pkgsrc-Bugs archive
pkg/56015: 'pkg_admin audit -s' allows signature from unvalidated key
>Number: 56015
>Category: pkg
>Synopsis: 'pkg_admin audit -s' allows signature from unvalidated key
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Feb 23 16:45:00 +0000 2021
>Originator: Jan Schaumann
>Release: NetBSD 8.0
>Organization:
>Environment:
System: NetBSD panix.netmeister.org 8.0 NetBSD 8.0 (PANIX-VC) #0: Fri May 3 16:47:37 EDT 2019 root@juggler.panix.com:/misc/obj64/misc/devel/netbsd/8.0/src/sys/arch/amd64/compile/PANIX-VC amd64
Architecture: x86_64
Machine: amd64
>Description:
When running 'pkg_admin audit -s', merely having imported the pkgsrc-security@ key
appears to be sufficient for validation. That is, even though the key is not validated,
'pkg_admin audit' will accept the signature.
Now this can be interpreted to be correct in that validation of the signature
does correctly take place, but from a trust perspective, it seems surprising
that a signature from an unvalidated key is accepted.
For example:
$ gzip -d -c /var/db/pkg/pkg-vulnerabilities | gpg --verify
gpg: Signature made Tue Feb 23 11:51:37 2021 UTC using RSA key ID 3A3A469E
gpg: Good signature from "pkgsrc Security Team <pkgsrc-security@pkgsrc.org>"
gpg: aka "pkgsrc Security Team <pkgsrc-security@NetBSD.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: FD70 3B89 644C 8B64 0DE9 4281 1F59 1DA3 3A3A 469E
$ echo $?
0
This shows that the signature is valid, but also gives us a warning that
the key is not verified.
Ideally, 'pkg_admin audit' would require the key to be validated (i.e.,
gpg was able to build a trustpath to a fully trusted key from the signatures
on the key) or at least show a warning like gpg does above.
After all, a signature being valid does not provide any security guarantees
beyond integrity without assurance of authenticity.
>How-To-Repeat:
pkg_admin audit -s
>Fix:
Perhaps an additional flag that mandates a validated key in addition to a valid
signature? That way, 'pkg_admin audit -s' would retain the current behavior,
but people seeking full validation could run 'pkg_admin audit -sv' or something
like that.
>Unformatted:
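The distinction the report draws, a signature that verifies versus a signing key that has been validated, is visible in gpg's machine-readable status output (the `[GNUPG:] GOODSIG` / `VALIDSIG` / `TRUST_*` lines emitted with `--status-fd`). The following is an added example, not pkg_admin's code and not part of the original report: it parses those lines and implements the stricter check the "Fix" section asks for, accepting a signature only when gpg also reports `TRUST_FULLY` or `TRUST_ULTIMATE` for the key. The status lines in `STATUS_UNVALIDATED` are constructed to match the transcript above (same key ID, fingerprint and signature time); the field layout follows gpg's documented status format, but the algorithm/version fields are illustrative. The `verify_file` helper and its `require_trust` flag are hypothetical names standing in for the proposed `-sv` behaviour.

```python
"""Tell a *valid* OpenPGP signature apart from one made by a *trusted* key,
using GnuPG's '--status-fd' lines (added example; not pkg_admin's own code)."""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Trust levels gpg reports once it has built a trust path to the signing key.
# TRUST_UNDEFINED / TRUST_NEVER / TRUST_MARGINAL mean the key merely sits in
# the keyring, which is exactly the situation described in the PR.
TRUSTED_LEVELS = {"TRUST_FULLY", "TRUST_ULTIMATE"}


@dataclass
class Verdict:
    good_signature: bool = False        # GOODSIG seen: integrity is fine
    fingerprint: Optional[str] = None   # primary fingerprint from VALIDSIG
    trust_level: Optional[str] = None   # the TRUST_* line, if any
    errors: List[str] = field(default_factory=list)

    @property
    def trusted(self) -> bool:
        """What a hypothetical 'pkg_admin audit -sv' would insist on."""
        return self.good_signature and self.trust_level in TRUSTED_LEVELS


def parse_status(status_text: str) -> Verdict:
    """Parse '[GNUPG:] <TAG> ...' lines as written by 'gpg --status-fd'."""
    v = Verdict()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue                      # ordinary stderr chatter, skip
        tag = fields[1]
        if tag == "GOODSIG":
            v.good_signature = True
        elif tag == "VALIDSIG" and len(fields) > 2:
            v.fingerprint = fields[2]     # full fingerprint of the signing key
        elif tag.startswith("TRUST_"):
            v.trust_level = tag
        elif tag in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            v.errors.append(line)
    return v


def verify_file(path: str, require_trust: bool = True) -> bool:
    """Verify an already-decompressed pkg-vulnerabilities file with gpg.

    With require_trust=False this mirrors the current 'audit -s' behaviour
    (any good signature passes); with require_trust=True it also demands a
    validated key, and explains why when it refuses."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", path],
        capture_output=True, text=True, check=False)
    v = parse_status(proc.stdout)
    if not v.good_signature:
        print("signature check failed:", *v.errors, sep="\n  ")
        return False
    if require_trust and not v.trusted:
        print(f"WARNING: good signature from {v.fingerprint}, "
              f"but the key is not validated ({v.trust_level})")
        return False
    return True


# Constructed status output modelled on the transcript in the PR: a good
# signature from the pkgsrc-security key, for which gpg has no trust path.
STATUS_UNVALIDATED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1F591DA33A3A469E pkgsrc Security Team <pkgsrc-security@pkgsrc.org>
[GNUPG:] VALIDSIG FD703B89644C8B640DE942811F591DA33A3A469E 2021-02-23 1614081097 0 4 0 1 10 01 FD703B89644C8B640DE942811F591DA33A3A469E
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# The same signature after the operator has certified the key or gpg can
# build a trust path to it: only the TRUST_ line differs.
STATUS_VALIDATED = STATUS_UNVALIDATED.replace("TRUST_UNDEFINED", "TRUST_FULLY")

if __name__ == "__main__":
    for label, status in (("unvalidated", STATUS_UNVALIDATED),
                          ("validated", STATUS_VALIDATED)):
        v = parse_status(status)
        print(f"{label}: good_signature={v.good_signature} "
              f"trust={v.trust_level} trusted={v.trusted}")
```

The point to notice is that both constructed transcripts produce `good_signature=True`; a checker that stops at `GOODSIG` (as the report says `pkg_admin audit -s` effectively does) cannot tell them apart, while `Verdict.trusted` only passes the second. Whether to treat `TRUST_MARGINAL` as sufficient is a policy choice; the example follows gpg's own definition of a validated key.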