You are not logged in.

#1 2022-06-04 17:58:03

volker_weissmann
Member
Registered: 2020-01-05
Posts: 71

[SOLVED] Understanding package signing threat model

If a PKGBUILD contains the line

validpgpkeys=(123456)

and this key is not in your keyring, makepkg will fail with

==> Verifying source file signatures with gpg...
    file ... FAILED (unknown public key 123456)

But I don't understand the thread model here. Why does makepkg check if the key 123456 is in my keyring? If I don't trust the PKGBUILD file, running makepkg is already game over and if I do trust the PKGBUILD file, I know that 123456 is the correct PGP key.

I understand why it checks the signature at all - if I trust the PKGBUILD file, but not the server it downloads code from (or the server does not use TLS) I should not use --skippgpcheck. But why is there no --use-pgp-key-from-validpgpkeys-even-if-its-not-in-keyring flag?

Last edited by volker_weissmann (2022-06-04 23:39:58)

Offline

#2 2022-06-04 18:10:16

dogknowsnx
Guest

Re: [SOLVED] Understanding package signing threat model

#3 2022-06-04 18:19:32

volker_weissmann
Member
Registered: 2020-01-05
Posts: 71

Re: [SOLVED] Understanding package signing threat model

I  read that. I know what makepkg does, I just do not understand why it does that.

Offline

#4 2022-06-04 18:29:37

progandy
Member
Registered: 2012-05-17
Posts: 5,319

Re: [SOLVED] Understanding package signing threat model

You need the public key to verify a signature. makepkg does not automatically fetch that key, but you could set up gpg to do that. (See auto-key-retrieve


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' | alias ENGLISH='LANG=C.UTF-8 ' |

Offline

#5 2022-06-04 18:35:38

volker_weissmann
Member
Registered: 2020-01-05
Posts: 71

Re: [SOLVED] Understanding package signing threat model

progandy wrote:

You need the public key to verify a signature. makepkg does not automatically fetch that key, but you could set up gpg to do that. (See auto-key-retrieve

Is there a reason why makepkg does not automatically fetch that key?

Offline

#6 2022-06-04 18:43:43

dogknowsnx
Guest

Re: [SOLVED] Understanding package signing threat model

volker_weissmann wrote:

and this key is not in your keyring, makepkg will fail

Thankfully it does so. If you already trust the source, simply edit the PKGBUILD instead of asking makepkg to undermine its own safety measures...

Last edited by dogknowsnx (2022-06-04 18:46:25)

#7 2022-06-04 19:00:34

volker_weissmann
Member
Registered: 2020-01-05
Posts: 71

Re: [SOLVED] Understanding package signing threat model

dogknowsnx wrote:
volker_weissmann wrote:

and this key is not in your keyring, makepkg will fail

Thankfully it does so. If you already trust the source, simply edit the PKGBUILD instead of asking makepkg to undermine its own safety measures...

What do you mean with "source"? Are you talking about the PKGBUILD? If you do not trust PKGBUILD, running makepkg is game over either way.
Why would you trust the PKGBUILD but not the key inside the PKGBUILD?

Offline

#8 2022-06-04 19:11:41

dogknowsnx
Guest

Re: [SOLVED] Understanding package signing threat model

I think we're talking past each other. You're suggesting a picklock-flag for makepkg, and my question is why you would possibly want that in its code...

Last edited by dogknowsnx (2022-06-04 19:16:10)

#9 2022-06-04 19:39:33

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 15,186

Re: [SOLVED] Understanding package signing threat model

The pgp key is used to validate files in source= array that are signed with that key.

This vastly reduces the chance someone modified, replaced or hacked those files.


The key is not added automagickally because you're supposed to verify whom the key is from and whether they can be trusted to sign that particular file.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky

Offline

#10 2022-06-04 19:43:51

volker_weissmann
Member
Registered: 2020-01-05
Posts: 71

Re: [SOLVED] Understanding package signing threat model

Lone_Wolf wrote:

The pgp key is used to validate files in source= array that are signed with that key.

This vastly reduces the chance someone modified, replaced or hacked those files.

I get that part.

Lone_Wolf wrote:

The key is not added automagickally because you're supposed to verify whom the key is from and whether they can be trusted to sign that particular file.

But we trust the PKGBUILD file. Otherwise we would not run makepkg. And the PKGBUILD file says that the guy with the key 123456 can be trusted.

Offline

#11 2022-06-04 19:51:43

dogknowsnx
Guest

Re: [SOLVED] Understanding package signing threat model

volker_weissmann wrote:

But we trust the PKGBUILD file. Otherwise we would not run makepkg. And the PKGBUILD file says that the guy with the key 123456 can be trusted.

You trust the PKGBUILD - makepkg has got no AI (hence "automagickally") but has to resort to a keyring...

EDIT: I'm afraid '--skippgpcheck' is the flag you're looking for (I've never used it before, tbh)...

Last edited by dogknowsnx (2022-06-04 21:13:46)

#12 2022-06-04 21:43:41

volker_weissmann
Member
Registered: 2020-01-05
Posts: 71

Re: [SOLVED] Understanding package signing threat model

dogknowsnx wrote:
volker_weissmann wrote:

But we trust the PKGBUILD file. Otherwise we would not run makepkg. And the PKGBUILD file says that the guy with the key 123456 can be trusted.

You trust the PKGBUILD - makepkg has got no AI (hence "automagickally") but has to resort to a keyring...

makepkg is literally executing parts of the PKGBUILD file as shell comands. makepkg trusts the PKGBUILD file.

dogknowsnx wrote:

EDIT: I'm afraid '--skippgpcheck' is the flag you're looking for (I've never used it before, tbh)...

Again, what if I trust the key, but not the server? Then, https://wiki.archlinux.org/title/GPG#Use_a_keyserver is more secure than --skippgpcheck

Offline

#13 2022-06-04 21:52:52

dogknowsnx
Guest

Re: [SOLVED] Understanding package signing threat model

volker_weissmann wrote:

makepkg is literally executing parts of the PKGBUILD file as shell comands. makepkg trusts the PKGBUILD file.

That's generalizing (PKGBUILD is a shell script after all)

#14 2022-06-04 22:57:38

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 76,582

Re: [SOLVED] Understanding package signing threat model

Why does makepkg check if the key 123456 is in my keyring?

Because w/o the key, the signature cannot be verified - "123456" isn't the key but some ID to find it by.

makepkg trusts the PKGBUILD file.

https://wiki.archlinux.org/title/Arch_U … g_packages - see step #2
*You* are required to vet the PKGBUILD, that includes the signature keys.
One might argue that vetting the key does not strictly imply to have added them to your keyring, but in reality, not having added them means that you didn't inspect them and most likely didn't look at the PKGBUILD either.

--use-pgp-key-from-validpgpkeys-even-if-its-not-in-keyring

Is there a reason why makepkg does not automatically fetch that key?

The link progandy posted has a tip and that tip shows how to activate auto-key-retrieve and immeditaly links (more or less) https://man.archlinux.org/man/gpg.1#no- … y-retrieve to explain why that's not the default gpg behavior.

The signatures are tested in /usr/share/makepkg/integrity/verify_signature.sh and you could add the option there if you for some reason don't want it globally but think for makepkg it's ok.
If you want to know/debate whether makepkg should forward that option, this forum is the wrong platform => https://archlinux.org/pacman/#_bugs

Offline

#15 2022-06-04 23:39:36

volker_weissmann
Member
Registered: 2020-01-05
Posts: 71

Re: [SOLVED] Understanding package signing threat model

seth wrote:

Why does makepkg check if the key 123456 is in my keyring?

Because w/o the key, the signature cannot be verified - "123456" isn't the key but some ID to find it by.

makepkg trusts the PKGBUILD file.

https://wiki.archlinux.org/title/Arch_U … g_packages - see step #2
*You* are required to vet the PKGBUILD, that includes the signature keys.
One might argue that vetting the key does not strictly imply to have added them to your keyring, but in reality, not having added them means that you didn't inspect them and most likely didn't look at the PKGBUILD either.

--use-pgp-key-from-validpgpkeys-even-if-its-not-in-keyring

Is there a reason why makepkg does not automatically fetch that key?

The link progandy posted has a tip and that tip shows how to activate auto-key-retrieve and immeditaly links (more or less) https://man.archlinux.org/man/gpg.1#no- … y-retrieve to explain why that's not the default gpg behavior.

The signatures are tested in /usr/share/makepkg/integrity/verify_signature.sh and you could add the option there if you for some reason don't want it globally but think for makepkg it's ok.
If you want to know/debate whether makepkg should forward that option, this forum is the wrong platform => https://archlinux.org/pacman/#_bugs

Ok, thanks. IMHO that is a slight missdesign.  If the public key would be in the .sig file, makepkg could verify the signature of the public key and achieve the same amount of security.

Offline

#16 2022-06-04 23:51:30

loqs
Member
Registered: 2014-03-06
Posts: 18,967

Re: [SOLVED] Understanding package signing threat model

volker_weissmann wrote:

Ok, thanks. IMHO that is a slight missdesign.  If the public key would be in the .sig file, makepkg could verify the signature of the public key and achieve the same amount of security.

https://lists.archlinux.org/archives/li … LHZUJTTG6/

Offline

Board footer

Powered by FluxBB