Mailing List Archive

Package signing and distribution
Hi to all!

I've recently seen the outbreak of "violence" concerning signing packages or
rather files in the Gentoo portage system. I am currently working on a system
which does exactly this signing process with an addon library I've written
myself (so, no need for gpg, just Python + module). I've devised quite an
intricate scheme of checks and balances, which amounts to the following:

1. have a master "Gentoo" key, which is kept by the Gentoo RelEng, which only
signs other keys and a list of keys removed from circulation, no ebuilds.
2. have each developer create a keypair for themselves, send their public key
to the RelEng via some form of _safe_ channel (this is important), and have
the RelEng send back the signed key to the developer.
3. have each developer sign his/her packages with their own key.

Keys are distributed via a P2P network with large-scale replication, just as
are files from the portage tree. As there is large-scale replication (not
just some hundred servers, but rather thousands of them), and each user can
check whether the file he/she receives is valid (by verifying the signature
on the key which was found to have a correct signature on the corresponding
file), there'll be no corruption of the data on the network (at least it'll
be very hard to achieve), as invalid data sent to a remote host for
caching/processing is simply discarded. And, to have control over the system
(well, rather to DOS it), an attacker would have to inject lots of machines
under his control into the system (so that he could forge certain areas of
the distributed hash table address space). But this is near impossible for a
large scale network.

The only key which needs to be distributed in a safe form is the Gentoo master
key, which is used to sign all other keys. This is similar to distributing a
CA key, and should be easy to implement (for example, if you don't trust your
network connection, order the one single key on CD via snail-mail).

Anyway, if anybody is interested in working on this with me, mail me. I don't
have much time at the moment, and I've been working on this about half a year
now, but I guess as the end of year draws nearer, I might actually be getting
somewhere near a working implementation of this sometime soon, and should be
there even faster if someone else is interested in making it work with me.

Concerning security: read up on Kademlia, and its near indestructibility when
many hosts are attached and the large attack base needed to DOS it (and I
guess that many Gentoo users who have a permanent/near permanent internet
connection will gladly offer up a little bandwith to create a large
distributed hash table, at least I would).

And on another note: this makes overlays unnecessary. At least in my theory
everybody may inject ebuilds signed with his key into the system (each host
accepts a certain amount of "non-Gentoo" ebuilds), and each user may decide
that he trusts a certain non-Gentoo ebuild writer so much that he wants these
ebuilds integrated into the main portage tree (so that they are not discarded
when being downloaded). This is pretty much like an overlay, but invisible to
the user, and more transparent.

Anyway, my english is bad tonight, I'm tired from being at university the
whole day, and I have two exams this week, but anyway, if you're interested
in this, just mail me, and I'll gladly send you the sources I have ready,
they're written using Twisted and Sophie
(http://www.heim-d.de/~heikowu/Crypto), both Python modules which are pretty
lightweight to install additionally to Python itself.

Heiko.

--
gentoo-security@gentoo.org mailing list
Re: Package signing and distribution [ In reply to ]
Heiko Wundram writes:

> I am currently working on a system which does exactly
> this signing process with an addon library I've written
> myself (so, no need for gpg, just Python + module).

I _think_ that a very similar system does exist already:

http://www.venge.net/monotone/

I can't be certain, but from your description it sounds
quite familiar. In fact, I had thought about recommending
Monotone as a means for distributing the Portage tree
instead of using CVS/rsync, but I think also that such a
fundamental change would take ages to get organized.

However, if a distribution / versioning scheme like that
would be used by Gentoo, it would be really nice, IMHO.

Peter


--
gentoo-security@gentoo.org mailing list
Re: Package signing and distribution [ In reply to ]
On Mon, Nov 08, 2004 at 07:03:33PM +0100, Heiko Wundram wrote:
>
> 1. have a master "Gentoo" key, which is kept by the Gentoo RelEng, which only
> signs other keys and a list of keys removed from circulation, no ebuilds.
> 2. have each developer create a keypair for themselves, send their public key
> to the RelEng via some form of _safe_ channel (this is important), and have
> the RelEng send back the signed key to the developer.
> 3. have each developer sign his/her packages with their own key.


This is the right approach in my opinion.

1 master key, that signs Gentoo dev keys. Keep it very secure, and make sure that isn't comprimised.
Gentoo devs sign the ebuilds that they commit.

It solves a problem - a big problem - namely authenticity and integrity of ebuilds from the gentoo developers machine to my machine.
The method for getting the ebuilds to me doesn't have to change at all.

It doesn't, and nothing can, stop a rogue developer, or the person that actually writes the application/package from tainting the package, although it would stop anyone changing the package **after** the ebuild was written.

Maybe make all the current developer keys a part of the protage sync.


I think everyone that has posted to this list is trying to help - we all want Gentoo to be as secure as it can be. We all have to trust someone eventually. Signed ebuilds would mean that we didn't need to trust any part of the infrastructure from the Gentoo developer machines to our machines.


Calum


--
gentoo-security@gentoo.org mailing list