[Whonix-devel] qubes-builder gpg verification security, check for rollback (downgrade) or indefinite freeze attacks

Jason M nrgaway at gmail.com
Thu Apr 2 22:06:27 CEST 2015



On Thursday, 2 April 2015 08:11:16 UTC-4, Patrick Schleizer wrote:
>
> Hi! 
>
> Does qubes-builder check for rollback (downgrade) or indefinite freeze 
> attacks [1]? 
>
> Threat model: 
> - a user who builds from source code 
> - building user successfully verified Qubes' source code 
> - user doesn't manually ensure after build, that version numbers match, 
> doesn't read the build log [unless it stops and shows errors], and 
> relies that the verification chain is intact 
> - git hosting compromised [2] 
> - eventually targeting specific builders 
>
> function: 
> verify_tag 
>
> link: 
>
> https://github.com/QubesOS/qubes-builder/blob/7d21e6b7b0a5ab3a68e8acdbc3f540f2221b47c0/scripts/verify-git-tag#L38 
>
> code: 
> gpg --verify --status-fd=1 $temp_name/content.asc 2>/dev/null|grep -q '^\[GNUPG:\] TRUST_\(FULLY\|ULTIMATE\)$'
>
> It does not check freshness? So any older tag/signature would be 
> accepted, a rollback attack would succeed? 
>
> I am very much into file verification, gpg, wrote gpg-bash-lib [6] where 
> I'd appreciate feedback and sometimes report gpg usage security issues 
> in other projects. [non-exhaustive list [7]] 
>
> Having said that, do you have any other gpg verification code in other 
> files that I could look into? 
>

I recently implemented some gpg verification of files, not GitHub, in
Python. Only added import key and verify.
https://github.com/nrgaway/qubes-app-salt-config/blob/develop-wip/srv/qubes-salt/_modules/gpg.py
https://github.com/nrgaway/qubes-app-salt-config/blob/develop-wip/srv/qubes-salt/_states/gpg.py
https://github.com/nrgaway/qubes-app-salt-config/blob/develop-wip/srv/qubes-salt/_renderers/verify.py 

I just finished converting a setup script from bash to Python, and there is
a small routine that verifies that the fingerprint matches the one from the keyserver.
https://github.com/nrgaway/qubes-builder/blob/nrgaway/setup#L927
https://github.com/nrgaway/qubes-builder/blob/nrgaway/.setup.data


> Cheers, 
> Patrick 
>
> [1] "rollback (downgrade) or indefinite freeze attack" 
> Defined as per TUF: Attacks and Weaknesses: 
> - https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md 
> - http://www.webcitation.org/6F7Io2ncN 
> [2] 
> * In case github gets hacked [3] again. 
> * Or in cases similar to: 
>  * SSL CA's such as DigiNotar was hacked or [4] 
>  * comodo resellers that got hacked. [5] 
> [3] 
>
> http://www.extremetech.com/computing/120981-github-hacked-millions-of-projects-at-risk-of-being-modified-or-deleted 
> [4] https://en.wikipedia.org/wiki/DigiNotar 
> [5] 
>
> http://www.scmagazine.com/two-more-comodo-resellers-owned-in-ssl-hack/article/199620/ 
> [6] https://github.com/Whonix/gpg-bash-lib 
> [7] https://phabricator.whonix.org/T245 
>
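
Added example (not code from this thread, from qubes-builder, or from any of the repositories linked above): a POSIX shell function that keeps the TRUST_FULLY/TRUST_ULTIMATE test quoted above and adds the two freshness checks the question asks about, working from the same `--status-fd` output that `verify_tag` already produces. The signature timestamp is taken from the `VALIDSIG` status line (field layout as documented in GnuPG's doc/DETAILS). It assumes the caller persists the newest accepted signature timestamp between runs; the state-file path in `verify_fresh`, the key fingerprint, the signer identity and the sample status lines are all constructed for the demo and are not real output from any Qubes or Whonix key.

```shell
#!/bin/sh
# Freshness-aware check of GnuPG --status-fd output (added example, not
# qubes-builder code). Relevant status line, per GnuPG doc/DETAILS:
#   [GNUPG:] VALIDSIG <fpr> <date> <sig-timestamp> <expire-timestamp> ...
#
# check_gpg_status STATUS LAST_SEEN_TS NOW_TS MAX_AGE_SECS
#   STATUS        text gpg wrote to --status-fd (captured by the caller)
#   LAST_SEEN_TS  epoch of the newest signature accepted on an earlier run (0 = none)
#   NOW_TS        current epoch, passed in so the function is deterministic
#   MAX_AGE_SECS  oldest signature still considered fresh (indefinite-freeze bound)
# Prints a verdict and returns 0 only when every check passes.
check_gpg_status() {
    status=$1 last_seen=$2 now=$3 max_age=$4

    # 1. Reject outright on any failure token, then require GOODSIG + VALIDSIG.
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
        echo 'FAIL signature invalid, expired, or key revoked'; return 1
    fi
    sig_ts=$(printf '%s\n' "$status" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $5; exit }')
    if [ -z "$sig_ts" ] || ! printf '%s\n' "$status" | grep -Eq '^\[GNUPG:] GOODSIG '; then
        echo 'FAIL no valid signature'; return 1
    fi

    # 2. The original trust check, without the trailing '$': GnuPG 2.1 and
    #    later append "0 pgp" to TRUST_* lines, which an anchored match would miss.
    if ! printf '%s\n' "$status" | grep -Eq '^\[GNUPG:] TRUST_(FULLY|ULTIMATE)( |$)'; then
        echo 'FAIL signing key not fully/ultimately trusted'; return 2
    fi

    # 3. Rollback: a signature older than one already accepted means we were
    #    served old (still validly signed) content.
    if [ "$sig_ts" -lt "$last_seen" ]; then
        echo "FAIL rollback: signature $sig_ts older than last accepted $last_seen"; return 3
    fi

    # 4. Indefinite freeze: a valid but stale signature is also rejected.
    if [ $((now - sig_ts)) -gt "$max_age" ]; then
        echo "FAIL stale: signature $sig_ts is older than $max_age seconds"; return 4
    fi

    echo "OK $sig_ts"
}

# Real-world wrapper (hypothetical paths; not exercised by the demo below):
# verify_fresh SIGNED_FILE STATE_FILE MAX_AGE_SECS
verify_fresh() {
    status=$(gpg --verify --status-fd=1 "$1" 2>/dev/null)
    last=$(cat "$2" 2>/dev/null); last=${last:-0}
    verdict=$(check_gpg_status "$status" "$last" "$(date +%s)" "$3") || { echo "$verdict" >&2; return 1; }
    # Persist the newest accepted timestamp so a later rollback is detectable.
    echo "${verdict#OK }" > "$2"
}

# Constructed sample of gpg's --status-fd output for a good signature
# (made-up fingerprint and signer; the timestamp is 2015-04-02 UTC).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-04-02 1427990000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp'
SAMPLE_UNTRUSTED=$(printf '%s\n' "$SAMPLE_GOOD" | sed 's/TRUST_ULTIMATE 0 pgp/TRUST_UNDEFINED 0 pgp/')
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.invalid>'

# Demo: a fresh first build, then the same tag served again after a newer
# signature (1428100000) has already been accepted, then the same tag much later.
check_gpg_status "$SAMPLE_GOOD" 0          1428000000 604800 || echo "(rejected, rc=$?)"
check_gpg_status "$SAMPLE_GOOD" 1428100000 1428000000 604800 || echo "(rejected, rc=$?)"
check_gpg_status "$SAMPLE_GOOD" 0          1430000000 604800 || echo "(rejected, rc=$?)"
```

The signature timestamp comes from the signer's clock, so this only rejects content older than what this builder has already accepted, or older than a configured window; it does not prove the content is the latest. TUF's stronger answer to the same attacks is a signed expiry that the verifier compares against its own clock, which is what a `timestamp`-style role provides.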