FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Infrastructure

 
 
LinkBack Thread Tools
 
Old 11-24-2009, 02:33 PM
Todd Zullinger
 
Default Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

Some of you might be aware that the instructions for verifying our
*-CHECKSUM files on Windows have been broken since we moved to SHA256.
Previously, we linked users to a sha1sum.exe built by the GnuPG
project. With SHA256, we don't have that ability.

Fortunately, the good folks working on MingW have made it possible for
us to build a sha256sum.exe from the coreutils sources. We can do
this in koji even. (A huge thanks to Richard Jones for his help and
patches.)

Much of this is discussed at https://bugzilla.redhat.com/527060.

I've created a simple mingw32-sha256sum package, built it in koji and
tested it on the lone Windows XP system I have readily available. Of
course, I just built this as a scratch build, so it will expire at
some point.

What I'm here for is to gather ideas for how to properly go about
building the mingw32-sha256sum and keeping it around so that when I
extract the sha256sum.exe and upload it to fedoraproject.org we will
have the koji built rpm to compare the binary against. Otherwise, the
whole process falls back to "Trust that Todd didn't trojan the
executable." And while I'd be flattered if folks had that much trust
in me, I think it would be unwise to encourage or expect.

(I really don't want to maintain the mingw32-sha256sum package for
Fedora, as it's just a quick and dirty hack to built a small subset of
of coreutils for Windows.)

Thoughts?

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
Courage is not the absence of fear, but rather the judgment that
something else is more important than fear.
-- Ambrose Redmoon

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
 
Old 11-24-2009, 03:25 PM
Jesse Keating
 
Default Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

On Tue, 2009-11-24 at 10:33 -0500, Todd Zullinger wrote:
> Some of you might be aware that the instructions for verifying our
> *-CHECKSUM files on Windows have been broken since we moved to SHA256.
> Previously, we linked users to a sha1sum.exe built by the GnuPG
> project. With SHA256, we don't have that ability.
>
> Fortunately, the good folks working on MingW have made it possible for
> us to build a sha256sum.exe from the coreutils sources. We can do
> this in koji even. (A huge thanks to Richard Jones for his help and
> patches.)
>
> Much of this is discussed at https://bugzilla.redhat.com/527060.
>
> I've created a simple mingw32-sha256sum package, built it in koji and
> tested it on the lone Windows XP system I have readily available. Of
> course, I just built this as a scratch build, so it will expire at
> some point.
>
> What I'm here for is to gather ideas for how to properly go about
> building the mingw32-sha256sum and keeping it around so that when I
> extract the sha256sum.exe and upload it to fedoraproject.org we will
> have the koji built rpm to compare the binary against. Otherwise, the
> whole process falls back to "Trust that Todd didn't trojan the
> executable." And while I'd be flattered if folks had that much trust
> in me, I think it would be unwise to encourage or expect.
>
> (I really don't want to maintain the mingw32-sha256sum package for
> Fedora, as it's just a quick and dirty hack to built a small subset of
> of coreutils for Windows.)
>
> Thoughts?

Well, if you have to use a tool from the project, to verify other bits
from the project, the verification just became a lot less trusted. If
you don't trust the bits you got from the project, why would you trust
the tool the project gives you to verify the bits? "Here use this tool
to verify our bits. Trust us, we swear!"

--
Jesse Keating
Fedora -- Freedom˛ is a feature!
identi.ca: http://identi.ca/jkeating
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
 
Old 11-24-2009, 03:46 PM
Jeroen van Meeuwen
 
Default Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

On 11/24/2009 05:25 PM, Jesse Keating wrote:
> On Tue, 2009-11-24 at 10:33 -0500, Todd Zullinger wrote:
>> (I really don't want to maintain the mingw32-sha256sum package for
>> Fedora, as it's just a quick and dirty hack to built a small subset of
>> of coreutils for Windows.)
>>
>> Thoughts?
>
> Well, if you have to use a tool from the project, to verify other bits
> from the project, the verification just became a lot less trusted. If
> you don't trust the bits you got from the project, why would you trust
> the tool the project gives you to verify the bits? "Here use this tool
> to verify our bits. Trust us, we swear!"
>

While this is completely true for, say winxpsp2.iso vs. m$-md5um.exe,
mind that the sources to sha256sum.exe are actually available and can be
verified on a completely verifiable stack one does already trust
(verifiable except for x86 CPU inaccuracy of course).

If not the transparency helps to boost the trustworthiness, or if that's
not trustworthy enough, then how does one verify a binary rpm actually
comes from the source that is shipped alongside with it, not to even
mention gnupg shipped by Fedora against RPMs shipped by Fedora.

Then, if trust was anything worth being concerned about why would you
even need a .exe in the first place? For all you know the OS itself
makes the .exe say OK or NOT OK in very, very arbitrary ways you can't
verify.

The goal is, of course, to verify the .iso against what is listed as
it's sha256sum. Whether the tools ultimately come from the same source
doesn't matter. It should, though, be advisable to not include the
sha246sum.exe on the mirrors, and only serve the file over http over ssl.

-- Jeroen

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
 
Old 11-24-2009, 05:06 PM
Todd Zullinger
 
Default Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

Jesse Keating wrote:
> Well, if you have to use a tool from the project, to verify other
> bits from the project, the verification just became a lot less
> trusted. If you don't trust the bits you got from the project, why
> would you trust the tool the project gives you to verify the bits?
> "Here use this tool to verify our bits. Trust us, we swear!"

At some point, people need to bootstrap. The situation now is that
there isn't a well trusted tool on Windows that we can point users to
for verifying the *-CHECKSUM files (if you know differently, please
let me know). I'd like to improve that by providing a sha256sum.exe
that we can provide source code for, just as any decent cryptographic
tool should have.

I also think it's important to keep in mind that the use for the
sha256sum.exe is to verify that the bits they downloaded are intact,
not that they have not been altered. To verify authenticity, checking
the PGP signature on the *-CHECKSUM file is required. We explain how
to do both on https://fedoraproject.org/verify. Many users,
especially Windows users, only care about verifying the data's
integrity.

I believe that providing a sha256sum.exe via https://fp.o/ is surely
an improvement over "Download the .iso and hope it works or check it
with some third-party checksum tool that we can't even hope to
verify."

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
You will rue this day! Well, go on! Start ruing!
-- Stewie Griffin

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
 
Old 11-24-2009, 05:08 PM
Todd Zullinger
 
Default Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

Jeroen van Meeuwen wrote:
> The goal is, of course, to verify the .iso against what is listed as
> it's sha256sum. Whether the tools ultimately come from the same
> source doesn't matter. It should, though, be advisable to not
> include the sha246sum.exe on the mirrors, and only serve the file
> over http over ssl.

Indeed, that's the plan. It would be served up via SSL, just as the
GPG keys and *-CHECKSUM files are currently. That way, if someone
comes to https://fedoraproject.org/verify, they at least have our SSL
certificate as a starting point for trust.

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
Chemistry is applied theology.
-- Augustus Owsley Stanley

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
 
Old 11-24-2009, 05:13 PM
Jesse Keating
 
Default Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

On Tue, 2009-11-24 at 13:06 -0500, Todd Zullinger wrote:
> I believe that providing a sha256sum.exe via https://fp.o/ is surely
> an improvement over "Download the .iso and hope it works or check it
> with some third-party checksum tool that we can't even hope to
> verify."

I agree, I just wanted to point out the catch-22.

--
Jesse Keating
Fedora -- Freedom˛ is a feature!
identi.ca: http://identi.ca/jkeating
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
 
Old 11-24-2009, 05:23 PM
Todd Zullinger
 
Default Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

Jesse Keating wrote:
> I agree, I just wanted to point out the catch-22.

Heh. I'm sorry if I came off a bit defensive.

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
The most overlooked advantage to owning a computer is that if they
foul up, there's no law against whacking them around a little.
-- Eric Porterfield

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
 
Old 11-24-2009, 08:57 PM
Allen Kistler
 
Default Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

Jesse Keating wrote:
> Well, if you have to use a tool from the project, to verify other bits
> from the project, the verification just became a lot less trusted. If
> you don't trust the bits you got from the project, why would you trust
> the tool the project gives you to verify the bits? "Here use this tool
> to verify our bits. Trust us, we swear!"

I have the same opinion of signing the page with the hashes. The pages
that list the hashes for F12 are:

https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
https://fedoraproject.org/static/checksums/Fedora-12-x86_64-CHECKSUM

They are PGP-signed using *self-signed* keys listed in:

https://fedoraproject.org/static/fedora.gpg

One web page is signed using keys on another web page. So someone

1. Downloads the ISOs
2. Checks the hash vs. the web page
3. Checks the signature on the web page vs. a key on another web page
4. Cannot check the key

Unless you want people to:

4. Check the key vs. the one on the ISOs

which gets circular.

If we don't trust the page which has the hashes, why do we trust the
page which has the keys more? If someone can alter the ISOs and then
alter the published hashes to hide their tracks, why not alter the
published keys, as well? Ultimately I'm wondering what problem we're
solving by signing the web page in the first place.

Sign the hash page with a key which descends from a verifiable, trusted
root (even a key signed by the release manager would be better than
self-signed), or don't sign the page. I lean toward not signing, and
IRL I'm a paranoid security guy.

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
 
Old 11-24-2009, 09:27 PM
Todd Zullinger
 
Default Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

Allen Kistler wrote:
> I have the same opinion of signing the page with the hashes. The pages
> that list the hashes for F12 are:
>
> https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
> https://fedoraproject.org/static/checksums/Fedora-12-x86_64-CHECKSUM
>
> They are PGP-signed using *self-signed* keys listed in:
>
> https://fedoraproject.org/static/fedora.gpg
>
> One web page is signed using keys on another web page. So someone
>
> 1. Downloads the ISOs
> 2. Checks the hash vs. the web page
> 3. Checks the signature on the web page vs. a key on another web page
> 4. Cannot check the key
>
> Unless you want people to:
>
> 4. Check the key vs. the one on the ISOs
>
> which gets circular.
>
> If we don't trust the page which has the hashes, why do we trust the
> page which has the keys more? If someone can alter the ISOs and
> then alter the published hashes to hide their tracks, why not alter
> the published keys, as well? Ultimately I'm wondering what problem
> we're solving by signing the web page in the first place.
>
> Sign the hash page with a key which descends from a verifiable,
> trusted root (even a key signed by the release manager would be
> better than self-signed), or don't sign the page. I lean toward not
> signing, and IRL I'm a paranoid security guy.

To be fair, the *-CHECKSUM files were only added to
https://fedoraproject.org/static/checksums/ recently (F-11). And they
are still widely available via mirrors and bit torrent. The GPG
signatures are quite useful for anyone downloading the CHECKSUM files
by those methods.

I don't mind that the GPG keys are role keys and are not signed by
(m)any other keys (though Jesse has signed some of them in the past).
Using SSL to get the keys seems reasonable to me. All trust has to
start somewhere.

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
Some of the narrowest minds are found in the fattest heads.
-- Anonymous

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
 
Old 11-25-2009, 02:32 AM
Bruno Wolff III
 
Default Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

On Tue, Nov 24, 2009 at 10:33:16 -0500,
Todd Zullinger <tmz@pobox.com> wrote:
>
> What I'm here for is to gather ideas for how to properly go about
> building the mingw32-sha256sum and keeping it around so that when I
> extract the sha256sum.exe and upload it to fedoraproject.org we will
> have the koji built rpm to compare the binary against. Otherwise, the
> whole process falls back to "Trust that Todd didn't trojan the
> executable." And while I'd be flattered if folks had that much trust
> in me, I think it would be unwise to encourage or expect.

I was thinking about what the gpl requirements are for publishing
executables built with mingw are for another project that might be
set up on fedorahosted. Since mingw stuff is likely to include staticly
linked libraries, I think you need to have pointers to the sources for
the versions of all of the included libraries.

So while I haven't asked someone about this before, I was thinking that
I would probably need to determine the libraries that got linked in and
then note the versions that were used to do the build and include links
into koji for all of the involved src rpms prominently on the download
page.

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
 

Thread Tools




All times are GMT. The time now is 07:29 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org