Subject: Re: [PATCH] build: sign tarball instead of sha256sum
From: Adam Majer
Organization: SUSE Linux
To: Daniel Kahn Gillmor, David Bremner, Carl Worth, notmuch@notmuchmail.org
Date: Fri, 15 Mar 2019 15:30:56 +0100
Message-ID: <8d74a186-ab58-ea1b-1c42-4112f617b1cb@suse.de>
In-Reply-To: <87o96cw8pb.fsf@fifthhorseman.net>
References: <87mun16gmm.fsf@wondoo.home.cworth.org> <20190213021703.18412-1-david@tethera.net> <87lg1kcqg8.fsf@tethera.net> <87ftrpgjdb.fsf@fifthhorseman.net> <3bbd5c2e-54b7-dbbd-6065-68ce2c2005fd@suse.de> <87tvg4wm2v.fsf@fifthhorseman.net> <87ftrobefn.fsf@tethera.net> <87o96cw8pb.fsf@fifthhorseman.net>
List-Id: "Use and development of the notmuch mail system."

On 3/15/19 2:47 PM, Daniel Kahn Gillmor wrote:
> Do you know of any code that actually makes use of that defense? That
> is, any code that says "fetch version X of package foo and its
> cryptographic signatures; verify the signature over the tarball, and
> also verify that it unpacks to a directory named foo-X/ before returning
> success"? That would be great if it's out there and I'm unaware of it.

We do. For example, nodejs10:
https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs10

The .spec file has (I added some comments here):

    Name:           nodejs10
    Version:        10.15.3
    Source:         https://nodejs.org/dist/v%{version}/node-v%{version}.tar.xz
    Source1:        https://nodejs.org/dist/v%{version}/SHASUMS256.txt
    Source2:        https://nodejs.org/dist/v%{version}/SHASUMS256.txt.sig
    Source3:        nodejs.keyring

The .sig is verified vs. nodejs.keyring on checkin. And for the build, the
%prep phase at the start of the build has:

    # this checks the checksum
    echo "`grep node-v%{version}.tar.xz %{S:1} | head -n1 | cut -c1-64`  %{S:0}" | sha256sum -c

    # this unpacks the tarball Source0 and changes to directory
    # node-v%{version}
    %setup -q -n node-v%{version}

The build would break if the directory had a different name. The build
would break if the checksum were wrong, but that has explicit
verification. And the build would not even be attempted if *.sig wasn't
signed by a key in the *.keyring file.

Not only that, because the SourceX is a URL, distributions like Tumbleweed
that accept lots of submissions have an automated bot that will download
these files and compare them to what was submitted. If these differ, it
will reject.

This actually caught the NodeJS project adding ARM binaries to their
release after the release and re-issuing the checksums. Not malicious,
just annoying (for me :)

- Adam
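The three checks Adam describes (signature on the checksum file against a pinned keyring, sha256 of the tarball against that file, and the tarball unpacking into the expected top-level directory) as one stand-alone POSIX shell script. This is an added example, not the nodejs10 spec, SUSE's or the notmuch project's code. It assumes gpg (2.1 or later), sha256sum and tar are on PATH; the file names in its self-test (foo-1.2.3.tar, SHASUMS256.txt, demo.keyring, release@example.invalid) are made up, and the fixture is built on the fly with a throwaway signing key rather than a real release. Two things it does beyond the spec's %prep lines: it refuses an empty or non-hex "digest" from the grep|head|cut pipeline instead of letting sha256sum -c decide, and it lists the archive before unpacking so a tarball with the wrong or an extra top-level entry fails before anything is extracted.

```sh
#!/bin/sh
# verify_release.sh: signature + checksum + layout checks for a release tarball.
# Added example, not SUSE's spec or the notmuch project's code. Assumes gpg
# (2.1+), sha256sum and tar; the self-test names (foo-1.2.3.tar, demo.keyring,
# release@example.invalid) are constructed and not a real project.
#
# usage: sh verify_release.sh TARBALL SHASUMS SHASUMS.sig KEYRING EXPECTED_DIR
#        sh verify_release.sh --selftest
set -eu

# 1. Detached signature over the checksum file, checked only against the
#    pinned keyring. --no-default-keyring keeps a stray key in the user's own
#    keyring from satisfying the check; gpg --verify exits 0 only for a good
#    signature by a key in that keyring (the key's trust level does not matter).
verify_signature() { # SUMS SIG KEYRING
    keyring="$(cd "$(dirname "$3")" && pwd)/$(basename "$3")"  # gpg resolves relative --keyring paths inside GNUPGHOME
    gpg --batch --quiet --no-default-keyring --keyring "$keyring" \
        --verify "$2" "$1" >/dev/null 2>&1
}

# 2. Checksum: first SHASUMS line naming the tarball, first 64 characters
#    (the spec's grep | head | cut pipeline), plus a check that what came out
#    really is a 64-char lowercase hex digest, so a missing line cannot "pass".
verify_checksum() { # TARBALL SUMS
    expected=$(grep -F "$(basename "$1")" "$2" | head -n1 | cut -c1-64)
    [ ${#expected} -eq 64 ] || return 1
    case $expected in *[!0-9a-f]*) return 1 ;; esac
    echo "$expected  $1" | sha256sum -c >/dev/null 2>&1
}

# 3. Layout: every member must sit under EXPECTED_DIR/, which %setup -n would
#    otherwise only discover when its cd fails after extraction. An unreadable
#    or empty archive (no members listed) is a failure, not a pass.
verify_toplevel() { # TARBALL DIR
    tar -tf "$1" 2>/dev/null | awk -v d="$2/" '
        BEGIN { bad = 0 }
        index($0, d) != 1 { bad = 1 }
        END { if (NR == 0) bad = 1; exit bad }'
}

verify_release() { # TARBALL SUMS SIG KEYRING DIR
    verify_signature "$2" "$3" "$4" || { echo "FAIL: $3 is not a valid signature on $2 by a key in $4" >&2; return 1; }
    verify_checksum "$1" "$2"       || { echo "FAIL: sha256 of $1 does not match $2" >&2; return 1; }
    verify_toplevel "$1" "$5"       || { echo "FAIL: $1 does not unpack into $5/" >&2; return 1; }
    echo "OK: $1 verified against signed $2 and unpacks into $5/"
}

# Constructed fixture for --selftest: a tiny tarball, its SHASUMS256.txt, an
# ephemeral signing key in a throwaway GNUPGHOME, and the exported keyring
# that plays the role of Source3.
make_demo_release() { # OUTDIR
    out=$1
    mkdir -p "$out/foo-1.2.3/src" "$out/gnupg" && chmod 700 "$out/gnupg"
    export GNUPGHOME="$out/gnupg"
    printf 'int main(void) { return 0; }\n' > "$out/foo-1.2.3/src/main.c"
    ( cd "$out" && tar -cf foo-1.2.3.tar foo-1.2.3 && sha256sum foo-1.2.3.tar > SHASUMS256.txt )
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Release Key <release@example.invalid>' default default never
    gpg --batch --quiet --export release@example.invalid > "$out/demo.keyring"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$out/SHASUMS256.txt.sig" "$out/SHASUMS256.txt"
}

case "${1:-}" in
    --selftest)
        tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
        make_demo_release "$tmp"
        verify_release "$tmp/foo-1.2.3.tar" "$tmp/SHASUMS256.txt" \
            "$tmp/SHASUMS256.txt.sig" "$tmp/demo.keyring" foo-1.2.3
        ;;
    "") ;;  # no arguments: only define the functions (e.g. when sourced)
    *)
        [ $# -eq 5 ] || { echo "usage: $0 TARBALL SHASUMS SIG KEYRING EXPECTED_DIR" >&2; exit 2; }
        verify_release "$@"
        ;;
esac
```

Run `sh verify_release.sh --selftest` to see all three checks pass on the constructed fixture, or point it at a real download: `sh verify_release.sh node-v10.15.3.tar.xz SHASUMS256.txt SHASUMS256.txt.sig nodejs.keyring node-v10.15.3`. The order matters: the signature is checked first so that a tampered SHASUMS256.txt is rejected before its (attacker-chosen) digest is ever compared against the tarball.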