-webrsync + webrsync-gpg -> emerge --sync + sync-webrsync-verify-signature change. In my case I control the proxy, so I was able to allow the Gentoo keyservers. In your case, I wonder, as a workaround, could you fake things out by setting up an internal webserver and using internal DNS or /etc/hosts records to direct your internal systems there to fetch key "updates"? (I don't know if gemato will be too smart to be fooled by that, if you'd have to stuff your own CA cert in place, etc.)

If/when you do get past that, watch out for https://bugs.gentoo.org/691434 as well: emerge-webrsync in a cron job picks up proxy settings just fine, but emerge --sync does not; the workaround is in that bug report.

(In reply to Nikolay from comment #0)
> An offline Gentoo installation seems to be unable to use the tree
> verification security feature. The portage tree is synced with webrsync via HTTP
> proxy (no Internet access).
>
> Up until the last update of portage that method worked.
>
> After the last update, emerge --sync is trying to refresh keys via WKD and
> fails because the system is offline.

If you can sync via HTTP proxy, then hopefully the WKD key refresh can use the same HTTP proxy.

> Would it be possible to allow such offline Gentoo systems to successfully
> sync the tree and verify the signature without trying to refresh the keys
> from the keyserver?
>
> Turning off the verification process compromises security.

Skipping the key refresh also compromises security, since the "trusted" key may have been revoked without your knowledge. We do not want to provide you with a false sense of security, since that is equivalent to a security vulnerability.

(In reply to Zac Medico from comment #3)
> If you can sync via HTTP proxy, then hopefully the WKD key refresh can use
> the same HTTP proxy.

This will work if the key refresh process does not involve the use of HTTPS. This is an HTTP-only white-list proxy. Unfortunately it is outside of my control.

> Skipping the key refresh also compromises security, since the "trusted" key
> may have been revoked without your knowledge. We do not want to provide you
> with a false sense of security, since that is equivalent to a security
> vulnerability.

I agree. However, there can be an option that needs to be explicitly enabled for this. I thought it would be in Gentoo's spirit to allow full customization of the system for those who understand the risk involved. Key revocation can be announced on the mailing list the same way GLSAs get announced. For emerge-webrsync, which is performed once in 24 hours, this could provide a sufficient level of security. If I understand correctly, even when the key refresh happens every time emerge --sync is invoked, there still exists a chance that an attacker would compromise the key and introduce malicious content into the portage tree, which will propagate to some users before the Gentoo dev team revokes the key.

Sure, we can add a repos.conf setting to skip the key refresh, as long as the documentation includes a sufficient warning about the security implications with respect to key revocation.

(In reply to Nikolay from comment #0)
> An offline Gentoo installation seems to be unable to use the tree
> verification security feature. The portage tree is synced with webrsync via HTTP
> proxy (no Internet access).
>
> Up until the last update of portage that method worked.
>
> After the last update, emerge --sync is trying to refresh keys via WKD and
> fails because the system is offline.
>
> Would it be possible to allow such offline Gentoo systems to successfully
> sync the tree and verify the signature without trying to refresh the keys
> from the keyserver?
>
> Turning off the verification process compromises security.

Just FYI, qmanifest from >=portage-utils-0.80* can verify your tree separately; it doesn't do key refresh, so you'll have to ensure it is up to date yourself. (If it can't verify the signature, it continues nevertheless to tell you whether your tree, apart from the signature, is fine.)
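The exchange above turns on one point: once automatic key refresh is disabled, the only revocation or expiry knowledge the offline system has is whatever sits in its local keyring, so an administrator who takes the opt-out has to compensate by checking the key's recorded state and by enforcing an out-of-band refresh cadence (for example, importing revocations announced on the mailing list). The following is an added example of such a policy check; it is not Portage or gemato code, the gpg listing it parses is constructed sample data with placeholder key IDs and fingerprints, and the 30-day refresh window is an assumed policy, not a Gentoo recommendation.

```python
"""Added example (not Portage or gemato code): a local key-state policy check
for systems that cannot refresh OpenPGP keys online.

Before a snapshot signature is trusted, the check
  1. inspects the signing key's validity flag and expiry as recorded in the
     local keyring (machine-readable `gpg --with-colons` output), and
  2. refuses if the keyring has not been refreshed out of band within an
     assumed policy window, so a stale keyring cannot silently hide a revocation.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy: how long an unrefreshed keyring remains acceptable.
MAX_KEYRING_AGE = timedelta(days=30)

# gpg validity flags that mean "do not trust this key":
# r = revoked, e = expired, d = disabled, i = invalid, n = not valid.
UNTRUSTED_FLAGS = frozenset("redin")

# Constructed sample of `gpg --with-colons --fixed-list-mode --list-keys`
# output. Key IDs, fingerprints and dates are placeholders, not real keys.
# Colon-format fields used here: 1 record type, 2 validity, 5 long key ID,
# 6 creation epoch, 7 expiry epoch (empty = never expires).
SAMPLE_LISTING = """\
tru::1:1565000000:0:3:1:5
pub:f:4096:1:0123456789ABCDEF:1540000000:1600000000::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:f::::1540000000::PLACEHOLDERHASH::Example Release Key <release@example.invalid>::::::::::0:
sub:f:4096:1:FEDCBA9876543210:1540000000:1600000000:::::s::::::23:
pub:r:4096:1:1111222233334444:1500000000:::-:::scESC::::::23::0:
uid:r::::1500000000::PLACEHOLDERHASH::Revoked Example Key <revoked@example.invalid>::::::::::0:
"""


@dataclass(frozen=True)
class KeyState:
    keyid: str
    validity: str
    expires: Optional[datetime]


def parse_public_keys(listing: str) -> dict[str, KeyState]:
    """Collect the primary (`pub`) keys from a colon-format listing."""
    keys: dict[str, KeyState] = {}
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "pub":
            continue
        expires = None
        if fields[6]:  # fixed-list-mode prints expiry as seconds since the epoch
            expires = datetime.fromtimestamp(int(fields[6]), tz=timezone.utc)
        keys[fields[4]] = KeyState(keyid=fields[4], validity=fields[1], expires=expires)
    return keys


def may_verify(keys: dict[str, KeyState], trusted_keyid: str,
               keyring_refreshed_at: datetime, now: datetime) -> tuple[bool, str]:
    """Decide whether a signature by `trusted_keyid` may be trusted offline.

    Returns (decision, reason) so the caller can log why a sync was refused.
    """
    key = keys.get(trusted_keyid)
    if key is None:
        return False, f"trusted key {trusted_keyid} is not in the local keyring"
    if key.validity in UNTRUSTED_FLAGS:
        return False, f"key {trusted_keyid} carries validity flag {key.validity!r}"
    if key.expires is not None and key.expires <= now:
        return False, f"key {trusted_keyid} expired on {key.expires:%Y-%m-%d}"
    age = now - keyring_refreshed_at
    if age > MAX_KEYRING_AGE:
        return False, (f"keyring last refreshed {age.days} days ago, exceeding the "
                       f"{MAX_KEYRING_AGE.days}-day policy window")
    return True, "key is valid and keyring is within the refresh window"


def decide_from_listing(listing: str, trusted_keyid: str,
                        refreshed_epoch: int, now_epoch: int) -> tuple[bool, str]:
    """Wrapper taking epoch seconds, e.g. `date +%s` and the mtime of a marker
    file touched whenever the keyring is refreshed by hand."""
    keys = parse_public_keys(listing)
    refreshed_at = datetime.fromtimestamp(refreshed_epoch, tz=timezone.utc)
    now = datetime.fromtimestamp(now_epoch, tz=timezone.utc)
    return may_verify(keys, trusted_keyid, refreshed_at, now)


if __name__ == "__main__":
    now = 1565222400  # 2019-08-08 00:00 UTC, constructed
    for keyid in ("0123456789ABCDEF", "1111222233334444"):
        ok, reason = decide_from_listing(SAMPLE_LISTING, keyid, now - 2 * 86400, now)
        print(f"{keyid}: {'ALLOW' if ok else 'REFUSE'} ({reason})")
```

In a real deployment the listing would come from `gpg --with-colons --fixed-list-mode --list-keys` against the keyring Portage uses, and the refresh timestamp from a marker file the administrator updates after importing keys or revocation certificates obtained through the HTTP proxy or from a signed mailing-list announcement. The check deliberately fails closed: an unknown key, a revoked or expired key, or a keyring older than the policy window all refuse the sync, which is the behaviour Zac Medico's objection asks an opt-out to preserve.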