You are not logged in.

#1 2014-11-29 13:12:29

andreicristianpetcu
Member
Registered: 2013-11-30
Posts: 20

Are AUR packages signed? How do I check the signature if they are?

Hi,

Are AUR packages signed? How do I check the signature if they are?

Thank you!

Offline

#2 2014-11-29 13:18:00

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,397
Website

Re: Are AUR packages signed? How do I check the signature if they are?

Since you build them, you can sign them yourself.  If you're asking about the security of the PKGBUILD files and associated files in the AUR:

https://aur.archlinux.org wrote:

DISCLAIMER
Unsupported packages are user produced content. Any use of the provided files is at your own risk.

So yes, someone could inset malicious code into the packages either in the PKGBUILD (not likely) or in the upstream code itself (more likely).  Some packages for example don't build anything but do package precompiled binaries.

Last edited by graysky (2014-11-29 13:19:02)


CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs

Offline

#3 2014-11-29 13:25:50

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Are AUR packages signed? How do I check the signature if they are?

AUR doesn't host binary packages, just text files which you can and should read before building.
What are you trying to accomplish?

Offline

#4 2014-11-29 15:05:39

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,163
Website

Re: Are AUR packages signed? How do I check the signature if they are?

That said, there are separate repositories which host pre-built packages for those in the AUR. Some are signed, others are not.

Last edited by clfarron4 (2014-11-29 15:06:04)


Claire is fine.
Problems? I have dysgraphia, so clear and concise please.
My public GPG key for package signing
My x86_64 package repository

Offline

#5 2014-11-29 17:04:21

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 18,639

Re: Are AUR packages signed? How do I check the signature if they are?

Also, the PKGBUILD, which you can and should audit, does include the cryptographic hashes of all of the source files that the PKGBUILD causes to be be loaded from the Internet.  This allows the PKGBUILD to determine that the sources being obtained are indeed the ones intended by the author and auditor of the PKGBUILD.

Last edited by ewaller (2014-11-29 17:04:47)


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

#6 2014-11-29 17:42:05

andreicristianpetcu
Member
Registered: 2013-11-30
Posts: 20

Re: Are AUR packages signed? How do I check the signature if they are?

Thank you for your answers! Some Aur packages basically wget some tar.gz and uncompress it and I wanted to know if there is a way to test if this is the same archive that I wanted to install. My question started from a discussion regarding operating systems security. A guy at http://defcamp.ro/ managed to inject some evil code in a app update manager on WIndows (I think it was in Samsung Keys). I told him that this cannot be done on most packages on most GNU/Linux distros. Since I am a Arch user I wanted to find out if there is a way (except for reading the pkgbuild) from which I can check the validity of the package. From what I know the files from the other repos are signed (correct me if I'm wrong).

Offline

#7 2014-11-29 18:07:20

Awebb
Member
Registered: 2010-05-06
Posts: 5,986

Re: Are AUR packages signed? How do I check the signature if they are?

Uh, I never noticed that there are no checksums for the AUR tarballs!

Offline

#8 2014-11-29 19:53:20

falconindy
Developer
From: New York, USA
Registered: 2009-10-22
Posts: 4,111
Website

Re: Are AUR packages signed? How do I check the signature if they are?

andreicristianpetcu wrote:

Thank you for your answers! Some Aur packages basically wget some tar.gz and uncompress it and I wanted to know if there is a way to test if this is the same archive that I wanted to install.

Archives downloaded by PKGBUILDs are never the same as the archive you want to install. Are you referring to PKGBUILDs which just repackage .deb or .rpm archives? As mentioned, there's checksums (typically of zero benefit to security), and sometimes GPG signatures provided by upstream. But, this is only a part of the process. The attack surface is wider than just the source tarball and the PKGBUILD. Consider that you don't even need a PKGBUILD to create a package which pacman understands.

andreicristianpetcu wrote:

I told him that this cannot be done on most packages on most GNU/Linux distros.

No, it absolutely can. All operating systems are prone to attack by social engineering and can fall victim to lax system administration. The "Linux doesn't get virii" mantra is a falsehood propagated by people relying on statistics rather than actual operating system features and security practices.

andreicristianpetcu wrote:

Since I am a Arch user I wanted to find out if there is a way (except for reading the pkgbuild) from which I can check the validity of the package.

Given an arbitrary archive foo-1-1-x86_64.pkg.tar.xz, there is absolutely no way to determine what PKGBUILD was used to build it. This is a key reason why signing binary packages in the repositories is important!

andreicristianpetcu wrote:

From what I know the files from the other repos are signed (correct me if I'm wrong).

Right, in order to assert provenance of a package. If the signature for a package is valid, you can assume that you have a copy of the package which a developer or TU built.

Offline

#9 2014-11-30 07:51:06

Awebb
Member
Registered: 2010-05-06
Posts: 5,986

Re: Are AUR packages signed? How do I check the signature if they are?

So, how do I know the tarball I have is the tarball I wanted to download from the AUR?

Offline

#10 2014-11-30 08:03:59

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Are AUR packages signed? How do I check the signature if they are?

Check the contents of what you downloaded.

Offline

#11 2014-11-30 08:22:06

smirky
Member
From: Bulgaria
Registered: 2013-02-23
Posts: 273
Website

Re: Are AUR packages signed? How do I check the signature if they are?

Awebb wrote:

So, how do I know the tarball I have is the tarball I wanted to download from the AUR?

Let me put it this way. This is a Linux distribution with somewhat great reputation and as it happens, it uses https for it's website. Therefore you can rely on the fact that if you download something from this website and the TLS certificate is correct and confirmed, then there's a 99.99...% chance that you downloaded the correct tarball. After the download itself, it's up to you to inspect the contents of the PKGBUILD and it's attachments (if any) and confirm for yourself that they would do exactly what they are suppose to do. Signatures are just to show who's in the keyring for trust and who's not. In AUR, there's a lot of signatures that aren't validated and skipped, but you are warned about AUR packages that they are not officially supported.


Personal spot  ::  https://www.smirky.net/  ::  Try not to get lost!

Offline

#12 2014-11-30 12:10:01

Awebb
Member
Registered: 2010-05-06
Posts: 5,986

Re: Are AUR packages signed? How do I check the signature if they are?

HTTPS, yes, that should be sufficient. Okay, next scenario: I have downloaded this file an hour ago and want to learn more about its integrity.

Okay, I'll cut the crap: I'm just puzzled, that there are no checksums for the tarballs. That's rather unusual in the Linux world. I usually have to feel guilty, because I don't check them most of the time I download an image, but not here. Should we? Do we need? Discuss -> bugreport or don't worry -> be happy?

Offline

#13 2014-11-30 12:23:35

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Are AUR packages signed? How do I check the signature if they are?

Checksums / cryptographical signing can tell you if the files are the same, but you still need to check what that PKGBUILD and other files do before building the package.

Offline

#14 2014-11-30 12:51:30

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 27,053
Website

Re: Are AUR packages signed? How do I check the signature if they are?

A checksum of the tarball wouldn't do any good at all.  That could verify that what you downloaded was what the submitter uploaded, that's it.  The problem is that would only check for transmission errors: did it get mangled en route from the AUR server to your computer.  Certainly this might seem worth checking - but if this happened, the mangling would be random.  A random mangling of bits in the tarball binary data would not lead to a tarball that could be extracted, built by makepkg, installed, and have some malicious code in it.  Most likely it would not successfully be extracted.  Or if it was, it would likely not produce a valid PKGBUILD.  Getting functional malicious code from a random bit mangling would be about as likely as getting an X-Men-style super hero from a random genetic mutation rather than a non-viable embryo.

One would not worry nearly as much about this random bit mutation due to a transmission error as they would the intentional and deliberate insertion of malicious code.  But anyone who had access to change the tarball that you would download in such a way to insert this code could also change the checksum.  The checksum can only verify that what you got was what some random person on the internet wanted you to get.  That provides no protection against malicious intent.

The same could be said, of course, about signed binary packages in the repos -  that is if one just adds any random key they find to their list of trusted keys.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#15 2014-11-30 23:25:00

vorbote
Member
From: 8375 ft closer to the stars
Registered: 2011-02-07
Posts: 38
Website

Re: Are AUR packages signed? How do I check the signature if they are?

And there are other considerations. AUR's design is flawed. How do I, as a packager, sign my PGGBUILD so that you know it hasn't been tampered with between my hard drive, the AUR and you? To include the signature in the upload tarball I need to include it in the PKGBUILD's file array and to do that I should add a cryptohash in the checksums array, that modifies the PKGBUILD and invalidates the signature. A classic catch-22.

Besides, what reason do you have to trust the PGP keys I use to sign my AUR PKGBUILDs if you have to download them from a server in the internet that *doesn't use* TLS for data connection and delivery (gnupgp's fault[2]), and the other 14 reasons you should not use PGP[2]? Hell!, gnupg is bizantine and "smart" people may not get it[1].

You cannot be too cautious and should follow all the advice given above this post. I agree that there are people that shouldn't be allowed to write a PKGBUILD, much less be allowed to upload it to the AUR but, you gets what you pays for. When you find an AUR PKGBUILD that smells bad, contact the maintainer. If he or she doesn't listen or simply don't give a squat, ask for an orphaning and take over to fix it yourself or for a deletion using the "File request" option.

[1] https://www.mailpile.is/blog/2014-10-07 … GnuPG.html
[2] http://secushare.org/PGP


I break things and put them back together for fun and sometimes profit, because it is the only way to learn.

Offline

#16 2014-12-01 10:58:22

Awebb
Member
Registered: 2010-05-06
Posts: 5,986

Re: Are AUR packages signed? How do I check the signature if they are?

We can now conclude, that AUR package security is based on a) HTTPS trustworthiness and b) manual inspection of ALL the files in the tarball. We can also assume, that nobody in the chain is really interested in changing that, because the unofficial nature of the AUR should create a state of mind that enforces responsibility and caution. This is pretty close to the reason, why no AUR helper will find its way into the default repositories.

My curiosity has been satisfied, I would be fine with marking this thread as solved.

Offline

#17 2014-12-01 12:58:33

progandy
Member
Registered: 2012-05-17
Posts: 5,004

Re: Are AUR packages signed? How do I check the signature if they are?

vorbote wrote:

And there are other considerations. AUR's design is flawed. How do I, as a packager, sign my PGGBUILD so that you know it hasn't been tampered with between my hard drive, the AUR and you? To include the signature in the upload tarball I need to include it in the PKGBUILD's file array and to do that I should add a cryptohash in the checksums array, that modifies the PKGBUILD and invalidates the signature. A classic catch-22.

A PKGBUILD signature is not part of the established procedure, but can be easily added. There is no catch-22. You don't need a crypto-hash for the signature, SKIP is perfectly fine for that. You don't have to verify the integrity of the signature, that happens automatically during the PKGBUILD verification. You could also manually add the signature file with e.g. bsdtar just before you upload the archive (mkaurball does something similar for .AURINFO)
A signature for the whole archive is also possible, but you'll have to use a separate distribution channel (e.g. you own website, github, ...) to provide it to the users.


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#18 2014-12-01 13:38:34

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 27,053
Website

Re: Are AUR packages signed? How do I check the signature if they are?

Also, to reiterate my points above, a signed AUR tarball would be absolutely meaningless.  As is, the security threat is that the AUR tarballs come from a collection of random people on the internet.  What's the difference between a tarball that comes from a random person on the internet, and another one that I can verify comes from a random person on the internet.

Signing only verifies a source [1].  It does nothing to lend credibility to that source.  And anyone who thinks it does - e.g., anyone who thinks one could advertise "my packages are signed" as if it was some benefit - is just not thinking through what the actual security threats are.

[1] a lot like a guarantee on a box: https://www.youtube.com/watch?v=a5dpBpaFiMo


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#19 2014-12-01 16:06:21

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 18,639

Re: Are AUR packages signed? How do I check the signature if they are?

Interesting point, Trilby.   But there is some utility to knowing who the random person is -- by attaching a verifiable name to a file, we know who to blame.
I would hope that by putting one's name on something would be reason to create something that is neither low quality or (worse) something belligerent.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

#20 2014-12-01 16:18:38

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 27,053
Website

Re: Are AUR packages signed? How do I check the signature if they are?

But our (user/account) names are already on them.  Stray passers-by cannot submit tarballs to the AUR server - they must have an account.  This provides as reliable of an indicator of identity as does a digital signature.  That's why I argue the signature for AUR tarballs would only prevent data corruption in transit (from packager to aur, and/or from aur to our computers), they provide no security against malevolent intent.

If you check the AUR website for packages submitted by Trilby, those are mine; I submitted them.  My digital signature would not provide any further assurance of that.  Now whether or not you believe this Trilby character can be trusted not to intentionally damage your system is an entirely different question.  Putting my stamp on the box (a digital signature) shouldn't change that assessment in the slightest.  I could package a fork-bomb and digitally sign it ... the signature says nothing of the safety of what's in the signed bundle.

To be fair, the signature would provide protection against someone hacking my account and submitting things under my name.  But that'd be the only benefit.  And if this happens, it's not so likely that someone hacked the https aur server - getting access to my personal computer would be a much easier attack.  And if they had physical access to my computer there would be little stopping them from using my digital signature and/or publishing a new replacement public key on one of my websites.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#21 2014-12-01 17:34:29

vorbote
Member
From: 8375 ft closer to the stars
Registered: 2011-02-07
Posts: 38
Website

Re: Are AUR packages signed? How do I check the signature if they are?

progandy wrote:

A PKGBUILD signature is not part of the established procedure, but can be easily added. There is no catch-22. You don't need a crypto-hash for the signature, SKIP is perfectly fine for that. You don't have to verify the integrity of the signature, that happens automatically during the PKGBUILD verification. You could also manually add the signature file with e.g. bsdtar just before you upload the archive (mkaurball does something similar for .AURINFO)
A signature for the whole archive is also possible, but you'll have to use a separate distribution channel (e.g. you own website, github, ...) to provide it to the users.

Doing as you propose weakens the purpose of guaranteeing that the external signature itself is not tampered with in the AUR database in any way, which would be my first priority as the PKGBUILD upstream because I can't be sure that there is no adversary with priviledged access to the AUR data. Heck! You don't know if one of the Devs or TUs is not a three-letter agency mole.

So, no. I don't buy your arguments nor Trilby's. But as you both have a lot more posts than I in the forum, you are both obviously correct. End of discussion.

Last edited by vorbote (2014-12-01 17:35:01)


I break things and put them back together for fun and sometimes profit, because it is the only way to learn.

Offline

#22 2014-12-01 18:14:31

progandy
Member
Registered: 2012-05-17
Posts: 5,004

Re: Are AUR packages signed? How do I check the signature if they are?

vorbote wrote:

Doing as you propose weakens the purpose of guaranteeing that the external signature itself is not tampered with in the AUR database in any way, which would be my first priority as the PKGBUILD upstream because I can't be sure that there is no adversary with priviledged access to the AUR data. Heck!

If you have verified the public key, this is enough to detect a bad pkgbuild as well as a bad signature. There is no need for additional checksums. It seems you need to learn more about signatures. It is impossible to create a signature that signs its own hash.

Edit:

You don't know if one of the Devs or TUs is not a three-letter agency mole.

That is always a risk. You have to decide who to trust and how much effort you put into secure communications.

Last edited by progandy (2014-12-01 19:44:07)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#23 2014-12-01 19:12:56

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 18,639

Re: Are AUR packages signed? How do I check the signature if they are?

vorbote wrote:

...But as you both have a lot more posts than I in the forum, you are both obviously correct. End of discussion.

What got your panties in a bunch?  I saw nothing that looked like an attack, or that you were in someway wrong because of a lack of posts.
Was there a reason to take what had been a reasonable discussion and trash it by making the assertion that because someone has more posts, they must be correct?

Please keep this a technical discussion.

Last edited by ewaller (2014-12-01 19:30:29)


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

#24 2014-12-01 19:20:54

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 27,053
Website

Re: Are AUR packages signed? How do I check the signature if they are?

Indeed I have no idea why I was even included in that post - I wasn't replying to your points, vorbote.  As I read them, your points seem to fit your location well and may see the current AUR system as far more flawed than I would - but on the broad strokes of whether or not pgp signing would help the situation any, we seem to agree.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#25 2014-12-01 20:39:26

smirky
Member
From: Bulgaria
Registered: 2013-02-23
Posts: 273
Website

Re: Are AUR packages signed? How do I check the signature if they are?

Trilby wrote:

I could package a fork-bomb and digitally sign it ...

Amin to that big_smile


Personal spot  ::  https://www.smirky.net/  ::  Try not to get lost!

Offline

Board footer

Powered by FluxBB