Announcement/warning: verification of git tag signatures in qubes-builder was broken


Marek Marczykowski-Górecki

Mar 2, 2018, 7:06:33 PM
to qubes-devel
Dear Qubes Community,

Simon Gaiser has found a bug in the signed tags verification script. It
was possible to craft a signed tag that would pass the verification even
though the signature did not match that tag. To exploit this issue,
an attacker would need to either perform an effective man-in-the-middle attack
(the default qubes-builder configuration uses HTTPS when connecting to
GitHub) or have write access to one of our repositories. We don't believe
any of those have happened, but since we consider infrastructure
untrusted, this bug is a security issue.

We advise all users/developers having a local qubes-builder clone to
either:
1) perform a fresh qubes-builder clone, in a new VM, manually verifying its
signature - to mitigate effects of potential compromise, or

2) update qubes-builder, performing manual tag verification this one time:

cd qubes-builder
git fetch origin
git tag -v $(git describe --exact-match origin/master)
# double check the output of the above command, should have "Good
# signature from ..." and *not* "WARNING: This key is not certified
# with a trusted signature!"
git merge --ff-only origin/master

The top commit should be: 9674c1991deef45b1a1b1c71fddfab14ba50dccf
"Fix git tag verification"

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Alex Dubois

Mar 3, 2018, 11:40:06 AM
to qubes-devel
Hi,

I was in the process of bootstrapping qubes-builder on a Windows machine using adubois/qubes-builder-windows, which was forked on GitHub a few days back.

On launching script/get-be.ps1 (on an empty disk), after the script imports the Qubes master signing key 0x36879494 and a number of developers-keys (Marek's being 42CFA724), which had already been imported (so the message was "not changed"), I have the following error on qubes-builder tag verification:
Signature made Sat Mar 3 00:03:11 2018 GMTST
using RSA key 063938BA42CFA724
Can't check signature: public key not found
Failed to verify qubes-builder! Output:
object 9674c1991deef45b1a1b1c71fddfab14ba50dccf type commit tag mm_9674c199 tagger Marek Marczykowski-GXXrecki <marm...@invisiblethingslab.com> 1520035393 +0100 Tag for commit 9674c1991deef45b1a1b1c71fddfab14ba50dccf

Hopefully I haven't made a typo...

I am not sure what to do.
The script automatically does option 1 by performing a git clone of QubesOS/qubes-builder.

Thanks in advance for the help.
Alex

Alex Dubois

Mar 3, 2018, 11:46:07 AM
to qubes-devel
Apologies, please ignore for now.

I had gpg already installed and the binaries (if not already installed) and pulled and copied in the qubes-builder/cache/windows-prereqs

I need to dig a bit more into the problem.

TimW

Mar 4, 2018, 1:28:49 AM
to qubes-devel
I created a new VM, downloaded a new qubes builder and imported all the gpg sigs.

Ran the manual verification cmds; below is the output:

[user@Build-Qubes qubes-builder]$ git fetch origin
[user@Build-Qubes qubes-builder]$ git tag -v $(git describe --exact-match origin/master)
object 9674c1991deef45b1a1b1c71fddfab14ba50dccf
type commit
tag mm_9674c199
tagger Marek Marczykowski-Górecki <marm...@invisiblethingslab.com> 1520035393 +0100

Tag for commit 9674c1991deef45b1a1b1c71fddfab14ba50dccf
gpg: Signature made Fri 02 Mar 2018 07:03:11 PM EST using RSA key ID 42CFA724
gpg: Good signature from "Marek Marczykowski-Górecki (Qubes OS signing key) <marm...@invisiblethingslab.com>"
[user@Build-Qubes qubes-builder]$ git merge --ff-only origin/master
Already up-to-date.
[user@Build-Qubes qubes-builder]$
----------------------------------------

All of the above looks like the expected output... Good. But...

Now upon the ./setup building templates get sources update the following builder templates....

For builder-fedora:

-> Updating sources for builder-fedora... │
│ --> Fetching from https://github.com/QubesOS/qubes-builder-fedora.git mast │
│ --> Verifying tags... │
│ No valid signed tag found! │
│ ---> One of invalid tag: │
│ object a9b47491455a613ae451dfc9a2be947b08e57f73 │
│ type commit │
│ tag mm_a9b47491 │
│ tagger Marek Marczykowski-Górecki <marm...@invisiblethingslab.com> 15199 │
│ │
│ Tag for commit a9b47491455a613ae451dfc9a2be947b08e57f73 │
│ Makefile:190: recipe for target 'builder-fedora.get-sources' failed


And for builder-debian:


-> Updating sources for builder-debian...

--> Fetching from https://github.com/QubesOS/qubes-builder-debian.git master...
--> Verifying tags...

No valid signed tag found! ---> One of invalid tag:
object a2ed158fd8b3c53ea608b282875f875b6329bb82 type commit tag mm_a2ed158f tagger Marek Marczykowski-Górecki <marm...@invisiblethingslab.com> 1519333268 +0100
Tag for commit a2ed158fd8b3c53ea608b282875f875b6329bb82
Makefile:190: recipe for target 'builder-debian.get-sources' failed


And for builder-centos:


-> Updating Sources for builder-centos....
--> Fetching from https://github.com/QubesOS/qubes-builder-centos.git mast
--> Verifying tags...
No valid signed tags found!

One of the invalid tag:
object cfc7d315cfdfe493a86f103a0825ba630339ab8f
tag commmit
tag mm_cfc7d315
tagger Marek Marczykowski-Gorecki <marm...@invisiblethingslab.com> 15196

Tag for commit cfc7d315cfdfe493a86f103a0825ba630339ab8f

Makefile:190: recipe for target 'builder-centos.get-sources' failed


Marek Marczykowski-Górecki

Mar 4, 2018, 7:29:11 AM
to TimW, qubes-devel
On Sat, Mar 03, 2018 at 10:28:49PM -0800, TimW wrote:
> Now upon the ./setup building templates get sources update the following builder templates....
>
> For builder-fedora:
>
> -> Updating sources for builder-fedora... │
> │ --> Fetching from https://github.com/QubesOS/qubes-builder-fedora.git mast │
> │ --> Verifying tags... │
> │ No valid signed tag found! │
> │ ---> One of invalid tag: │
> │ object a9b47491455a613ae451dfc9a2be947b08e57f73 │
> │ type commit │
> │ tag mm_a9b47491 │
> │ tagger Marek Marczykowski-Górecki <marm...@invisiblethingslab.com> 15199 │
> │ │
> │ Tag for commit a9b47491455a613ae451dfc9a2be947b08e57f73 │
> │ Makefile:190: recipe for target 'builder-fedora.get-sources' failed

What template do you use there? The fixed code uses the `git verify-tag --raw`
command, which is "only" 3 years old (git >= 2.6.0).

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
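The manual checks from the announcement (a good signature, no "not certified with a trusted signature" warning) and the `git verify-tag --raw` status output mentioned in the reply above, evaluated mechanically. This is an added example, not the qubes-builder script and not part of any message in this thread; the fingerprint, function names and sample status lines are constructed, and requiring full or ultimate trust is an assumed policy.

```shell
#!/bin/sh
# Added example. TRUSTED_FPR is a constructed placeholder, not a real key.
TRUSTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status STATUS: succeed only if the gpg status text reports exactly one
# good, valid signature by TRUSTED_FPR with full or ultimate trust.
check_status() {
    printf '%s\n' "$1" | awk -v want="$TRUSTED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good++ }
        # Last VALIDSIG field is the primary key fingerprint; compare as strings.
        $2 == "VALIDSIG" { valid++; if (($NF "") == (want "")) ours++ }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted++ }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad++ }
        END { exit !(good == 1 && valid == 1 && ours == 1 && trusted == 1 && !bad) }'
}

# tag_header_ok CONTENT COMMIT NAME: the tag object header (as printed by
# `git cat-file tag`) must name exactly this commit and this tag name.
tag_header_ok() {
    printf '%s\n' "$1" | awk -v commit="$2" -v name="$3" '
        /^$/ { exit }                          # header ends at the first blank line
        $1 == "object" { obj = $2 ""; nobj++ }
        $1 == "type"   { otype = $2 "" }
        $1 == "tag"    { tag = $2 "" }
        END { exit !(nobj == 1 && obj == (commit "") && otype == "commit" &&
                     tag == (name "")) }'
}

# verify_tag TAG COMMIT: run both checks against a real repository.
verify_tag() {
    status=$(git verify-tag --raw "$1" 2>&1 >/dev/null) || return 1
    check_status "$status" && tag_header_ok "$(git cat-file tag "$1")" "$2" "$1"
}

# Constructed sample inputs (commit id and tag name as quoted in the thread).
SAMPLE_UNTRUSTED="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer
[GNUPG:] VALIDSIG $TRUSTED_FPR 2018-03-02 1520035393 0 4 0 1 8 00 $TRUSTED_FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp"
SAMPLE_GOOD=$(printf '%s\n' "$SAMPLE_UNTRUSTED" | sed 's/TRUST_UNDEFINED/TRUST_FULLY/')
SAMPLE_TAG="object 9674c1991deef45b1a1b1c71fddfab14ba50dccf
type commit
tag mm_9674c199
tagger Example Tagger <tagger@example.invalid> 1520035393 +0100

Tag for commit 9674c1991deef45b1a1b1c71fddfab14ba50dccf"
```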

TimW

Mar 5, 2018, 11:30:16 PM
to qubes-devel
That was building a 3.2 fedora 26 standard template using a standalone fc23vm. Before the recent changes I have been building all the templates and qubes os version off this setup with no issues.