View previous topic :: View next topic |
Author |
Message |
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1810 Location: PB, Germany
|
Posted: Thu Feb 23, 2017 7:15 am Post subject: Validated Gentoo repository snapshots |
|
|
Hi, I'm testing #Validated_Gentoo_repository_snapshots, added the key to trusted, but I still get
Code: | Checking signature ...
gpg: Signature made Do 23 Feb 2017 01:51:47 CET
gpg: using RSA key EC590EEAC9189250
gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DCD0 5B71 EAB9 4199 527F 44AC DB6B 8C1F 96D8 BF6D
Subkey fingerprint: E1D6 ABB6 3BFC FB4B A02F DF1C EC59 0EEA C918 9250
Getting snapshot timestamp ...
Syncing local tree ... |
Then why is the sync done at all if not trusted?
I doesn't matter which trust decision I set, even if I don't trust, the sync is always done:
Code: | # gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release --edit-key 0xDB6B8C1F96D8BF6D trust
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa4096/DB6B8C1F96D8BF6D
created: 2011-11-25 expires: 2018-07-01 usage: C
trust: never validity: unknown
sub rsa4096/EC590EEAC9189250
created: 2011-11-25 expires: 2018-07-01 usage: S
[ unknown] (1). Gentoo Portage Snapshot Signing Key (Automated Signing Key)
pub rsa4096/DB6B8C1F96D8BF6D
created: 2011-11-25 expires: 2018-07-01 usage: C
trust: never validity: unknown
sub rsa4096/EC590EEAC9189250
created: 2011-11-25 expires: 2018-07-01 usage: S
[ unknown] (1). Gentoo Portage Snapshot Signing Key (Automated Signing Key)
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 2
pub rsa4096/DB6B8C1F96D8BF6D
created: 2011-11-25 expires: 2018-07-01 usage: C
trust: never validity: unknown
sub rsa4096/EC590EEAC9189250
created: 2011-11-25 expires: 2018-07-01 usage: S
[ unknown] (1). Gentoo Portage Snapshot Signing Key (Automated Signing Key) |
Code: | # rm -f /usr/portage/metadata/timestamp.x
removed '/usr/portage/metadata/timestamp.x'
# emaint sync --repo gentoo
>>> Syncing repository 'gentoo' into '/usr/portage'...
Fetching most recent snapshot ...
Trying to retrieve 20170222 snapshot from http://ftp.halifax.rwth-aachen.de/gentoo ...
Fetching file portage-20170222.tar.xz.md5sum ...
Fetching file portage-20170222.tar.xz.gpgsig ...
Fetching file portage-20170222.tar.xz ...
Checking digest ...
Checking signature ...
gpg: Signature made Do 23 Feb 2017 01:51:47 CET
gpg: using RSA key EC590EEAC9189250
gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DCD0 5B71 EAB9 4199 527F 44AC DB6B 8C1F 96D8 BF6D
Subkey fingerprint: E1D6 ABB6 3BFC FB4B A02F DF1C EC59 0EEA C918 9250
Getting snapshot timestamp ...
Syncing local tree ... |
I often thought about how easy it could be to get infected by malware if the repository is hijacked. Moving all portage repos to github the security is even concentrated on that 3rd party service. So signing the snapshots is the right way. It is still unclear what quality assurance it performed for a signature. If developers are just pushing and pulling with the github repo as central point, then the daily signature would easily validate such malware as well.
Checksumming the single packages is one level, but a hijacked portage tree would link to a valid checksummed malware repository. _________________ HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770 |
|
Back to top |
|
|
shrike Apprentice
Joined: 20 Feb 2004 Posts: 187 Location: Closer to home
|
Posted: Thu Feb 23, 2017 3:37 pm Post subject: |
|
|
Quote: |
I often thought about how easy it could be to get infected by malware if the repository is hijacked. Moving all portage repos to github the security is even concentrated on that 3rd party service. So signing the snapshots is the right way. It is still unclear what quality assurance it performed for a signature. If developers are just pushing and pulling with the github repo as central point, then the daily signature would easily validate such malware as well.
Checksumming the single packages is one level, but a hijacked portage tree would link to a valid checksummed malware repository.
|
Agreed!
There is an open portage bug (https://bugs.gentoo.org/show_bug.cgi?id=597918) concerning the 'validated snapshots' feature but I don't know if this is what's causing your problem Massimo B.
Thanks for bringing this feature to my attn.
shrike |
|
Back to top |
|
|
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1810 Location: PB, Germany
|
Posted: Fri Feb 24, 2017 8:18 am Post subject: |
|
|
I was also pleased to get to know this security feature.
The bug seems to be about an easier key management using gkeys. Establishing trust manually should already work. But I wonder that switching the trust does not make any difference as shown in my example. Maybe I'm doing it wrong. I'd like to see a sync WARNING and early EXIT if the signature has failed. _________________ HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770 |
|
Back to top |
|
|
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1810 Location: PB, Germany
|
Posted: Fri Feb 24, 2017 8:24 am Post subject: |
|
|
When talking about the Portage security in general:
The portage tree snapshot is secured by GPG key of 4096-bit RSA.
What about the files downloaded? Those are all checksummed via the Manifest file. Looking there I see for every downloaded file of all ebuilds available on that package some Filesize+SHA256+SHA512+WHIRLPOOL hash. Which of those is checked? All or configuration related? _________________ HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770 |
|
Back to top |
|
|
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Fri Feb 24, 2017 10:34 pm Post subject: |
|
|
Yes those are all checked by default, see man 5 portage -> "manifest-hashes". |
|
Back to top |
|
|
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9608 Location: beyond the rim
|
Posted: Tue Feb 28, 2017 8:01 am Post subject: |
|
|
By default all hashes are checked for all files. It's possible though to only require one valid hash for purely descriptive files (e.g. metadata.xml or changelogs) by changing the strict-misc-digests property of a repository. |
|
Back to top |
|
|
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1810 Location: PB, Germany
|
Posted: Wed Mar 22, 2017 6:21 am Post subject: |
|
|
shrike wrote: | Thanks for bringing this feature to my attn. | For those interested in overlays I found these options in /etc/layman/layman.cfg: gpg_signed_lists, gpg_detached_lists
The official list is not signed and I have never seen an overlay list using that. Are there more official or inofficial overlay lists beside the layman-owned out there? _________________ HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770 |
|
Back to top |
|
|
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1810 Location: PB, Germany
|
Posted: Fri Mar 24, 2017 7:08 am Post subject: |
|
|
So again, shouldn't this warning stop the sync actually? How can verify the ownership with a trusted signature?
Code: | Fetching file portage-20170323.tar.xz.md5sum ...
Fetching file portage-20170323.tar.xz.gpgsig ...
Fetching file portage-20170323.tar.xz ...
Checking digest ...
Checking signature ...
gpg: Signature made Fr 24 Mär 2017 01:51:49 CET
gpg: using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DCD0 5B71 EAB9 4199 527F 44AC DB6B 8C1F 96D8 BF6D
Subkey fingerprint: E1D6 ABB6 3BFC FB4B A02F DF1C EC59 0EEA C918 9250
Getting snapshot timestamp ...
Syncing local tree ... |
_________________ HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770 |
|
Back to top |
|
|
shrike Apprentice
Joined: 20 Feb 2004 Posts: 187 Location: Closer to home
|
Posted: Fri Mar 24, 2017 12:12 pm Post subject: |
|
|
Massimo B.,
I believe this is normal gpg behavior having to do with 'web of trust'. As I understand it you need to sign the key of a 'trusted' person using your key, then there would be no warning.
https://www.kernel.org/category/signatures.html
shrike |
|
Back to top |
|
|
tholin Apprentice
Joined: 04 Oct 2008 Posts: 204
|
Posted: Fri Mar 24, 2017 12:27 pm Post subject: Re: Validated Gentoo repository snapshots |
|
|
Massimo B. wrote: |
Then why is the sync done at all if not trusted?
I doesn't matter which trust decision I set, even if I don't trust, the sync is always done:
|
emerge-webrsync just calls the gpg executable directly and check the return value. Gpg will only return an error if the signature doesn't match. Even if the signature is untrusted or the signature has expired the return value will still indicate success. The gpg manual recommends that gpgme should be used instead of calling gpg directly the way emerge-webrsync does.
https://www.gnupg.org/documentation/manuals/gnupg/Programmatic-use-of-GnuPG.html#Programmatic-use-of-GnuPG |
|
Back to top |
|
|
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1810 Location: PB, Germany
|
Posted: Fri Mar 24, 2017 1:28 pm Post subject: |
|
|
So you say this is worth a bug report? _________________ HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770 |
|
Back to top |
|
|
tholin Apprentice
Joined: 04 Oct 2008 Posts: 204
|
|
Back to top |
|
|
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1810 Location: PB, Germany
|
|
Back to top |
|
|
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1810 Location: PB, Germany
|
Posted: Fri Jan 12, 2018 12:12 pm Post subject: |
|
|
Looking again after the GPG snapshots...
Current emerge --sync returns: Code: | Checking signature ...
gpg: Signature made Fr 12 Jan 2018 01:51:27 CET
gpg: using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DCD0 5B71 EAB9 4199 527F 44AC DB6B 8C1F 96D8 BF6D
Subkey fingerprint: E1D6 ABB6 3BFC FB4B A02F DF1C EC59 0EEA C918 9250
Getting snapshot timestamp ...
Syncing local tree ... |
While the current keys of app-crypt/gentoo-keys-201607021514-r2 does not have this signature: Code: | # gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release --list-keys --keyid-format LONG
gpg: checking the trustdb
gpg: no ultimately trusted keys found
/var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg
---------------------------------------------------------
pub rsa4096/825533CBF6CD6C97 2014-10-03 [C] [expired: 2017-09-17]
D2DE1DBBA0F43EBA341B97D8825533CBF6CD6C97
uid [ expired] Gentoo-keys Team <gkeys@gentoo.org>
pub dsa1024/9E6438C817072058 2004-07-20 [SC] [expires: 2018-07-01]
D99EAC7379A850BCE47DA5F29E6438C817072058
uid [ unknown] Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@gentoo.org>
sub elg2048/0403710E1415B4ED 2004-07-20 [E] [expires: 2018-07-01]
pub rsa4096/DB6B8C1F96D8BF6D 2011-11-25 [C] [expires: 2018-07-01]
DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
uid [ unknown] Gentoo Portage Snapshot Signing Key (Automated Signing Key)
sub rsa4096/EC590EEAC9189250 2011-11-25 [S] [expires: 2018-07-01]
pub rsa4096/BB572E0E2D182910 2009-08-25 [SC] [expired: 2017-08-25]
13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
uid [ expired] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org> |
Is the gentoo-keys ebuild not well maintained? Should I just add that signature to my trusted keyring? _________________ HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770 |
|
Back to top |
|
|
charles17 Advocate
Joined: 02 Mar 2008 Posts: 3684
|
|
Back to top |
|
|
tld Veteran
Joined: 09 Dec 2003 Posts: 1845
|
Posted: Fri Jan 12, 2018 6:06 pm Post subject: |
|
|
I use emerge-webrsync and I had this in my notes around updating the keys: Code: | gpg --homedir=/etc/portage/gpg --refresh-keys | Seems to do the trick.
Tom |
|
Back to top |
|
|
charles17 Advocate
Joined: 02 Mar 2008 Posts: 3684
|
Posted: Sat Jan 13, 2018 6:19 am Post subject: |
|
|
tld wrote: | I use emerge-webrsync and I had this in my notes around updating the keys: Code: | gpg --homedir=/etc/portage/gpg --refresh-keys | Seems to do the trick |
The Handbook article explicitly mentions --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release |
|
Back to top |
|
|
tld Veteran
Joined: 09 Dec 2003 Posts: 1845
|
Posted: Sat Jan 13, 2018 4:01 pm Post subject: |
|
|
charles17 wrote: | tld wrote: | I use emerge-webrsync and I had this in my notes around updating the keys: Code: | gpg --homedir=/etc/portage/gpg --refresh-keys | Seems to do the trick |
The Handbook article explicitly mentions --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release |
Interesting. In my case what i'm doing is correct because I have this in make.conf:
Code: | PORTAGE_GPG_DIR="/etc/portage/gpg" | I know I didn't proactively decide on that, so I think it may have been the suggested location at one time.
Tom |
|
Back to top |
|
|
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1810 Location: PB, Germany
|
Posted: Wed Jan 17, 2018 2:01 pm Post subject: |
|
|
Isn't updating /var/lib/gentoo/gkeys/keyrings/gentoo/release the job of the app-crypt/gentoo-keys package itself? Or does signing the tree with keys coming from the tree violate the trust chain in general?
I tried updating: Code: | # gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release --refresh-keys --keyserver-options http-proxy="http://gateway:8080"
gpg: refreshing 4 keys from hkps://hkps.pool.sks-keyservers.net
gpg: key BB572E0E2D182910: 7 signatures not checked due to missing keys
gpg: key BB572E0E2D182910: 1 bad signature
gpg: key BB572E0E2D182910: "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" 5 new signatures
gpg: key DB6B8C1F96D8BF6D: 11 signatures not checked due to missing keys
gpg: key DB6B8C1F96D8BF6D: "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" 4 new signatures
gpg: key 9E6438C817072058: 80 signatures not checked due to missing keys
gpg: key 9E6438C817072058: "Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@gentoo.org>" 3 new signatures
gpg: key 825533CBF6CD6C97: 2 signatures not checked due to missing keys
gpg: key 825533CBF6CD6C97: "Gentoo-keys Team <gkeys@gentoo.org>" 3 new signatures
gpg: key 825533CBF6CD6C97: "Gentoo-keys Team <gkeys@gentoo.org>" 1 new subkey
gpg: Total number processed: 4
gpg: new subkeys: 1
gpg: new signatures: 15
gpg: no ultimately trusted keys found |
It has updated something. I tried syncing the tree again to see if the warning have disappeared: Code: | Checking signature ...
gpg: Signature made Mi 17 Jan 2018 01:51:39 CET
gpg: using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DCD0 5B71 EAB9 4199 527F 44AC DB6B 8C1F 96D8 BF6D
Subkey fingerprint: E1D6 ABB6 3BFC FB4B A02F DF1C EC59 0EEA C918 9250
Getting snapshot timestamp ...
Syncing local tree ...
| No, still the same issue.
But still the question, in the case when the tree was untrusted due to invalid keys, why did portage continue the sync and did not fail with a big warning? _________________ HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Last edited by Massimo B. on Mon Feb 05, 2018 7:02 am; edited 1 time in total |
|
Back to top |
|
|
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1810 Location: PB, Germany
|
Posted: Wed Jan 31, 2018 8:26 am Post subject: |
|
|
Massimo B. wrote: | Code: | Checking signature ...
gpg: WARNING: This key is not certified with a trusted signature! | No, still the same issue. |
No idea?
People start to understand the necessity of trusted snapshots regarding the latest eselect news: 2018-01-30-portage-rsync-verification
This does not apply to me yet as I moved to sync-type = git for proxy environments and now even back to old sync-type = webrsync just because of the #Validated_Gentoo_repository_snapshots. Will that be obsolete due to the new signing method app-portage/gemato? _________________ HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770 |
|
Back to top |
|
|
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Thu Feb 01, 2018 1:17 am Post subject: |
|
|
Not quite. If a webrsync-gpg validation fails, it aborts the sync and you stay on the old version. If rsync validation fails, you get a warning but you get to keep the pieces, and portage won't tell you again. |
|
Back to top |
|
|
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1810 Location: PB, Germany
|
Posted: Thu Feb 01, 2018 8:13 am Post subject: |
|
|
This would mean the new rsync validation is less secure. Why don't they abort the sync as well, because the validation can only be done when all is already synced? They could at least tell portage to block any update, but even then you can't get the old valid snapshot of the tree back.
I'm still lost why I can't add the GPG keys to trusted and why the untrusted does only warn but not abort. _________________ HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770 |
|
Back to top |
|
|
b52_ n00b
Joined: 14 Nov 2003 Posts: 51 Location: Germany
|
Posted: Sun Feb 04, 2018 4:41 pm Post subject: |
|
|
Hi Massimo,
I had the same issue in the past and was able to solve it with gpg onboard tools..
Quote: | Code: | gpg: using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [unknown]
|
|
..means, this is a GOOD trusted key, everything all right because you decided to trust it, probably because you checked the keyid and it was the id written on the gentoo website. Thus not an error.
Quote: | Code: | gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
|
|
..tells you, well even if you trust that key, it could be from anybody, claiming to be gentoo. This is a Warning, not an error. In weboftrust you need signatures on user ids to prove yours or someones identity.
You can either ignore this warning or simply solve this by signing the gentoo ids with your local key.
First create a local key with
Code: | gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release --full-generate-key |
and then (local) sign the gentoo ids with
Code: | gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release --edit-key <KEYID> lsign |
I read somewhere that you could alternatively trust the gentoo-keys ultimately (5). But I didn't try it.
b52 _________________ May the source be with you! |
|
Back to top |
|
|
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1810 Location: PB, Germany
|
Posted: Mon Feb 05, 2018 7:05 am Post subject: |
|
|
Thanks, that worked, got rid of the warning and have learned about local signing.
But I still wonder about, what I have described in my first comment: If I make that gentoo signature untrusted, then the webrsync still goes on. Shouldn't it stop if the signature is not trusted? This would be the most important about signed snapshots. _________________ HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770 |
|
Back to top |
|
|
charles17 Advocate
Joined: 02 Mar 2008 Posts: 3684
|
Posted: Tue Feb 06, 2018 6:32 am Post subject: |
|
|
Massimo B. wrote: | ... Shouldn't it stop if the signature is not trusted? ... |
IMHO it should. Or better have a customizable (abort / proceed) behavior.
The new rsync tree verification also would not stop |
|
Back to top |
|
|
|