AW: Re: repos providing only md5 sums
Hello,
for the sake of completeness: Fredrik and I started looking into how we can secure the Ports distribution.
Regards, Thomas
-------- Original message --------
From: Fredrik Rinnestam <fredrik@rinnestam.se>
Date: 23.03.2016 10:31 (GMT+01:00)
To: crux@lists.crux.nu
Subject: Re: repos providing only md5 sums
On Wed, Mar 23, 2016 at 10:29:44AM +0100, Erich Eckner wrote:
On 23.03.2016 09:58, Fredrik Rinnestam wrote:
On Wed, Mar 23, 2016 at 07:38:37AM +0100, Erich Eckner wrote:
On 21.03.2016 21:36, Dutch Ingraham wrote:
On Mon, Mar 21, 2016 at 08:31:00AM +0100, Thomas Penteker wrote:
To fill the missing link to providing integrity and confidentiality, we should start cryptographically signing ports on the maintainer's side and check these signatures before building/downloading anything.
I think we should definitely allow for signing and verification. However: what's a useful approach for checking Pkgfiles? It's not pkgmk's job, because we want to be able to edit the file. So I think "ports -u" should check the signature of Pkgfile and pkgmk the ones of the sources?
The current idea is to have git commits signed. This would sign the sha256 checksum and a "trusted" chain is established.
This sounds like a much cleaner solution than signing every individual file.
We will obviously lose this when syncing ports with rsync since only files are synced. This needs to be solved.
Maybe, the hash and signature can be added to the synced files (of course not versioned in git). I don't know the details of the hashing in git, but in the end it's a hash of hashes of the files (and file permissions, locations, ...) and some extra information like commit message and parents? So given the extra info, one would be able to calculate the hash "by hand" and verify the signature?
I know, it sounds hackish - probably not a good idea :-/
On the other hand: I just noticed that '--no-check-certificate' is passed as an argument to wget. Why isn't it assumed that a proper certificate is installed? Can this be configured somewhere?
IIRC that's not a default setting. It can be changed in /etc/pkgmk.conf: PKGMK_WGET_OPTS=""
I didn't have any PKGMK_WGET_OPTS defined in /etc/pkgmk.conf (nor in the Pkgfile), also setting PKGMK_WGET_OPTS="" explicitly didn't change anything :-/
cheers, Erich
Yeah, I just noticed it's hard-coded in pkgmk. You could switch to curl instead - don't think it's hardcoded there. I'll open up a bug report for the wget issue
--
Fredrik Rinnestam
_______________________________________________
CRUX mailing list
CRUX@lists.crux.nu
https://lists.crux.nu/mailman/listinfo/crux
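The idea raised in the thread of recalculating the git hash "by hand" from rsync-synced files, as an added example that is not part of the original messages or of CRUX's tooling: it recomputes git's SHA-1 tree ID from file contents and compares it with the tree ID named in a commit object, which is the payload a commit signature covers. Assumptions: all files have mode 100644, the commit object is shipped alongside the files, and the signature check on that commit object is left to gpg; the port contents and commit below are constructed sample data.

```python
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    """Git object ID: SHA-1 over '<kind> <length>\\0' followed by the body."""
    return hashlib.sha1(kind.encode() + b" %d\x00" % len(body) + body).hexdigest()

def tree_id(entries: dict) -> str:
    """entries maps name -> bytes (regular file) or dict (subdirectory)."""
    def sort_key(name):
        # git orders tree entries as if directory names ended in '/'
        return name.encode() + (b"/" if isinstance(entries[name], dict) else b"")
    body = b""
    for name in sorted(entries, key=sort_key):
        item = entries[name]
        if isinstance(item, dict):
            mode, oid = b"40000", tree_id(item)
        else:
            mode, oid = b"100644", git_object_id("blob", item)  # assumed mode
        # each entry: '<mode> <name>\0' + raw 20-byte object ID
        body += mode + b" " + name.encode() + b"\x00" + bytes.fromhex(oid)
    return git_object_id("tree", body)

def signed_tree(commit_body: bytes) -> str:
    """Tree ID from the first header line of a commit object."""
    first = commit_body.split(b"\n", 1)[0]
    if not first.startswith(b"tree "):
        raise ValueError("not a commit object")
    return first[5:].decode()

def files_match_commit(entries: dict, commit_body: bytes) -> bool:
    """True if the synced files hash to the tree the commit names."""
    return tree_id(entries) == signed_tree(commit_body)

# Constructed sample: one port as rsync would deliver it, plus its commit object
PORT = {"Pkgfile": b"name=example\nversion=1.0\n", ".md5sum": b"constructed\n"}
COMMIT = ("tree %s\nauthor A <a@example.org> 0 +0000\n"
          "committer A <a@example.org> 0 +0000\n\nexample: update\n"
          % tree_id(PORT)).encode()

if __name__ == "__main__":
    print("untouched files match:", files_match_commit(PORT, COMMIT))
    tampered = dict(PORT, Pkgfile=PORT["Pkgfile"] + b"# edited\n")
    print("edited Pkgfile matches:", files_match_commit(tampered, COMMIT))
```

A match only proves the files correspond to that commit; trust still depends on verifying the signature over the commit object itself.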