Unable to validate software images...

Moderators: odroid, mdrjr

Unable to validate software images...

Unread postby jrzagar » Fri Jul 13, 2018 4:15 am

Especially with all the recent news about compromised linux distributions (Arch, Gentoo, etc). I'm surprised to see that the md5sum files for your OS images don't have a gpg signature on them...

In the event someone compromises your mirror, having a gpg signature on the md5sum file means that you can
(a) detect a corrupted image file, and
(b) can detect an altered md5sum file

As things stand right now, anyone who manages to compromise your files can also fake the md5sum file as well. Here's an example:

I've had a PGP key published on pgp.mit.edu since 2003 <jrzagar@cactus.org>... I generated a temporary file by calculating md5 checksums on some files in /etc
Code: Select all
md5sum /etc/* 2>/dev/null | head -n 20 > temp


and then I "signed" it by
Code: Select all
gpg -u jrzagar@cactus.org --clearsign temp

This created a temp.asc file I've included below...


Code: Select all
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

42d13304ed2e9e5b60b74d6ed29b3729  /etc/fonts/conf.d/README
2da04c1a4d924c13d23452675ef36c9a  /etc/fonts/conf.d/25-no-bitmap-fedora.conf
751a14ccc37c9ecf41a419e0ba3f142b  /etc/fonts/fonts.conf
7fcaf231c722b766221e2f19f01e411f  /etc/cups/client.conf
754c4babdbce811599abe3e31c5c118b  /etc/cups/paps.convs
2326a8af1e112676d55245bc5eb459ca  /etc/cups/snmp.conf
7835deb34a124e28daf8e7e85ddea7e7  /etc/cups/client.conf,v
5733ff6d5fcdbb427cd9f0100e64a416  /etc/cups/cups-browsed.conf
d41d8cd98f00b204e9800998ecf8427e  /etc/cups/lpoptions
d41d8cd98f00b204e9800998ecf8427e  /etc/subgid
d0709c38348ee6120ca9248543abf135  /etc/yp.conf.rpmnew
7137bdf40e8d58c87ac7e3bba503767f  /etc/iproute2/rt_realms
fd070252e6e9996bd04d9d59e4ce21eb  /etc/iproute2/bpf_pinning

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAltHezYACgkQrJr8p/YoerEamQCfae9N9VQHuGd1AnX+qvXgT6uF
8NkAoKMVrY0WeY1RKvvADQXgqgKlFMId
=0r9D
-----END PGP SIGNATURE-----


With GPG, you can verify the files authenticity quite easily, so you know the file was created by me.
Code: Select all
[zagar@bofh ~]$ gpg --verify temp.asc
gpg: Signature made Thu 12 Jul 2018 11:00:54 AM CDT using DSA key ID F6287AB1
gpg: Good signature from "Randy Zagar <jrzagar@cactus.org>"


If someone tampers with my files, they won't have the same md5 checksum. If someone tampers with my files *and* modifies the md5sum file, it'll fail the 'gpg --verify'. If someone manages to compromise my gpg key, like they did for Fedora back in the day, well, you just revoke your old key and create a new one...

All you need is to create an email alias odroid-security@odroid.com, create a PGP(GPG) key using that email address, and publish it on MIT's pgp key server. Then you can sign files just as I've done above. And it wouldn't hurt for you to document your PGP key on your website so we know your key wasn't created by some faker in Latveria.
jrzagar
 
Posts: 2
Joined: Fri Jul 13, 2018 12:36 am
languages_spoken: english
ODROIDs: ODROID XU4

Re: Unable to validate software images...

Unread postby rooted » Fri Jul 13, 2018 6:33 am

Not a bad idea, I'm always for better security
User avatar
rooted
 
Posts: 5700
Joined: Fri Dec 19, 2014 9:12 am
Location: Gulf of Mexico, US
languages_spoken: english
ODROIDs: C1, C1+, C2
XU3 Lite, XU4
N1
VU7+
HiFi Shield 2
Smart Power (original)

Re: Unable to validate software images...

Unread postby elatllat » Fri Jul 13, 2018 7:15 am

Someone could still inject garbage before the signing, mainlining the out-of-tree stuff, with predictable builds would help, but that's work.
elatllat
 
Posts: 1068
Joined: Tue Sep 01, 2015 8:54 am
languages_spoken: english
ODROIDs: XU4, N1

Re: Unable to validate software images...

Unread postby jrzagar » Tue Jul 17, 2018 6:31 am

True, but vendors/publishers generally do validation and signing on private resources that hostile third-parties can't easily access. It's no different than how you'd (responsibly!) operate a Certificate Authority, with your RootCA certificates and signing keys not reachable by online hackers. For the very limited scope of signing the md5sums file, the person who's responsible for maintaining the images should sign *before* it's posted to the public site.

I haven't even wanted to mention that MD5 checksums aren't considered safe anymore... which is why RedHat et. al. started pushing SHA256 checksums back in 2014.
jrzagar
 
Posts: 2
Joined: Fri Jul 13, 2018 12:36 am
languages_spoken: english
ODROIDs: ODROID XU4


Return to General Chat

Who is online

Users browsing this forum: No registered users and 0 guests