Opened 5 years ago

Closed 3 years ago

#12871 closed defect (invalid)

RPM repo data is not signed and documentation misses repo_gpgcheck

Reported by: cypherpunks
Owned by: hiviah
Priority: Medium
Component: Core Tor/RPM packaging
Severity: Normal

Description

The torproject RPM repos do not provide signed repomd.xml files (repomd.xml.asc); this would allow an attacker to 'hide' updates [1].

From the yum.conf manpage [2]:

repo_gpgcheck Either '1' or '0'. This tells yum whether or not it should perform a GPG signature check on the repodata. When this is set in the [main] section it sets the default for all repositories. The default is '0'.

Once you provide repomd.xml.asc files please update [3].

[1] https://lwn.net/Articles/327847/
[2] http://linux.die.net/man/5/yum.conf
[3] https://www.torproject.org/docs/rpms.html.en


Change History (13)

comment:1 Changed 5 years ago by arma

Owner: changed from marlowe to hiviah
Status: new → assigned

comment:2 Changed 5 years ago by hiviah

I didn't know this option existed as it seems not to be used for most common repos. I'll update my scripts to generate the signature.

comment:3 Changed 5 years ago by cypherpunks

Just in case you are interested in knowing how official Fedora repos handle that issue:
Fedora repos work around that problem with HTTPS. They ship the hashes of repomd.xml via HTTPS and download it over HTTP without actually using repo_gpgcheck at all. So I would suggest that you replace "http" with "https" on
https://www.torproject.org/docs/rpms.html.en

thanks!

comment:4 Changed 5 years ago by hiviah

Repomd.xml files will be signed from now on (https://gitweb.torproject.org/user/hiviah/rpm-build-scripts.git) and current instance on servers is signed as well.

BTW I think that mirrorlists in various distros were over https, but most of the repomd.xml links and also direct download links were plain http.

comment:5 Changed 5 years ago by Sebastian

Is this implemented?

comment:6 Changed 5 years ago by hiviah

Yes, it is implemented; each repo has a signed repomd.xml.asc file.

comment:7 Changed 5 years ago by cypherpunks

Thank you for providing signed repomd.xml files.

Please do not forget to update
https://www.torproject.org/docs/rpms.html.en

with
repo_gpgcheck=1

comment:8 Changed 5 years ago by hiviah

Since #12897 is implemented now, it's even better than using repo_gpgcheck. Somebody already updated https://www.torproject.org/docs/rpms.html.en to use https links.

(repo_gpgcheck has one nasty usability issue: it doesn't show the key's fingerprint when it asks the user to accept it, even if the key was imported before with 'rpm --import'.)

comment:9 Changed 5 years ago by hiviah

Citing from https://lists.torproject.org/pipermail/tor-dev/2014-October/007661.html :

> It is my opinion that even in the case of HTTPS GPG signatures provide a security improvement since (I hope) the private GPG key used to sign the repo is less exposed than the wildcard certificate for *.tpo.

The RPM packages are already GPG-signed, the signatures repomd.xml.asc are already there and can be used. On top of it the repomd.xml* files are transmitted over TLS. If an attacker just wanted a DoS by denying updates, all he has to do is TCP RST (why bother with forging TLS?).

> Could you elaborate on your issue regarding repo_gpgcheck not showing fingerprints? (It does show the gpg key fingerprint on a fc20 system after adding repo_gpgcheck=1 and running 'yum update' [3]).

This is the case for EL6 at least: once you add repo_gpgcheck=1, it will only ask if you want to trust the key given in the gpgkey parameter without showing the fingerprint (with the gpgcheck parameter yum does ask if the fingerprint matches, though). I don't feel comfortable telling users to accept an arbitrary key. It would be easier if I knew which version of yum fixed this so it could be added to the documentation.

comment:10 in reply to: 9 Changed 5 years ago by cypherpunks

Replying to hiviah:

> Citing from https://lists.torproject.org/pipermail/tor-dev/2014-October/007661.html :
>
> > It is my opinion that even in the case of HTTPS GPG signatures provide a security improvement since (I hope) the private GPG key used to sign the repo is less exposed than the wildcard certificate for *.tpo.
>
> The RPM packages are already GPG-signed, the signatures repomd.xml.asc are already there and can be used.

Yes, *can* be used, but the documentation at
https://www.torproject.org/docs/rpms.html.en
does not enable it, hence most won't use it.
(I will file a bug against yum in EL6 not showing GPG fingerprints.)

> On top of it the repomd.xml* files are transmitted over TLS. If an attacker just wanted a DoS by denying updates, all he has to do is TCP RST (why bother with forging TLS?).

I guess yum saying "Error: Unable to connect!" is less of a silent attack than yum saying "No packages marked for update".

To summarize:
I believe HTTPS (with CA pinning) + repo_gpgcheck=1 is the best we can do to protect against manipulation and should be the goal.
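An added audit check (not part of this ticket or of any Tor Project script) that flags, in a yum/dnf .repo stanza, the weaknesses the thread discusses: plain-http baseurl/gpgkey URLs, gpgcheck or repo_gpgcheck left off, and a missing gpgkey. The two stanzas and the rpm.example.org URLs are constructed; the first mirrors the documented setup the reporter objects to, the second is the hardened form the summary above asks for.

```python
"""Audit yum/dnf .repo stanzas for unsigned/unpinned repodata settings."""
import configparser
from urllib.parse import urlparse

# Constructed sample: http URLs and no repo_gpgcheck (the situation in the ticket).
WEAK_REPO = """\
[tor]
name=Tor repo (constructed example)
baseurl=http://rpm.example.org/tor/el6/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://rpm.example.org/tor/RPM-GPG-KEY-example
"""

# Constructed sample: https everywhere plus repo_gpgcheck=1, so repomd.xml.asc is verified.
HARDENED_REPO = """\
[tor]
name=Tor repo (constructed example)
baseurl=https://rpm.example.org/tor/el6/$basearch/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://rpm.example.org/tor/RPM-GPG-KEY-example
"""


def audit_repo_text(text):
    """Return {section: [findings]} for every enabled repo stanza in a .repo body."""
    cp = configparser.RawConfigParser()   # Raw: leave $basearch unexpanded
    cp.read_string(text)
    report = {}
    for section in cp.sections():
        sec = cp[section]
        if sec.get("enabled", "1") == "0":
            continue                       # a disabled repo never pulls updates
        findings = []
        for key in ("baseurl", "mirrorlist", "metalink", "gpgkey"):
            for url in sec.get(key, "").split():
                if urlparse(url).scheme != "https":
                    findings.append(f"{key} not over https: {url}")
        if sec.get("gpgcheck", "0") != "1":
            findings.append("gpgcheck is off: package signatures are not verified")
        if sec.get("repo_gpgcheck", "0") != "1":
            findings.append("repo_gpgcheck is off: repomd.xml.asc is never checked, "
                            "so withheld updates go unnoticed")
        if not sec.get("gpgkey"):
            findings.append("no gpgkey: yum cannot pin the signing key")
        report[section] = findings
    return report
```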

comment:11 Changed 5 years ago by hiviah

I've been looking into how repo_gpgcheck behaves and stumbled upon DNF+repo_gpgcheck (DNF is Fedora's new package manager).

It seems to me that it'd be best to mention the repo_gpgcheck option on the rpms page with its known quirks and let the user decide whether to enable it.

comment:12 Changed 4 years ago by hiviah

The DNF bug is fixed in Fedora, so I added it to the Tor RPM page.

comment:13 Changed 3 years ago by cypherpunks

Resolution: invalid
Severity: Normal
Status: assigned → closed

The torproject no longer provides RPMs.
