tech-security archive


Can I make sure no tampered package is installed?



Hi again. Recently I asked about image and sets signatures. Making sure
the system is properly verified was a bit of a relief. Now, with that
out of the way, I have a similar concern regarding packages.

Reading through pkg_add(1) man page I noticed it rightfully warns about
the perils of installing a package without some basic measures, one of
such being the use of digital signatures to verify the package. But
here's where I begin to get confused:

* Where are these signatures supposed to be found?
* Is there some convention on how they're obtained?
* Should they be distributed together with binary packages? If so, I
  couldn't find them (on cdn.NetBSD.org).

It also mentions pkg_install.conf(5), which in turn describes some
interesting variables, such as CERTIFICATE_ANCHOR_PKGS, GPG,
GPG_KEYRING_VERIFY. Apparently, they're all unset by default. And most
importantly, there's VERIFIED_INSTALLATION, which is nice to enforce
verification, but is of no use if no package can be verified.

I also checked out pkgsrc help on SIGN_PACKAGES topic to see that both
X.509 and OpenPGP are valid options for package signing (and also not
signing at all, which is default). And that confused me even further: 

* Are binary packages expected to be signed? If so, by which method?
* If they are, shouldn't NetBSD already ship a trusted gpg public
  keyring and/or a trusted X.509 certificate?
* For GPG, would netpgp (which is already shipped with NetBSD) be an
  option? Or must it be really gpg (which would have to be installed
  first and has a lot of extra dependencies)?
* I checked out one of the NetBSD presentations, the pkgsrc hardening
  one [1], and it mentions the use of libnetpgpverify for pkg_add. Does
  that still apply?

[1] http://netbsd.org/gallery/presentations/khorben/eurobsdcon2017/Hardening%20pkgsrc.pdf

Going even further, there's pkgin(1), which also does not mention
anything related to signing/verifying.

* Does it rely on pkg_install.conf for that?
* Should I assume that transfers between pkgin and the repository are
  unsafe?

As a test, I set VERIFIED_INSTALLATION to "always", and then used pkgin
to install a package. The package was installed, but I saw no
verification output, so I'm not really confident it relies on that or
that any verification was performed.

Also, I'd like to know if the pkgsrc tree tar file is digitally signed as
well. I know getting the tree using CVS through ssh is possible and
that it's supposedly a safe method, but the same couldn't be said
about the tar file, which is convenient for a first fetch. Can I get it
via scp?

Well, that's it. I know it's a lot of questions, but they're all
closely related, so I think asking them all at once makes sense.

Thanks for the help.

-- 
Best regards,
@hrcerq
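The post's central worry is that VERIFIED_INSTALLATION can be set to "always" while nothing in pkg_install.conf(5) actually supplies a trust anchor (no GPG_KEYRING_VERIFY keyring, no CERTIFICATE_ANCHOR_PKGS certificate), so the setting enforces a check that can never succeed. The following POSIX sh script is an added example, not part of the original message or of pkg_install itself: it parses a pkg_install.conf-style file (KEY=VALUE lines, "#" comments) and reports whether verification is enforced and whether at least one trust anchor is configured. The sample configuration contents and the keyring path are constructed for the example; treating "trusted" as a second enforcing value of VERIFIED_INSTALLATION, alongside the "always" used in the post, is taken from pkg_install.conf(5) and is an assumption as far as this thread is concerned.

```shell
#!/bin/sh
# Audit a pkg_install.conf-style file for an enforced-but-unverifiable setup.
# Added example; the sample configurations below are constructed, not real files.

# Constructed sample 1: enforcement requested, but no trust anchor at all.
SAMPLE_CONF_BAD='# enforce verification, but nothing to verify against
VERIFIED_INSTALLATION=always
'
# Constructed sample 2: enforcement plus an OpenPGP keyring (hypothetical path).
SAMPLE_CONF_GOOD='VERIFIED_INSTALLATION=always
GPG_KEYRING_VERIFY=/usr/pkg/etc/pkg-trusted.gpg   # hypothetical path
'
# Constructed sample 3: nothing set, i.e. the situation the post describes as default.
SAMPLE_CONF_DEFAULT='# all variables left unset
'

# conf_get FILE KEY
# Print the value of KEY from FILE: "#" comments and surrounding whitespace are
# stripped, the last occurrence wins, and an absent or empty key prints nothing.
conf_get() {
    sed -n \
        -e 's/[[:space:]]*#.*$//' \
        -e 's/[[:space:]]*$//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_conf FILE
# Prints one of:
#   not-enforced     VERIFIED_INSTALLATION is unset or does not enforce signatures
#   no-trust-anchor  enforcement is on, but neither GPG_KEYRING_VERIFY nor
#                    CERTIFICATE_ANCHOR_PKGS is set, so no package can pass
#   enforced         enforcement is on and a trust anchor is configured
# Exit status is 0 only for "enforced".
audit_conf() {
    _vi=$(conf_get "$1" VERIFIED_INSTALLATION)
    _gpg=$(conf_get "$1" GPG_KEYRING_VERIFY)
    _x509=$(conf_get "$1" CERTIFICATE_ANCHOR_PKGS)
    case "$_vi" in
        always|trusted) ;;                      # "always" from the post; "trusted" per pkg_install.conf(5)
        *) echo "not-enforced"; return 1 ;;
    esac
    if [ -z "$_gpg" ] && [ -z "$_x509" ]; then
        echo "no-trust-anchor"; return 1
    fi
    echo "enforced"
    return 0
}

# Write the constructed samples to temporary files so the functions can be
# exercised exactly as they would be on a real /etc/pkg_install.conf.
CONF_BAD=$(mktemp)
CONF_GOOD=$(mktemp)
CONF_DEFAULT=$(mktemp)
trap 'rm -f "$CONF_BAD" "$CONF_GOOD" "$CONF_DEFAULT"' EXIT
printf '%s\n' "$SAMPLE_CONF_BAD" > "$CONF_BAD"
printf '%s\n' "$SAMPLE_CONF_GOOD" > "$CONF_GOOD"
printf '%s\n' "$SAMPLE_CONF_DEFAULT" > "$CONF_DEFAULT"

for f in "$CONF_BAD" "$CONF_GOOD" "$CONF_DEFAULT"; do
    printf '%s: %s\n' "$f" "$(audit_conf "$f")"
done
```

Run the script as-is to see the three verdicts; to audit a live system, call `audit_conf /etc/pkg_install.conf` instead of the temporary files. A "no-trust-anchor" result is exactly the misconfiguration the post worries about: pkg_add would be told to insist on signatures while having no keyring or certificate to check them against.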

