Opened 3 years ago
Last modified 6 months ago
#17331 new enhancement
Repository signature validation in pkgman via minisign
| Reported by: | kallisti5 | Owned by: | nobody |
|---|---|---|---|
| Priority: | high | Milestone: | R1/beta5 |
| Component: | Kits/Package Kit | Version: | R1/Development |
| Keywords: | packages minisig security sprint | Cc: | |
| Blocked By: | | Blocking: | |
| Platform: | All | | |
Description
Haiku repositories already have a https://jedisct1.github.io/minisign/ signature in place:
signing...
The repo file contains sha256 checksums of every hpkg within the repo.
We should check for the presence of a repo.minisig, and validate it against our known / trusted public keys in /boot/system/data/trust_db/
This is essential for security if we begin offering widespread haiku / haikuports package mirrors.
Design:
- Check repo.minisig against all public keys in /boot/system/data/trust_db/
- Signature verification should be bypassable via:
  - Command line flags to pkgman
  - Package kit configuration
- A warning should be presented on the CLI when signature verification is bypassed or fails
- Later: Verification failure (without offering "skip verification" flags / options) results in a halted installation of packages.
Change History (4)
comment:1 by , 18 months ago
| Milestone: | R1/beta4 → R1/beta5 |
|---|---|
comment:2 by , 10 months ago
Minisign wasn't really written with using it as a library in mind... however I did do a small refactoring to separate the cli logic from the business logic. Might be handy.
https://github.com/kallisti5/minisign/tree/refactor
The alternative is "going it alone" and making our own implementation of minisign. It's mostly bone stock sodium scrypt / ed25519 etc with some custom wrappers to manage trusted/untrusted comments, keys, etc
comment:3 by , 6 months ago
In light of the recent outage, we need to better document the manual process to validate the signatures of the package repositories on Haiku.
Here's the manual method:
```sh
pkgman install minisign
# -O (capital) writes the downloaded file; lowercase -o would only redirect wget's log there
wget https://eu.hpkg.haiku-os.org/haiku/master/$(getarch)/current/repo -O /tmp/repo-haiku-$(getarch)
wget https://eu.hpkg.haiku-os.org/haiku/master/$(getarch)/current/repo.minisig -O /tmp/repo-haiku-$(getarch).minisig
minisign -Vm /tmp/repo-haiku-$(getarch) -p /boot/system/data/trust_db/haiku-2019.pub
```
Ideally the package kit should do this using the public keys in /boot/system/data/trust_db as a source of trust. This isn't foolproof since haikuports can potentially add other sources of validation to this directory... "but it's a start"
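The check the ticket's design and the manual procedure above describe (find the trust_db key whose key id matches repo.minisig, then verify both the file signature and the global signature that binds the trusted comment), as an added example in Go using only the standard library; it is not Haiku's or minisign's code. It assumes the legacy "Ed" mode (signature over the raw file) and rejects the prehashed "ED" mode rather than guessing, because BLAKE2b is not in Go's standard library; the trust_db layout is assumed to be a directory of minisign *.pub files such as haiku-2019.pub.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// parseMinisig decodes the four-line .minisig format: untrusted comment, base64("Ed"|keyID|sig),
// "trusted comment: ...", base64(global sig over sig|trusted comment). Only minisign's legacy "Ed"
// mode (signature over the raw file) is accepted; "ED" (BLAKE2b-512 prehash) is rejected, not guessed.
func parseMinisig(data []byte) (keyID, sig, global []byte, trusted string, err error) {
	l := strings.Split(strings.TrimSpace(string(data)), "\n")
	if len(l) != 4 || !strings.HasPrefix(l[2], "trusted comment: ") {
		return nil, nil, nil, "", errors.New("malformed .minisig")
	}
	raw, e1 := base64.StdEncoding.DecodeString(l[1])
	global, e2 := base64.StdEncoding.DecodeString(l[3])
	if e1 != nil || e2 != nil || len(raw) != 10+ed25519.SignatureSize || string(raw[:2]) != "Ed" || len(global) != ed25519.SignatureSize {
		return nil, nil, nil, "", errors.New("unsupported algorithm or malformed signature")
	}
	return raw[2:10], raw[10:], global, strings.TrimPrefix(l[2], "trusted comment: "), nil
}

// VerifyRepo checks repo against sigFile with every *.pub in trustDB (the ticket's
// /boot/system/data/trust_db) and returns the path of the key that verified it. The key is
// selected by its 8-byte key id; both the file signature and the global signature must pass.
func VerifyRepo(repo, sigFile []byte, trustDB string) (string, error) {
	keyID, sig, global, trusted, err := parseMinisig(sigFile)
	if err != nil {
		return "", err
	}
	paths, _ := filepath.Glob(filepath.Join(trustDB, "*.pub"))
	for _, path := range paths {
		data, _ := os.ReadFile(path) // .pub: untrusted comment line, then base64("Ed"|keyID|pubkey)
		l := strings.Split(strings.TrimSpace(string(data)), "\n")
		raw, err := base64.StdEncoding.DecodeString(l[len(l)-1])
		if err != nil || len(raw) != 10+ed25519.PublicKeySize || string(raw[2:10]) != string(keyID) {
			continue // not a minisign key file, or a different key id
		}
		pub := ed25519.PublicKey(raw[10:])
		if ed25519.Verify(pub, repo, sig) && ed25519.Verify(pub, append(append([]byte{}, sig...), trusted...), global) {
			return path, nil
		}
	}
	return "", errors.New("signature does not verify against any key in " + trustDB)
}
```

A tampered repo file, an edited trusted comment, or an empty trust_db each make VerifyRepo return an error, which is the point at which the ticket wants pkgman to warn and, later, halt the installation.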
comment:4 by , 6 months ago
See https://review.haiku-os.org/c/haiku/+/7088 for a first "quick-and-dirty" solution. Long term this needs to be better and integrated within the package kit since the logic is still a little loose around "getting and validating minisign is valid from the repo you're about to validate"
Fun fact... this tool uncovered that it doesn't look like haikuports is properly signing repo files.
Not happening at this point.