NetBSD Problem Report #56015

From jschauma@netmeister.org  Tue Feb 23 16:41:52 2021
Return-Path: <jschauma@netmeister.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 827EC1A921F
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 23 Feb 2021 16:41:52 +0000 (UTC)
Message-Id: <20210223164149.482978561C@panix.netmeister.org>
Date: Tue, 23 Feb 2021 11:41:49 -0500 (EST)
From: jschauma@netmeister.org
Reply-To: jschauma@netmeister.org
To: gnats-bugs@NetBSD.org
Subject: 'pkg_admin audit -s' allows signature from unvalidated key
X-Send-Pr-Version: 3.95

>Number:         56015
>Category:       pkg
>Synopsis:       'pkg_admin audit -s' allows signature from unvalidated key
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Feb 23 16:45:00 +0000 2021
>Originator:     Jan Schaumann
>Release:        NetBSD 8.0
>Organization:

>Environment:


System: NetBSD panix.netmeister.org 8.0 NetBSD 8.0 (PANIX-VC) #0: Fri May 3 16:47:37 EDT 2019 root@juggler.panix.com:/misc/obj64/misc/devel/netbsd/8.0/src/sys/arch/amd64/compile/PANIX-VC amd64
Architecture: x86_64
Machine: amd64
>Description:

When running 'pkg_admin audit -s', merely having imported the pkgsrc-security@ key
appears to be sufficient for validation.  That is, even though the key is not validated,
'pkg_admin audit' will accept the signature.

Now this can be interpreted to be correct in that validation of the signature
does correctly take place, but from a trust perspective, it seems surprising
that a signature from an unvalidated key is accepted.

For example:

$ gzip -d -c /var/db/pkg/pkg-vulnerabilities | gpg --verify
gpg: Signature made Tue Feb 23 11:51:37 2021 UTC using RSA key ID 3A3A469E
gpg: Good signature from "pkgsrc Security Team <pkgsrc-security@pkgsrc.org>"
gpg:                 aka "pkgsrc Security Team <pkgsrc-security@NetBSD.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FD70 3B89 644C 8B64 0DE9  4281 1F59 1DA3 3A3A 469E
$ echo $0
0

This shows that the signature is valid, but also gives us a warning that
the key is not verified.

Ideally, 'pkg_admin audit' would require the key to be validated (i.e.,
gpg was able to build a trustpath to a fully trusted key from the signatures
on the key) or at least show a warning like gpg does above.

After all, a signature being valid does not provide any security guarantees
beyond integrity without assurance of authenticity.

>How-To-Repeat:

pkg_admin audit -s

>Fix:

Perhaps an additional flag that mandates a validated key in addition to a valid
signature?  That way, 'pkg_admin audit -s' would retain the current behavior,
but people seeking full validation could run 'pkg_admin audit -sv' or something
like that.
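As an added example (not part of this PR and not pkg_admin's own code), the following POSIX sh function implements the kind of check the report asks for: it reads gpg's machine-readable --status-fd output and treats a signature as accepted only when gpg reports TRUST_FULLY or TRUST_ULTIMATE for the signing key, while the "good signature, unvalidated key" case shown above gets its own distinct result. The function name, the exit codes and the sample status lines are assumptions constructed for this example; the status keywords (GOODSIG, BADSIG, ERRSIG, NO_PUBKEY, TRUST_*) are the ones gpg documents, and the fingerprint is the one quoted in the report.

```shell
#!/bin/sh
# Added example: classify a gpg verification by key trust, not just
# signature validity. Prints one word and returns a matching code:
#   trusted        (0) good signature, key is FULLY or ULTIMATE trusted
#   untrusted-key  (2) good signature, but gpg has no trust path to the key
#   invalid        (1) no good signature (BADSIG/ERRSIG/NO_PUBKEY or none)
#
# Real usage (replaces the printf in the samples below):
#   gzip -d -c /var/db/pkg/pkg-vulnerabilities \
#       | gpg --status-fd 1 --verify 2>/dev/null | classify_gpg_status
classify_gpg_status() {
    goodsig=0
    bad=0
    trust=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*) goodsig=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                bad=1 ;;
            "[GNUPG:] TRUST_"*)
                # Keep only the word after TRUST_, e.g. UNDEFINED or FULLY.
                trust=${line#"[GNUPG:] TRUST_"}
                trust=${trust%% *}
                ;;
        esac
    done
    if [ "$goodsig" -ne 1 ] || [ "$bad" -ne 0 ]; then
        echo invalid
        return 1
    fi
    case "$trust" in
        FULLY|ULTIMATE) echo trusted; return 0 ;;
        *)              echo untrusted-key; return 2 ;;
    esac
}

# Constructed sample status output (assumption): the situation in this PR,
# a good signature from an imported but uncertified key.
SAMPLE_UNTRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1F591DA33A3A469E pkgsrc Security Team <pkgsrc-security@pkgsrc.org>
[GNUPG:] VALIDSIG FD703B89644C8B640DE942811F591DA33A3A469E 2021-02-23 1614081097 0 4 0 1 10 00 FD703B89644C8B640DE942811F591DA33A3A469E
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample (assumption): same signature after a trust path to a
# fully trusted key exists.
SAMPLE_TRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1F591DA33A3A469E pkgsrc Security Team <pkgsrc-security@pkgsrc.org>
[GNUPG:] VALIDSIG FD703B89644C8B640DE942811F591DA33A3A469E 2021-02-23 1614081097 0 4 0 1 10 00 FD703B89644C8B640DE942811F591DA33A3A469E
[GNUPG:] TRUST_FULLY 0 pgp'

# Constructed sample (assumption): a tampered file, signature does not verify.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 1F591DA33A3A469E pkgsrc Security Team <pkgsrc-security@pkgsrc.org>'

# Run the samples through the classifier.
for s in "$SAMPLE_TRUSTED" "$SAMPLE_UNTRUSTED" "$SAMPLE_BAD"; do
    printf '%s\n' "$s" | classify_gpg_status || :
done
```

A caller that wants the strict behaviour the report suggests would treat only exit status 0 as success; a caller wanting the current 'pkg_admin audit -s' behaviour plus a warning would accept 0 and 2 but print a notice on 2.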


>Unformatted:
