Marek Marczykowski-Górecki:
Similar to the Valid-Until field in Debian apt release files [and other
package managers that use similar fields]:
http://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-release-f.html
Well, that would be ideal, but that would also be something that the one
who provides the file and signature would have to do, i.e. upstream. So
if you wanted to do this, you could only do this for your own signatures
and could only try to convince upstream of doing it as well. Worthwhile,
sure, but unlikely to happen for every upstream.
> This is also not ideal because of manual work
> required for that.
Yes.
> But maybe worth the effort?
Definitively.
> Maybe it is enough to add
> another section in our warrant canaries (list of most recent tags on
> source code)?
Dunno. Any place works as long as it's checked during build.
> I guess 3-month isn't frequent enough...
Yes.
>>>> Having said that, do you have any other gpg verification code in other
>>>> files that I could look into?
>>>
>>> Some components downloads additional sources - like kernel, KDE, etc. There
>>> is also code to verify that downloads - just a simple gpg -v with
>>> isolated keyring (one key in most cases). That keyring isolation is
>>> provided by qubes-builder (scripts/get-sources). When upstream do not
>>> provide signatures, we have file hashes committed into the git repo.
>>> This code is in Makefiles in those repositories:
>>> - linux-kernel
>>> - desktop-linux-kde
>>> - desktop-linux-xfce
>>> - vmm-xen
>>> - core-libvirt
>
>> I see. Checked linux-kernel. Code:
>
>> @xzcat $(SRC_FILE) | gpg -q --verify $(SIGN_FILE) - 2>/dev/null
>
>> I don't think this is safe.
>
>> Quote Werner Koch (gnupg lead developer):
>>
http://lists.gnupg.org/pipermail/gnupg-devel/2005-December/022559.html
>
>> "there is no clear distinction between the codes and for proper error
>> reporting you are advised to use the --status-fd messages."
>
> AFAIR this applies mostly to verifying key validity/trust. In our case
> it shouldn't be a problem because of dedicated keyring with just the
> key(s) to verify given component.
Not sure. I specifically asked about this on gnupg-users mailing list.
'Are there cases where gpg --verify will exit 0, even if verification
failed?'
https://lists.gnupg.org/pipermail/gnupg-users/2015-January/052232.html
While I was not told any specific example as a great deterrence, my
conclusion is, that gpg exit codes are totally not to be relied on.
> But indeed it would be good idea to
> switch to either --status-fd, or gpgv (or both).
Yes.
Other options to consider (just consider, not arguing they are great,
better, whatsoever):
- gpg2
- gppv2
Another subtlety to consider, checksec.sh on Debian wheezy reports, that
gpg[v] has Partial RELRO and NO PIE vs gpg[v]2 that has FULL RELRO and PIE.
***
A related point I would like to raise is another common misconception or
unpopular fact about OpenPGP signatures. You might be aware of it, but I
would invite you to specifically think it through wtr to the Qubes file
[not git] verification code.
OpenPGP signatures do sign files. Not file names.
Names of files are not part of OpenPGP signatures. When file and
signature is renamed, the OpenPGP signature remains valid. So version
information taken from names of files is untrustworthy.
In other words, when using "gpg --armor --detach-sign
some-file-version-c" a file: some-file-version-c.asc will be created.
But an adversary position to arbitrarily change file names on a mirror
[for targeted attacks] or so could rename it to some-file-version-d and
some-file-version-d.asc. Or in other words, the adversary could have
changed the name of the files to some-file-version-d[.asc], while in
reality it was just some-file-version-c[.asc].
See also:
https://lists.gnupg.org/pipermail/gnupg-users/2015-January/052185.html
One could "use OpenPGP notations to include the legitimate names of
files to prevent file name tampering" as I suggested here in a slightly
different context:
https://trac.torproject.org/projects/tor/ticket/14187
Those OpenPGP notations are also included in status-fd.
But that's something the provider of the OpenPGP signature, i.e.
upstream would have to do.
Since convincing upstream to do this is time consuming, takes a while
until they implement it, and may not always work, I think the best that
could be done until then or as a stopgap, would be extracting the
signature creation date of the signature from status-fd and comparing it
with the expected value. (Signature creation date is part of the OpenPGP
signature and tamper resistant. [1])
Cheers,
Patrick
[1]
https://lists.gnupg.org/pipermail/gnupg-users/2013-March/046218.html