Marek Marczykowski-G贸recki:
> On Fri, Apr 03, 2015 at 04:06:48PM +0000, Patrick Schleizer wrote:
>> Marek Marczykowski-G贸recki:
>>> On Thu, Apr 02, 2015 at 12:11:03PM +0000, Patrick Schleizer wrote:
>>>> function:
>>>> verify_tag
>>>>>>> link:
>>>> https://github.com/QubesOS/qubes-builder/blob/7d21e6b7b0a5ab3a68e8acdbc3f540f2221b47c0/scripts/verify-git-tag#L38
>>>>>>> code:
>>>> gpg --verify --status-fd=1 $temp_name/content.asc 2>/dev/null|grep -q
>>>> '^\[GNUPG:\] TRUST_\(FULLY\|ULTIMATE\)$'
>>>>>>> It does not check freshness? So any older tag/signature would be
>>>> accepted, a rollback attack would succeed?
>>>>>> Yes, older tag/signature would be accepted in this function. But when
>>> verified, it is *merged* into local sources, not *reseted*. So if you have
>>> newer sources (in terms of git history) already downloaded it will not
>>> downgrade it. Personally I use combo make prepare-merge + do-merge,
>>> which additionally show me color coded info if the merge is
>>> fast-forward or not (in addition to all the new commits to be merged).
>>> Perhaps we should even introduce an option to fail on non-fast-forward
>>> updates.
>>>>>> It doesn't protect you in any way against such type of attacks during
>>> first time source download. But you can easily list version tags
>>> (including release tags) - make show-vtags - and check if the versions
>>> are what you've expected.
>>> Git merge rather than reset is useful indeed. Prevents people who
>> already got the sources from being targetd for rollback (downgrade)
>> attacks. Wouldn't prevent indefinite freeze attacks, though.
>>> Also users who get the source for the very first time are more at risk?
>> At that point, nothing protects them from rollback (downgrade) attacks?
>>> That's my main target audience here. People who prefer to build from
>> source code to make sure they don't get backdoored by eventual backdoors
>> in the binary builds injected by the build machine during build. [Not
>> claiming any backdoor by the Qubes team. But build machines seem
>> worthwhile targets to me for powerful adversaries.] Building from source
>> code is a cheap way to prevent those. But if they buy that advantage of
>> cost of eventual targeted rollback (downgrade) attacks, that's non-ideal.
>> AFAIK preventing this problem would require refreshing some signature
> periodically, right?
Similar to the Valid-Until field in Debian apt release files [and other
package managers that use similar fields]:
http://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-release-f.html
Well, that would be ideal, but that would also be something that the one
who provides the file and signature would have to do, i.e. upstream. So
if you wanted to do this, you could only do this for your own signatures
and could only try to convince upstream of doing it as well. Worthwhile,
sure, but unlikely to happen for every upstream.
> This is also not ideal because of manual work
> required for that.
Yes.
> But maybe worth the effort?
Definitively.
> Maybe it is enough to add
> another section in our warrant canaries (list of most recent tags on
> source code)?
Dunno. Any place works as long as it's checked during build.
> I guess 3-month isn't frequent enough...
Yes.
>>>> Having said that, do you have any other gpg verification code in other
>>>> files that I could look into?
>>>>>> Some components downloads additional sources - like kernel, KDE, etc. There
>>> is also code to verify that downloads - just a simple gpg -v with
>>> isolated keyring (one key in most cases). That keyring isolation is
>>> provided by qubes-builder (scripts/get-sources). When upstream do not
>>> provide signatures, we have file hashes committed into the git repo.
>>> This code is in Makefiles in those repositories:
>>> - linux-kernel
>>> - desktop-linux-kde
>>> - desktop-linux-xfce
>>> - vmm-xen
>>> - core-libvirt
>>> I see. Checked linux-kernel. Code:
>>> @xzcat $(SRC_FILE) | gpg -q --verify $(SIGN_FILE) - 2>/dev/null
>>> I don't think this is safe.
>>> Quote Werner Koch (gnupg lead developer):
>> http://lists.gnupg.org/pipermail/gnupg-devel/2005-December/022559.html
>>> "there is no clear distinction between the codes and for proper error
>> reporting you are advised to use the --status-fd messages."
>> AFAIR this applies mostly to verifying key validity/trust. In our case
> it shouldn't be a problem because of dedicated keyring with just the
> key(s) to verify given component.
Not sure. I specifically asked about this on gnupg-users mailing list.
'Are there cases where gpg --verify will exit 0, even if verification
failed?'
https://lists.gnupg.org/pipermail/gnupg-users/2015-January/052232.html
While I was not told any specific example as a great deterrence, my
conclusion is, that gpg exit codes are totally not to be relied on.
> But indeed it would be good idea to
> switch to either --status-fd, or gpgv (or both).
Yes.
Other options to consider (just consider, not arguing they are great,
better, whatsoever):
- gpg2
- gppv2
Another subtlety to consider, checksec.sh on Debian wheezy reports, that
gpg[v] has Partial RELRO and NO PIE vs gpg[v]2 that has FULL RELRO and PIE.
***
A related point I would like to raise is another common misconception or
unpopular fact about OpenPGP signatures. You might be aware of it, but I
would invite you to specifically think it through wtr to the Qubes file
[not git] verification code.
OpenPGP signatures do sign files. Not file names.
Names of files are not part of OpenPGP signatures. When file and
signature is renamed, the OpenPGP signature remains valid. So version
information taken from names of files is untrustworthy.
In other words, when using "gpg --armor --detach-sign
some-file-version-c" a file: some-file-version-c.asc will be created.
But an adversary position to arbitrarily change file names on a mirror
[for targeted attacks] or so could rename it to some-file-version-d and
some-file-version-d.asc. Or in other words, the adversary could have
changed the name of the files to some-file-version-d[.asc], while in
reality it was just some-file-version-c[.asc].
See also:
https://lists.gnupg.org/pipermail/gnupg-users/2015-January/052185.html
One could "use OpenPGP notations to include the legitimate names of
files to prevent file name tampering" as I suggested here in a slightly
different context:
https://trac.torproject.org/projects/tor/ticket/14187
Those OpenPGP notations are also included in status-fd.
But that's something the provider of the OpenPGP signature, i.e.
upstream would have to do.
Since convincing upstream to do this is time consuming, takes a while
until they implement it, and may not always work, I think the best that
could be done until then or as a stopgap, would be extracting the
signature creation date of the signature from status-fd and comparing it
with the expected value. (Signature creation date is part of the OpenPGP
signature and tamper resistant. [1])
Cheers,
Patrick
[1] https://lists.gnupg.org/pipermail/gnupg-users/2013-March/046218.html
More information about the Whonix-devel
mailing list
“Look here!” Dick began to chuckle. “We’ve got a queer combination to work with—our Sky Patrol has! Suspicious Sandy—and—Superstitious Jeff!” Sandy grinned ruefully, a little sheepishly. Larry smiled and shook his head, warning Dick not to carry his sarcasm any further, as Jeff frowned. 52 "You do doubt me. If you did not, it would never occur to you to deny it. You doubt me now, and you will doubt me still more if you don't read it. In justice to me you must." "That same. She was part Mescalero, anyway." This Act, as disgraceful as any which ever dishonoured the statute-book in the reigns of the Tudors or Stuarts, was introduced into the Commons, on the 12th of May, by Sir William Wyndham, and was resolutely opposed by the Whigs, amongst whom Sir Peter King, Sir Joseph Jekyll, Mr. Hampden, Robert Walpole, and General Stanhope distinguished themselves. They did not convince the majority, which amounted to no less than two hundred and thirty-seven to one hundred and twenty-six. In the Lords, Bolingbroke himself moved the second reading, and it was ably opposed by the Lords Cowper, Wharton, Halifax, Townshend, Nottingham, and others. The greatest curiosity was displayed regarding the part which Oxford would take, as it was known that in the Council he had endeavoured to soften the rigorous clauses; but in the House he followed his usual shuffling habit, declaring that he had not yet considered the question; and, having induced the Opposition to let the second reading pass without a division, he absented himself from the final voting, and thus disgusted both parties and hastened his own fall. The battle of Falkirk, which in itself appeared so brilliant an affair for Prince Charles, was really one of his most serious disasters. The Highlanders, according to their regular custom when loaded with plunder, went off in great numbers to their homes with their booty. His chief officers became furious against each other in discussing their respective merits in the battle. Lord George Murray, who had himself behaved most bravely in the field, complained that Lord John Drummond had not exerted himself, or pursuit might have been made and the royal army been utterly annihilated. This spirit of discontent was greatly aggravated by the siege of the castle of Stirling. Old General Blakeney, who commanded the garrison, declared he would hold out to the last man, in spite of the terrible threats of Lord George Murray if he did not surrender. The Highlanders grew disgusted with work so contrary to their habits; and, indeed, the French engineer, the so-called Marquis de Mirabelle, was so utterly ignorant of his profession, that the batteries which he constructed were commanded by the castle, and the men were so much exposed that they were in danger of being destroyed before they took the fortress. Accordingly, on the 24th of January they struck to a man, and refused to go any more into the trenches. "Haint we bit off more'n we kin chaw. Shorty?" asked Si, as he looked over the increasing gang. "Hadn't we better ask for some help?" "How far would it carry?" Corpril, Company Q, 2 Hundsrdth Injiamiy Volintear "He d?an't care much. F?ather, he likes to be comfortable, and this Inclosure w?an't make much difference to that. 'T?un't as if we wanted the pasture badly, and F?ather he d?an't care about land." "Byles," interrupted Calverley, speaking rapidly, "you are poor—you are in arrear with your rent; a distress will be levied, and then what will become of you—of your wife and the little one? Listen to me! I will give you money to keep a house over your head; and when I am steward, you shall have the first farm at my lord's disposal, if you will only aid me in my revenge! Revenge!" he repeated, vehemently—"but you hesitate—you refuse." "Yes, yes, there is little doubt of that: but how can we come at the truth? Sudbury still retains his wrath against us, and would oppose an arrest; and even could he be waylaid, and brought hither, he is stubborn, and might refuse to answer." HoME一级做人爱c视正版免费
ENTER NUMBET 0017 salefj.com.cn www.shuohuaba.com.cn xuxue3.com.cn yashi1.com.cn www.laduo6.com.cn chabu8.net.cn www.maofu7.net.cn nasuo5.net.cn www.08211.com.cn www.03862.com.cn