[haiku-development] Re: Design for signed packages

  • From: Urias McCullough <umccullough@xxxxxxxxx>
  • To: haiku-development@xxxxxxxxxxxxx
  • Date: Fri, 28 Mar 2014 14:12:01 -0700

On Fri, Mar 28, 2014 at 2:06 PM, Julian Harnath
<julian.harnath@xxxxxxxxxxxxxx> wrote:
> Urias McCullough <umccullough@xxxxxxxxx> wrote:
>> I don't understand how that's significantly different from simply
>> maintaining hashes of all the binaries in our source control and
>> verifying them during download. There's really no need to sign them
>> assuming we trust devs who have commit access already.
>
> The advantage of signing over a simple hash is that it depends on the
> private key, which is, well, private. An attacker who could gain access
> to our package repo server could simply exchange the binaries and change
> the hashes. It's also easy to do a man-in-the-middle attack, changing
> these things on the fly.

Yes, I understand - and I support the idea behind signing packages for
pure binary downloads - BUT, for building Haiku, we have a separate
location to store the hashes, which has controlled and
easily-monitored access - the Git repo.

I just think that we can solve Jonathan's concerns right away by
adding a list of hashes for each of our downloaded packages used at
build time in our Git repo and verifying them on download... whereas
adding a full signing mechanism will take longer.

> Both attack scenarios don't work with signing: without access to the
> private key (which needs to be guarded closely), the attacker cannot
> generate a valid signature. All he could do is exchange the package
> containing the public CA certs, so new installations could be
> compromised... but everyone doing an update on an older system would
> immediately notice that things are wrong.

Since we currently require SSH access to commit to Git, I don't see
how these signing keys will be any more likely to be "secured" at this
point.

Until we limit the ability for creation of "official" binary packages
to a small subset of developers, I don't see how it will greatly
improve anything.

In any case, I think we can immediately solve the concern of "someone
messing with the internet connection", or even "someone tampering with
the server" quite easily without introducing signed packages.

- Urias
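
The build-time check proposed in this message, sketched as an added example (not code from the thread or from the Haiku build system): a hash list kept in Git is parsed and each downloaded package is accepted only if its SHA-256 matches its pinned entry. The `sha256sum`-style manifest layout, the package file names and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile

def load_manifest(text):
    """Parse 'sha256-hex  filename' lines (assumed layout) from the Git-tracked list."""
    pinned = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        digest = digest.lower()
        if len(digest) != 64 or not set(digest) <= set("0123456789abcdef") or not name:
            raise ValueError(f"manifest line {n}: malformed entry")
        if name in pinned:  # two hashes for one file would make the pin ambiguous
            raise ValueError(f"manifest line {n}: duplicate entry for {name}")
        pinned[name] = digest
    return pinned

def sha256_file(path):
    """Hash the file in chunks so large packages are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, pinned):
    """Return 'ok', 'mismatch' or 'unlisted'; the build should use the file only on 'ok'."""
    expected = pinned.get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # fail closed: a package with no pinned hash is not trusted
    return "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"

def demo():
    """Constructed data: one intact package, one replaced on the server, one never pinned."""
    good = b"constructed package contents"
    manifest = "\n".join([
        "# constructed manifest, as it might be committed to Git",
        hashlib.sha256(good).hexdigest() + "  example-1.0-1-x86.hpkg",
        hashlib.sha256(b"original build").hexdigest() + "  other-2.0-1-x86.hpkg",
    ])
    pinned = load_manifest(manifest)
    served = {"example-1.0-1-x86.hpkg": good,
              "other-2.0-1-x86.hpkg": b"swapped on server",
              "extra-0.1-1-x86.hpkg": b"never pinned"}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in served.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            results[name] = verify_download(path, pinned)
    return results
```

The check is only as trustworthy as the manifest, so the manifest has to come from the Git checkout and never from the same server that delivers the packages.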
