Opened 3 years ago
Last modified 4 months ago
#17331 new enhancement
Repository signature validation in pkgman via minisign
Reported by: | kallisti5 | Owned by: | nobody |
---|---|---|---|
Priority: | high | Milestone: | R1/beta6 |
Component: | Kits/Package Kit | Version: | R1/Development |
Keywords: | packages minisig security sprint | Cc: | |
Blocked By: | | Blocking: | |
Platform: | All | | |
Description
Haiku repositories already have https://jedisct1.github.io/minisign/ signature in place:
signing...
The repo file contains sha256 checksums of every hpkg within the repo.
We should check for the presence of a repo.minisig, and validate it against our known / trusted public keys in /boot/system/data/trust_db/
This is essential for security if we begin offering widespread haiku / haikuports package mirrors.
Design:
- Check repo.minisig against all public keys in /boot/system/data/trust_db/
- Signature verification should be bypassable via:
  - Command line flags to pkgman
  - Package kit configuration
- A warning should be presented on the CLI when signature verification is bypassed or fails
- Later: Verification failure (without offering "skip verification" flags / options) results in a halted installation of packages.
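An added example, not part of this ticket or of Haiku's package kit, sketching the design above in Python: it parses minisign's .pub and .minisig layouts, picks the trust_db key whose key id matches the signature, prehashes the repo file with BLAKE2b-512 when the signature is the "ED" (prehashed) variant, checks the global signature over signature + trusted comment, and warns or aborts on failure. The Ed25519 primitive itself is passed in as a callable (e.g. PyNaCl's or cryptography's verify); the key and signature bytes below are constructed placeholders, not real Haiku keys.

```python
import base64
import hashlib
import sys

# Constructed sample data (not real Haiku keys): .pub = "Ed" | key id | key;
# .minisig = "ED"/"Ed" | key id | sig, then a trusted comment + global sig.
KEY_ID = b"\x01\x02\x03\x04\x05\x06\x07\x08"
SAMPLE_PUB = (b"untrusted comment: constructed trust_db key\n"
              + base64.b64encode(b"Ed" + KEY_ID + bytes(32)) + b"\n")
SAMPLE_SIG = (b"untrusted comment: constructed signature\n"
              + base64.b64encode(b"ED" + KEY_ID + bytes(64)) + b"\n"
              + b"trusted comment: timestamp:0 file:repo\n"
              + base64.b64encode(bytes(64)) + b"\n")

def parse_pub(data):
    """Return (key_id, pubkey) from a minisign .pub file."""
    raw = base64.b64decode(data.splitlines()[1])
    if raw[:2] != b"Ed" or len(raw) != 42:
        raise ValueError("not a minisign Ed25519 public key")
    return raw[2:10], raw[10:]

def parse_minisig(data):
    """Return (prehashed, key_id, sig, trusted_comment, global_sig)."""
    lines = data.splitlines()
    raw = base64.b64decode(lines[1])
    if raw[:2] not in (b"Ed", b"ED") or len(raw) != 74:
        raise ValueError("not a minisign signature")
    prefix = b"trusted comment: "
    if not lines[2].startswith(prefix):
        raise ValueError("missing trusted comment")
    return (raw[:2] == b"ED", raw[2:10], raw[10:],
            lines[2][len(prefix):], base64.b64decode(lines[3]))

def verify_repo(repo, minisig, trust_db, ed25519_verify, skip=False):
    """Check the signature against every trust_db key (name -> .pub bytes) and
    return the name that verified; on failure warn and abort, or continue if skip."""
    prehashed, key_id, sig, tcomment, gsig = parse_minisig(minisig)
    for name, pub in trust_db.items():
        kid, pk = parse_pub(pub)
        if kid != key_id:
            continue  # key id mismatch: this trusted key did not sign the repo
        msg = hashlib.blake2b(repo, digest_size=64).digest() if prehashed else repo
        if ed25519_verify(pk, msg, sig) and ed25519_verify(pk, sig + tcomment, gsig):
            return name
    print("WARNING: repo signature verification failed", file=sys.stderr)
    if not skip:
        raise SystemExit("refusing to continue; pass a skip-verification option to bypass")
    print("WARNING: continuing with an UNVERIFIED repository", file=sys.stderr)
    return None
```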
Change History (8)
comment:1 by , 2 years ago
Milestone: R1/beta4 → R1/beta5
comment:2 by , 19 months ago
Minisign wasn't really written with using it as a library in mind... however I did do a small refactoring to separate the cli logic from the business logic. Might be handy.
https://github.com/kallisti5/minisign/tree/refactor
The alternative is "going it alone" and making our own implementation of minisign. It's mostly bone stock sodium scrypt / ed25519 etc with some custom wrappers to manage trusted/untrusted comments, keys, etc
comment:3 by , 15 months ago
In light of the recent outage, we need to better document the manual process to validate the signatures of the package repositories on Haiku.
Here's the manual method:
pkgman install minisign
wget https://eu.hpkg.haiku-os.org/haiku/master/$(getarch)/current/repo -O /tmp/repo-haiku-$(getarch)
wget https://eu.hpkg.haiku-os.org/haiku/master/$(getarch)/current/repo.minisig -O /tmp/repo-haiku-$(getarch).minisig
minisign -Vm /tmp/repo-haiku-$(getarch) -p /boot/system/data/trust_db/haiku-2019.pub
Ideally the package kit should do this using the public keys in /boot/system/data/trust_db as a source of trust. This isn't foolproof since haikuports can potentially add other sources of validation to this directory... "but it's a start"
comment:4 by , 15 months ago
See https://review.haiku-os.org/c/haiku/+/7088 for a first "quick-and-dirty" solution. Long term this needs to be better and integrated within the package kit since the logic is still a little loose around "getting and validating minisign is valid from the repo you're about to validate"
Fun fact.. this tool uncovered that it doesn't look like haikuports is properly signing repo files.
comment:5 by , 8 months ago
Milestone: R1/beta5 → R1/beta6
comment:6 by , 8 months ago
Milestone: R1/beta6 → R1/beta5
Without this, we still won't be able to do any package mirrors in a safe way. Yet again.
It would be nice to take a look at it before the next release, since a lot of people are having issues reaching our main repository, and having mirrors could help with that (or help confirm that they have real network problems and not just trouble reaching the repo).
comment:7 by , 8 months ago
> Without this, we still won't be able to do any package mirrors in a safe way.
Yup. We have had a few people reach out who want to mirror the haiku repo. There are a few mirrors out there, but not many since I have trust issues there without automatic repo signature validation.
> It would be nice to take a look at it before the next release, since a lot of people are having issues reaching our main repository
This is a mix of country blocks, or the occasional object storage outage. We had a moderate outage last week where Wasabi had a power failure in their datacenter which knocked them offline for ~12 hours.
Not happening at this point.