Old 03-03-2012, 02:25 PM
Pierre Schmitz
 
Why need keyrings to be signed?

Hi all,

while working on our keyring package again I am still stuck at this
question. pacman-key --populate checks if the files to import are
signed. The man page tells us:

This prevents a potentially malicious repository
adding keys to the pacman keyring without the user's knowledge.

But I don't get the reasoning here at all. If I install a malicious
package, its install function is run as root and can do anything;
including bypassing the --populate function and calling gpg directly. If I
miss anything here please let me know as I couldn't find out.

Removing this check would save me from reinventing the wheel and I
wouldn't have to create a script which does exactly what --populate does
but without the check. This check prevents us from a simple bootstrap;
and we gain no improved security if we let the user do it manually.
(think about what a malicious package would do)

In detail this means removing the call to verify_keyring_input in
pacman-key and then removing the now unused functions verify_keyring_input
and validate_with_gpg.

Greetings,

Pierre

--
Pierre Schmitz, http://pierre-schmitz.com
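As an added illustration (not code from this thread or from pacman itself) of the check Pierre describes, here is a minimal shell version of the verify-then-import step that --populate performs, refusing any keyring file whose detached signature is missing or does not verify. It assumes a constructed layout of `<name>.gpg` files with `<name>.gpg.sig` beside them, a trusted verification keyring path and a target keyring path; the thread's point that a root install script can bypass such a check is noted in the comments.

```shell
#!/bin/sh
# Added illustration, not pacman's own code: a minimal verify-then-import
# flow of the kind `pacman-key --populate` performs before importing keyring
# files. Assumed layout (constructed): <name>.gpg with a detached
# <name>.gpg.sig, a trusted verification keyring, and the target keyring.
# Note: this only protects the --populate path; a package install script
# running as root can call gpg on the keyring directly and skip it entirely.
set -u

# Verify the detached signature of one keyring file against only the trusted
# keyring. Returns non-zero if the signature is missing or does not verify.
verify_keyring_input() {
    file=$1
    trusted=$2
    if [ ! -f "$file.sig" ]; then
        echo "no detached signature for $file" >&2
        return 1
    fi
    gpg --batch --no-default-keyring --keyring "$trusted" \
        --verify "$file.sig" "$file" >/dev/null 2>&1
}

# Import every keyring file in a directory into the target keyring, but only
# those whose signature verified. Returns 1 if any file was refused.
populate_keyring() {
    dir=$1
    trusted=$2
    target=$3
    status=0
    for f in "$dir"/*.gpg; do
        [ -e "$f" ] || continue
        if verify_keyring_input "$f" "$trusted"; then
            gpg --batch --no-default-keyring --keyring "$target" \
                --import "$f" >/dev/null 2>&1 || status=1
        else
            echo "refusing to import $f" >&2
            status=1
        fi
    done
    return "$status"
}
```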
 
Old 03-04-2012, 04:06 AM
Allan McRae
 
Why need keyrings to be signed?

On 04/03/12 01:25, Pierre Schmitz wrote:
> Hi all,
>
> while working on our keyring package again I am still stuck at this
> question. pacman-key --populate checks if the files to import are
> signed. The man page tells us:
>
> This prevents a potentially malicious repository
> adding keys to the pacman keyring without the user's knowledge.
>
> But I don't get the reasoning here at all. If I install a malicious
> package, its install function is run as root and can do anything;
> including bypassing the --populate function and calling gpg directly. If I
> miss anything here please let me know as I couldn't find out.
>
> Removing this check would save me from reinventing the wheel and I
> wouldn't have to create a script which does exactly what --populate does
> but without the check. This check prevents us from a simple bootstrap;
> and we gain no improved security if we let the user do it manually.
> (think about what a malicious package would do)
>
> In detail this means removing the call to verify_keyring_input in
> pacman-key and then removing the now unused functions verify_keyring_input
> and validate_with_gpg.


I cannot think of a situation where you could edit the keyring files
but not access the pacman keyring directly... Unless someone else can
think of a good reason to keep this, I would agree to removing that
requirement.

Allan
 
