[pacman-dev] More thought about signature implementation

Allan McRae allan at archlinux.org
Fri Jun 18 23:08:00 EDT 2010 

On 19/06/10 03:45, Denis A. Altoé Falqueto wrote:
> Hi guys. One more of those long boring emails... sorry.
>
> See this situation: let's say we sign packages and the repo.db and the
> signatures are all dettached, in the same directory as their
> corresponding files. If some cracker breaks into the machine and
> deletes the signatures, pacman will not be able to know if the
> packages and repo.db were signed or not. So, it would be necessary to
> have some way to indicate that a repository is signed or not and this
> information must be kept in such a way that an intruder can't change.

The signatures are currently placed in the repo-db.   So only the repo 
db needs downloaded and not individual signatures.   If an attacker 
deletes the repo database and its signature, that is probably the least 
of our issues...    There will be many copies of a recent signed 
database that we can recover all the signatures from.

> Another factor to consider is that the signature verification should
> be optional for each system. I mean, if a user doesn't care about
> signatures, he should be able to say "pacman, I can't care less about
> signatures, please". So, I believe that the best place for such
> information should be in the pacman.conf file, in each repository
> section. Maybe one cares about signature in one repository but not for
> another. And we would spread the attack surface for the entire user
> base, instead of concentrating it only on the server or mirrors.

I thought that this was already implemented.


> For the repository update, it would be like this:
>
> 1. for each repository
>    1.1. download the repo.db
>    1.2. if it is signed

(and signature checking is enabled for that repo)

>      1.2.1. download the signature
>      1.2.2. check the signature
>    1.3. extract the db to its right place, as today
 >
> For the package verification, it would be like this:
>
> 1. downloads the package
> 2. if the signature is enabled for the repository
>    2.1. if the package is signed (this information must come from repo.db)
>      2.1.1. download the signature for the package

No need for that step. The signature is in repo.db

>      2.1.2. checks the signature
>
> For installation of local packages, I am not very worried about
> signatures. It could be optional, indicated via parameter.

Agreed.

> Well, I think that to store the new information, we'll have to break
> the ABI, isn't it? Sorry to say this just a few days after the new
> release... Maybe we could have put some new fields to future use.

Breaking API happens every major release.  It is nothing to be very 
concerned about.

Allan

More information about the pacman-dev mailing list