pkgsrc-Bugs archive


pkg/56015: 'pkg_admin audit -s' allows signature from unvalidated key



>Number:         56015
>Category:       pkg
>Synopsis:       'pkg_admin audit -s' allows signature from unvalidated key
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Feb 23 16:45:00 +0000 2021
>Originator:     Jan Schaumann
>Release:        NetBSD 8.0
>Organization:
	
>Environment:
	
	
System: NetBSD panix.netmeister.org 8.0 NetBSD 8.0 (PANIX-VC) #0: Fri May 3 16:47:37 EDT 2019 root%juggler.panix.com@localhost:/misc/obj64/misc/devel/netbsd/8.0/src/sys/arch/amd64/compile/PANIX-VC amd64
Architecture: x86_64
Machine: amd64
>Description:

When running 'pkg_admin audit -s', merely having imported the pkgsrc-security@ key
appears to be sufficient for validation.  That is, even though the key is not validated,
'pkg_admin audit' will accept the signature.

Now this can be interpreted to be correct in that validation of the signature
does correctly take place, but from a trust perspective, it seems surprising
that a signature from an unvalidated key is accepted.

For example:

$ gzip -d -c /var/db/pkg/pkg-vulnerabilities | gpg --verify
gpg: Signature made Tue Feb 23 11:51:37 2021 UTC using RSA key ID 3A3A469E
gpg: Good signature from "pkgsrc Security Team <pkgsrc-security%pkgsrc.org@localhost>"
gpg:                 aka "pkgsrc Security Team <pkgsrc-security%NetBSD.org@localhost>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FD70 3B89 644C 8B64 0DE9  4281 1F59 1DA3 3A3A 469E
$ echo $?
0

This shows that the signature is valid, but also gives us a warning that
the key is not verified.

Ideally, 'pkg_admin audit' would require the key to be validated (i.e., 
gpg was able to build a trustpath to a fully trusted key from the signatures
on the key) or at least show a warning like gpg does above.

After all, a signature being valid does not provide any security guarantees
beyond integrity without assurance of authenticity.

>How-To-Repeat:

pkg_admin audit -s

>Fix:

Perhaps an additional flag that mandates a validated key in addition to a valid
signature?  That way, 'pkg_admin audit -s' would retain the current behavior,
but people seeking full validation could run 'pkg_admin audit -sv' or something
like that.
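The check the report asks for can be built on gpg's machine-readable status output rather than its exit code. The following is an added example written for this archive page; it is not pkg_admin's code, nor GnuPG's, nor anything the submitter posted. It assumes the status keywords documented in GnuPG's doc/DETAILS (`GOODSIG`, `VALIDSIG`, `BADSIG`, `TRUST_*`), which gpg emits with `--status-fd 1`; the sample status lines are constructed to mirror the report's scenario, with the fingerprint taken from the gpg output above. A pinned-fingerprint path is included as an alternative to web-of-trust validation, which goes slightly beyond the flag the report proposes.

```python
"""Decide whether a gpg-verified signature should be accepted.

Added example, not part of this bug report and not pkg_admin's or GnuPG's
own code. gpg exits 0 for any good signature, even when it prints the
"key is not certified" warning; the status lines it emits with
`--status-fd 1` (see GnuPG's doc/DETAILS) carry the trust level separately,
so a caller can insist on a validated key instead of only a valid signature.
"""
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Trust levels gpg reports when it found a trust path to the signing key.
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}
# Keywords gpg emits instead of GOODSIG when the signature or key is unusable.
BAD = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class Verdict:
    signature_valid: bool       # GOODSIG seen and no BAD keyword
    key_trusted: bool           # TRUST_FULLY or TRUST_ULTIMATE reported
    fingerprint: Optional[str]  # primary fingerprint from VALIDSIG, if any
    accept: bool                # what a strict audit mode would act on
    reason: str


def assess(status_lines: Iterable[str], expected_fpr: Optional[str] = None) -> Verdict:
    """Classify gpg status output. If expected_fpr is given, a matching
    pinned fingerprint is accepted in place of web-of-trust validation."""
    good, bad, trust, fpr = False, [], None, None  # type: bool, List[str], Optional[str], Optional[str]
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable output or unrelated text
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            fpr = fields[2].upper()
        elif keyword in BAD:
            bad.append(keyword)
        elif keyword.startswith("TRUST_"):
            trust = keyword
    sig_ok = good and not bad
    trusted = trust in TRUSTED
    pinned = (expected_fpr is not None and fpr is not None
              and fpr == expected_fpr.replace(" ", "").upper())
    if not sig_ok:
        reason = "signature invalid: " + (",".join(bad) or "no GOODSIG")
    elif trusted:
        reason = "good signature, key validated (%s)" % trust
    elif pinned:
        reason = "good signature, key matches pinned fingerprint"
    else:
        reason = "good signature, but key not validated (%s)" % (trust or "no trust info")
    return Verdict(sig_ok, trusted, fpr, sig_ok and (trusted or pinned), reason)


def verify_file(path: str, expected_fpr: Optional[str] = None) -> Verdict:
    """Run gpg on a clearsigned file (e.g. a decompressed copy of
    pkg-vulnerabilities) and classify the result. Needs gpg on PATH."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True, check=False)
    return assess(proc.stdout.splitlines(), expected_fpr)


# Constructed status output mirroring the report: good signature from the
# pkgsrc-security key (fingerprint from the report) with no trust path.
PKGSRC_SECURITY_FPR = "FD70 3B89 644C 8B64 0DE9 4281 1F59 1DA3 3A3A 469E"
UNVALIDATED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 1F591DA33A3A469E pkgsrc Security Team <pkgsrc-security@pkgsrc.org>",
    "[GNUPG:] VALIDSIG FD703B89644C8B640DE942811F591DA33A3A469E 2021-02-23 1614081097 0 4 0 1 10 00 FD703B89644C8B640DE942811F591DA33A3A469E",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# Same signature after the key has been validated locally (constructed).
VALIDATED = UNVALIDATED[:-1] + ["[GNUPG:] TRUST_ULTIMATE 0 pgp"]
# A modified file: gpg reports BADSIG instead of GOODSIG (constructed).
TAMPERED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 1F591DA33A3A469E pkgsrc Security Team <pkgsrc-security@pkgsrc.org>",
]

if __name__ == "__main__":
    for name, lines in (("unvalidated", UNVALIDATED), ("validated", VALIDATED), ("tampered", TAMPERED)):
        print(name, "->", assess(lines).reason)
    print("pinned ->", assess(UNVALIDATED, PKGSRC_SECURITY_FPR).reason)
```

On the report's own system the first case is what gpg reports: `signature_valid` is true, `key_trusted` is false, and `accept` is false, which is the outcome a hypothetical 'pkg_admin audit -sv' mode would want. `verify_file` is only a convenience wrapper around the real `gpg --status-fd 1 --verify` invocation; the classification itself is pure and runs offline on the constructed lines.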


>Unformatted:

