Opened 3 years ago

Last modified 2 months ago

#17331 new enhancement

Repository signature validation in pkgman via minisign

Reported by: kallisti5 Owned by: nobody
Priority: high Milestone: R1/beta6
Component: Kits/Package Kit Version: R1/Development
Keywords: packages minisig security sprint Cc:
Blocked By: Blocking:
Platform: All

Description

Haiku repositories already have https://jedisct1.github.io/minisign/ signature in place:

signing...

The repo file contains sha256 checksums of every hpkg within the repo.

We should check for the presence of a repo.minisig, and validate it against our known / trusted public keys in /boot/system/data/trust_db/

This is essential for security if we begin offering widespread haiku / haikuports package mirrors.

Design:

  • Check repo.minisig against all public keys in /boot/system/data/trust_db/
  • Signature verification should be by-passable via:
    • Command line flags to pkgman
    • Package kit configuration
  • A warning should be presented on the CLI when signature verification is bypassed or fails
  • Later: Verification failure (without offering "skip verification" flags / options) results in a halted installation of packages.

Change History (8)

comment:1 by waddlesplash, 2 years ago

Milestone: R1/beta4 → R1/beta5

Not happening at this point.

comment:2 by kallisti5, 17 months ago

Minisign wasn't really written with using it as a library in mind... however I did do a small refactoring to separate the cli logic from the business logic. Might be handy.

https://github.com/kallisti5/minisign/tree/refactor

The alternative is "going it alone" and making our own implementation of minisign. It's mostly bone stock sodium scrypt / ed25519 etc with some custom wrappers to manage trusted/untrusted comments, keys, etc

comment:3 by kallisti5, 13 months ago

In light of the recent outage, we need to better document the manual process to validate the signatures of the package repositories on Haiku.

Here's the manual method:

pkgman install minisign
# -O writes the downloaded file (wget's -o would only redirect its log)
wget https://eu.hpkg.haiku-os.org/haiku/master/$(getarch)/current/repo -O /tmp/repo-haiku-$(getarch)
wget https://eu.hpkg.haiku-os.org/haiku/master/$(getarch)/current/repo.minisig -O /tmp/repo-haiku-$(getarch).minisig
# verifies /tmp/repo-haiku-<arch>.minisig against the Haiku public key
minisign -Vm /tmp/repo-haiku-$(getarch) -p /boot/system/data/trust_db/haiku-2019.pub

Ideally the package kit should do this using the public keys in /boot/system/data/trust_db as a source of trust. This isn't foolproof since haikuports can potentially add other sources of validation to this directory... "but it's a start"
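The design from the ticket description (try repo.minisig against every key in trust_db, a bypass flag, a CLI warning on bypass or failure) scripted around the manual minisign commands from comment 3, as an added example that is not part of the ticket, of pkgman or of minisign. It assumes `minisign` is on PATH and that trust_db holds `*.pub` key files; the function names are mine.

```shell
#!/bin/sh
# Added example, not pkgman or Haiku code: the repo signature check from the
# ticket description, scripted around the minisign CLI used in comment 3.
# Assumes `minisign` is on PATH (-V verify, -q quiet, -m file, -x sig file,
# -p public key file are real minisign flags) and keys are *.pub in TRUST_DB.

# verify_repo_sig REPO SIG TRUST_DB: returns 0 on the first key that validates.
verify_repo_sig() {
    repo=$1 sig=$2 trust_db=$3
    for key in "$trust_db"/*.pub; do
        [ -f "$key" ] || continue          # empty dir leaves the glob literal
        if minisign -Vq -m "$repo" -x "$sig" -p "$key" >/dev/null 2>&1; then
            echo "repo signature OK: $repo (key $(basename "$key"))"
            return 0
        fi
    done
    return 1
}

# check_repo REPO SIG TRUST_DB [--skip-verification]
# Without the flag, a missing or invalid signature halts the install (exit 1).
# With the flag the check still runs, but a failure only warns and returns 0.
check_repo() {
    repo=$1 sig=$2 trust_db=$3 skip=${4:-}
    if [ -f "$sig" ] && verify_repo_sig "$repo" "$sig" "$trust_db"; then
        return 0
    fi
    if [ "$skip" = "--skip-verification" ]; then
        echo "WARNING: signature verification bypassed for $repo; contents unverified" >&2
        return 0
    fi
    echo "ERROR: $sig did not validate against any key in $trust_db; halting" >&2
    return 1
}

# fetch_and_check BASE_URL TRUST_DB [--skip-verification]
# The manual flow from comment 3: download repo and repo.minisig, then check.
fetch_and_check() {
    base=$1 trust_db=$2 skip=${3:-}
    out=/tmp/repo-haiku-$(getarch)        # getarch is Haiku's arch helper
    wget -q "$base/repo" -O "$out" || return 1
    wget -q "$base/repo.minisig" -O "$out.minisig" || return 1
    check_repo "$out" "$out.minisig" "$trust_db" $skip
}

# Usage: repo-check.sh https://eu.hpkg.haiku-os.org/haiku/master/$(getarch)/current \
#        /boot/system/data/trust_db [--skip-verification]
if [ $# -ge 2 ]; then
    fetch_and_check "$@"
fi
```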

comment:4 by kallisti5, 13 months ago

See https://review.haiku-os.org/c/haiku/+/7088 for a first "quick-and-dirty" solution. Long term this needs to be better and integrated within the package kit since the logic is still a little loose around "getting and validating minisign is valid from the repo you're about to validate"

Fun fact.. this tool uncovered that it doesn't look like haikuports is properly signing repo files.

comment:5 by nephele, 6 months ago

Milestone: R1/beta5 → R1/beta6

comment:6 by pulkomandy, 6 months ago

Milestone: R1/beta6 → R1/beta5

Without this, we still won't be able to do any package mirrors in a safe way. Yet again.

It would be nice to take a look at it before the next release, since a lot of people are having issues reaching our main repository, and having mirrors could help with that (or help confirm that they have real network problems and not just trouble reaching the repo).

comment:7 by kallisti5, 6 months ago

> Without this, we still won't be able to do any package mirrors in a safe way.

Yup. We have had a few people reach out who want to mirror the haiku repo. There are a few mirrors out there, but not many since I have trust issues there without automatic repo signature validation.

> It would be nice to take a look at it before the next release, since a lot of people are having issues reaching our main repository

This is a mix of country blocks, or the occasional object storage outage. We had a moderate outage last week where Wasabi had a power failure in their datacenter which knocked them offline for ~12 hours.

comment:8 by waddlesplash, 2 months ago

Milestone: R1/beta5 → R1/beta6

move remaining tickets to beta6
