NetBSD Problem Report #56015
From jschauma@netmeister.org Tue Feb 23 16:41:52 2021
Return-Path: <jschauma@netmeister.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 827EC1A921F
for <gnats-bugs@gnats.NetBSD.org>; Tue, 23 Feb 2021 16:41:52 +0000 (UTC)
Message-Id: <20210223164149.482978561C@panix.netmeister.org>
Date: Tue, 23 Feb 2021 11:41:49 -0500 (EST)
From: jschauma@netmeister.org
Reply-To: jschauma@netmeister.org
To: gnats-bugs@NetBSD.org
Subject: 'pkg_admin audit -s' allows signature from unvalidated key
X-Send-Pr-Version: 3.95
>Number: 56015
>Category: pkg
>Synopsis: 'pkg_admin audit -s' allows signature from unvalidated key
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Feb 23 16:45:00 +0000 2021
>Originator: Jan Schaumann
>Release: NetBSD 8.0
>Organization:
>Environment:
System: NetBSD panix.netmeister.org 8.0 NetBSD 8.0 (PANIX-VC) #0: Fri May 3 16:47:37 EDT 2019 root@juggler.panix.com:/misc/obj64/misc/devel/netbsd/8.0/src/sys/arch/amd64/compile/PANIX-VC amd64
Architecture: x86_64
Machine: amd64
>Description:
When running 'pkg_admin audit -s', merely having imported the pkgsrc-security@ key
appears to be sufficient for validation. That is, even though the key is not validated,
'pkg_admin audit' will accept the signature.
Now this can be interpreted to be correct in that validation of the signature
does correctly take place, but from a trust perspective, it seems surprising
that a signature from an unvalidated key is accepted.
For example:
$ gzip -d -c /var/db/pkg/pkg-vulnerabilities | gpg --verify
gpg: Signature made Tue Feb 23 11:51:37 2021 UTC using RSA key ID 3A3A469E
gpg: Good signature from "pkgsrc Security Team <pkgsrc-security@pkgsrc.org>"
gpg:                 aka "pkgsrc Security Team <pkgsrc-security@NetBSD.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FD70 3B89 644C 8B64 0DE9 4281 1F59 1DA3 3A3A 469E
$ echo $?
0
This shows that the signature is valid, but also gives us a warning that
the key is not verified.
Ideally, 'pkg_admin audit' would require the key to be validated (i.e.,
gpg was able to build a trustpath to a fully trusted key from the signatures
on the key) or at least show a warning like gpg does above.
After all, a signature being valid does not provide any security guarantees
beyond integrity without assurance of authenticity.
>How-To-Repeat:
pkg_admin audit -s
>Fix:
Perhaps an additional flag that mandates a validated key in addition to a valid
signature? That way, 'pkg_admin audit -s' would retain the current behavior,
but people seeking full validation could run 'pkg_admin audit -sv' or something
like that.
>Unformatted:
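Added example, not part of the PR and not pkg_admin's or pkg_install's code: a POSIX shell check that implements what the Fix section asks for. gpg exits 0 for any good signature, so the exit status alone cannot distinguish a validated signer from an unvalidated one; the machine-readable output requested with --status-fd reports the trust level on a separate TRUST_* line. The status lines embedded below are constructed samples modelled on the format documented in GnuPG's doc/DETAILS (they were not captured from a real run), and the 16-digit key ID in them is the low 64 bits of the fingerprint quoted in the report. Function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the PR or from pkg_admin.
# gpg exits 0 for any GOODSIG, including one from a key with no trust path
# (the warning quoted in the report is printed, but the exit status is 0).
# The --status-fd output carries the trust level as its own line, so a
# caller can demand GOODSIG *and* TRUST_FULLY/TRUST_ULTIMATE.

# classify_status STATUS_TEXT
#   STATUS_TEXT is what gpg wrote to --status-fd ("[GNUPG:] KEYWORD ...").
#   Prints one word and returns:
#     validated   (0)  GOODSIG and the key has a full/ultimate trust path
#     unvalidated (2)  GOODSIG but no trust path (e.g. TRUST_UNDEFINED)
#     bad         (1)  no GOODSIG at all (BADSIG, NO_PUBKEY, EXPKEYSIG, ...)
classify_status() {
    status=$1
    if ! printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '; then
        echo bad
        return 1
    fi
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)( |$)'; then
        echo validated
        return 0
    fi
    echo unvalidated
    return 2
}

# verify_pkg_vulnerabilities [FILE]
#   The same pipeline as in the report, judged from the status lines instead
#   of the exit code. --status-fd 1 puts the status lines on stdout; the
#   human-readable messages go to stderr and are discarded. Needs gpg and
#   the file, so the self-test below does not call it.
verify_pkg_vulnerabilities() {
    file=${1:-/var/db/pkg/pkg-vulnerabilities}
    status=$(gzip -d -c "$file" | gpg --batch --status-fd 1 --verify 2>/dev/null)
    classify_status "$status"
}

# Constructed sample status output (not captured from a real gpg run).
# 1F591DA33A3A469E is the low 64 bits of the fingerprint in the report.
SAMPLE_UNVALIDATED='[GNUPG:] GOODSIG 1F591DA33A3A469E pkgsrc Security Team <pkgsrc-security@pkgsrc.org>
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_VALIDATED='[GNUPG:] GOODSIG 1F591DA33A3A469E pkgsrc Security Team <pkgsrc-security@pkgsrc.org>
[GNUPG:] TRUST_FULLY 0 pgp'
SAMPLE_BAD='[GNUPG:] BADSIG 1F591DA33A3A469E pkgsrc Security Team <pkgsrc-security@pkgsrc.org>'

# demo: the three outcomes. The first is the case the report describes,
# where gpg itself exits 0 and pkg_admin audit -s accepts the file.
demo() {
    for s in "$SAMPLE_UNVALIDATED" "$SAMPLE_VALIDATED" "$SAMPLE_BAD"; do
        rc=0
        result=$(classify_status "$s") || rc=$?
        first=$(printf '%s\n' "$s" | head -n 1)
        printf '%-11s exit=%d  (%s)\n' "$result" "$rc" "$first"
    done
}
demo
```

On the output quoted in the report, classify_status would print unvalidated and return 2: the signature is good, the signer is not validated, and that is exactly the distinction the report asks pkg_admin to surface. A stricter caller can treat anything but validated as failure; a caller that only wants the report's proposed warning can key off exit status 2.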
Copyright © 1994-2020
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.