click packages rely upon tls for integrity and authenticity
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical System Image | Fix Released | High | John McAleely |
Software Center Agent | Fix Released | Undecided | Ricardo Kirkner |
click (Ubuntu) | Fix Released | High | Michael Vogt |
ubuntu-download-manager (Ubuntu) | Fix Released | Critical | Manuel de la Peña |
Vivid | Won't Fix | Undecided | Unassigned |
ubuntu-system-settings (Ubuntu) | Fix Released | Critical | Manuel de la Peña |
unity-scope-click (Ubuntu) | Fix Released | High | Alejandro J. Cura |
Bug Description
Hello, I just completed a quick review of the click source and the unity-scope-click source and behaviours, and found some opportunities for improvement.
Debian, and Ubuntu, rely upon signed repository files with cryptographic hashes of packages to provide both integrity and authenticity checks for the packages hosted on that repository.
The click framework and the unity-scope-click discovery and installation tool do not use signed repository files, nor do they have signatures of any sort on downloaded packages. The only integrity and authenticity checks are provided by the use of HTTPS. The click verify command will check files within the archive against MD5sums stored inside the archive but the click verify command is not used during package installation. (This is suitable for validating integrity against accidental changes only.)
While it appears that unity-scope-click properly uses HTTPS to download package metadata and packages, HTTPS alone is insufficient for our needs:
- Someone in a position to create new certificates at any of several hundred certificate authorities could create certificates purporting to be our update servers. This actual problem has been discovered in the wild with several certificate authorities issuing wild-card certificates or even certificates with signing authority.
- X.509 is extremely complicated; TLS is extremely complicated. Flaws in both are inevitable.
- HTTPS prevents the use of caching.
- HTTPS only 'works' for data-in-motion; it is useless for data-at-rest integrity and authenticity checks.
I have not yet reviewed the tools that application authors will use to upload their packages to our distribution servers but note in passing that most of these issues are also issues for adding packages to our update servers -- packages in flight within our network can be corrupted for many reasons, packages on disk can be corrupted for many reasons. A signature mechanism can protect against internal network faults, storage faults, and provide assurance months or years later that an uploaded package was uploaded by someone in control of a corresponding private key.
Thanks
Related branches
- PS Jenkins bot (community): Approve (continuous-integration)
- Colin Watson: Approve
- Diff: 566 lines (+438/-6), 7 files modified:
click/commands/install.py (+6/-1)
click/commands/verify.py (+6/-1)
click/install.py (+52/-1)
click/tests/test_install.py (+23/-0)
debian/tests/control (+1/-1)
tests/integration/test_signatures.py (+346/-0)
tests/integration/test_verify.py (+4/-2)
- Paweł Stołowski (community): Approve
- dobey (community): Approve
- PS Jenkins bot (community): Approve (continuous-integration)
- Alejandro J. Cura (community): Abstain
- Diff: 686 lines (+217/-54), 18 files modified:
libclickscope/click/download-manager.cpp (+11/-10)
libclickscope/click/download-manager.h (+3/-3)
libclickscope/click/package.cpp (+5/-0)
libclickscope/click/package.h (+2/-0)
libclickscope/click/preview.cpp (+37/-13)
libclickscope/click/preview.h (+23/-10)
libclickscope/tests/fake_json.cpp (+1/-0)
libclickscope/tests/test_download_manager.cpp (+3/-2)
libclickscope/tests/test_index.cpp (+2/-0)
libclickscope/tests/test_preview.cpp (+39/-0)
scope/clickapps/apps-query.h (+0/-1)
scope/clickapps/apps-scope.cpp (+3/-1)
scope/clickstore/store-query.h (+0/-1)
scope/clickstore/store-scope.cpp (+7/-1)
scope/tests/CMakeLists.txt (+1/-0)
scope/tests/download_manager_tool/download_manager_tool.cpp (+10/-10)
scope/tests/download_manager_tool/download_manager_tool.h (+2/-2)
scope/tests/test_store_scope.cpp (+68/-0)
- PS Jenkins bot: Approve (continuous-integration)
- Sebastien Bacher (community): Needs Information
- Diff: 243 lines (+82/-8), 8 files modified:
plugins/system-update/PageComponent.qml (+7/-5)
plugins/system-update/download_tracker.cpp (+2/-1)
plugins/system-update/download_tracker.h (+5/-1)
plugins/system-update/network/network.cpp (+2/-0)
plugins/system-update/update.cpp (+1/-0)
plugins/system-update/update.h (+5/-0)
plugins/system-update/update_manager.cpp (+0/-1)
tests/autopilot/ubuntu_system_settings/utils/mock_update_click_server.py (+60/-0)
- PS Jenkins bot: Approve (continuous-integration)
- Ubuntu Touch System Settings: Pending requested
- Diff: 229 lines (+79/-6), 7 files modified:
plugins/system-update/PageComponent.qml (+1/-0)
plugins/system-update/download_tracker.cpp (+5/-5)
plugins/system-update/download_tracker.h (+5/-1)
plugins/system-update/network/network.cpp (+2/-0)
plugins/system-update/update.cpp (+1/-0)
plugins/system-update/update.h (+5/-0)
tests/autopilot/ubuntu_system_settings/utils/mock_update_click_server.py (+60/-0)
- Sebastien Bacher (community): Approve
- PS Jenkins bot: Approve (continuous-integration)
- Diff: 224 lines (+77/-5), 7 files modified:
plugins/system-update/PageComponent.qml (+1/-0)
plugins/system-update/download_tracker.cpp (+3/-4)
plugins/system-update/download_tracker.h (+5/-1)
plugins/system-update/network/network.cpp (+2/-0)
plugins/system-update/update.cpp (+1/-0)
plugins/system-update/update.h (+5/-0)
tests/autopilot/ubuntu_system_settings/utils/mock_update_click_server.py (+60/-0)
- Alfonso Sanchez-Beato: Approve
- PS Jenkins bot: Approve (continuous-integration)
- Ricardo Salveti (community): Needs Information
- Diff: 2471 lines (+762/-264), 63 files modified:
CMakeLists.txt (+2/-2)
debian/changelog (+6/-0)
debian/control (+24/-24)
debian/libubuntu-download-manager-client1.install (+1/-1)
debian/libubuntu-download-manager-client1.symbols (+17/-1)
debian/libubuntu-download-manager-common1.install (+1/-1)
debian/libubuntu-download-manager-common1.symbols (+1/-1)
debian/libubuntu-upload-manager-common1.install (+1/-1)
debian/libubuntu-upload-manager-common1.symbols (+1/-1)
debian/libudm-common-dev.install (+1/-0)
debian/libudm-common1.install (+1/-1)
debian/libudm-common1.symbols (+29/-17)
debian/libudm-priv-common1.install (+1/-1)
docs/dbus/com.canonical.applications.download.xml (+5/-0)
docs/dbus/com.canonical.applications.testing.download_manager.xml (+7/-0)
src/common/public/CMakeLists.txt (+2/-0)
src/common/public/ubuntu/transfers/errors/auth_error_struct.cpp (+6/-5)
src/common/public/ubuntu/transfers/errors/auth_error_struct.h (+9/-12)
src/common/public/ubuntu/transfers/errors/hash_error_struct.cpp (+96/-0)
src/common/public/ubuntu/transfers/errors/hash_error_struct.h (+122/-0)
src/common/public/ubuntu/transfers/errors/http_error_struct.cpp (+2/-2)
src/common/public/ubuntu/transfers/errors/http_error_struct.h (+3/-5)
src/common/public/ubuntu/transfers/errors/network_error_struct.cpp (+2/-2)
src/common/public/ubuntu/transfers/errors/network_error_struct.h (+3/-6)
src/common/public/ubuntu/transfers/errors/process_error_struct.cpp (+7/-7)
src/common/public/ubuntu/transfers/errors/process_error_struct.h (+8/-11)
src/downloads/client/symbols.map (+6/-0)
src/downloads/client/ubuntu/download_manager/download_impl.cpp (+14/-1)
src/downloads/client/ubuntu/download_manager/download_impl.h (+3/-4)
src/downloads/client/ubuntu/download_manager/download_interface.cpp (+1/-1)
src/downloads/client/ubuntu/download_manager/download_interface.h (+2/-1)
src/downloads/client/ubuntu/download_manager/error.cpp (+88/-22)
src/downloads/client/ubuntu/download_manager/error.h (+71/-6)
src/downloads/client/ubuntu/download_manager/manager_impl.cpp (+3/-1)
src/downloads/common/ubuntu/download_manager/metatypes.h (+4/-4)
src/downloads/priv/ubuntu/downloads/download_adaptor.h (+5/-0)
src/downloads/priv/ubuntu/downloads/file_download.cpp (+2/-1)
src/downloads/priv/ubuntu/downloads/file_download.h (+2/-1)
src/downloads/priv/ubuntu/downloads/manager.cpp (+1/-0)
src/downloads/test-daemon/testing_daemon.cpp (+12/-1)
src/downloads/test-daemon/testing_daemon.h (+3/-4)
src/downloads/test-daemon/testing_file_download.cpp (+17/-1)
src/downloads/test-daemon/testing_file_download.h (+5/-4)
src/downloads/test-daemon/testing_interface.cpp (+1/-1)
src/downloads/test-daemon/testing_interface.h (+8/-1)
src/downloads/test-daemon/testing_manager.cpp (+12/-3)
src/downloads/test-daemon/testing_manager.h (+3/-4)
src/downloads/test-daemon/testing_manager_adaptor.cpp (+9/-1)
src/downloads/test-daemon/testing_manager_adaptor.h (+7/-1)
src/downloads/test-daemon/ubuntu-download-manager-test-daemon.pro.THIS (+0/-44)
tests/common/daemon_testcase.cpp (+26/-3)
tests/common/daemon_testcase.h (+3/-4)
tests/common/testing_interface.cpp (+1/-1)
tests/common/testing_interface.h (+8/-1)
tests/downloads/client/CMakeLists.txt (+7/-6)
tests/downloads/client/test_client_download.cpp (+37/-1)
tests/downloads/client/test_client_download.h (+4/-4)
tests/downloads/client/test_client_manager.cpp (+1/-1)
tests/downloads/client/test_group_manager_watch.h (+3/-5)
tests/downloads/daemon/CMakeLists.txt (+2/-1)
tests/downloads/daemon/test_download.cpp (+3/-1)
tests/downloads/daemon/test_final_state.cpp (+0/-4)
tests/downloads/qml/CMakeLists.txt (+30/-24)
- PS Jenkins bot: Approve (continuous-integration)
- Ubuntu Phablet Team: Pending requested
- Diff: 0 lines
Changed in click-package-index:
  assignee: nobody → Ricardo Kirkner (ricardokirkner)
Changed in unity-scope-click (Ubuntu):
  assignee: nobody → Alejandro J. Cura (alecu)
affects: click-package-index → software-center-agent
tags: added: updates
Changed in click (Ubuntu):
  status: New → In Progress
  importance: Undecided → High
Changed in ubuntu-system-settings (Ubuntu):
  assignee: nobody → Diego Sarmentero (diegosarmentero)
  importance: Undecided → High
  status: New → Triaged
tags: added: rtm14
Changed in unity-scope-click (Ubuntu):
  importance: Undecided → High
Changed in click-package-index:
  assignee: nobody → James Tait (jamestait)
Changed in click-package-index:
  status: New → Fix Committed
Changed in click-package-index:
  assignee: James Tait (jamestait) → nobody
Changed in software-center-agent:
  status: New → In Progress
Changed in software-center-agent:
  status: In Progress → Fix Committed
Changed in click (Ubuntu):
  assignee: nobody → Michael Vogt (mvo)
Changed in unity-scope-click (Ubuntu):
  status: New → In Progress
Changed in software-center-agent:
  status: Fix Committed → Fix Released
Changed in click-package-index:
  status: Fix Committed → Fix Released
Changed in unity-scope-click (Ubuntu):
  status: In Progress → Fix Committed
tags: added: touch-2014-10-09
Changed in ubuntu-system-settings (Ubuntu):
  status: Triaged → In Progress
tags: added: touch-2014-10-16; removed: touch-2014-10-09
tags: added: touch-2014-10-23; removed: touch-2014-10-16
tags: added: ota-1; removed: touch-2014-10-23
no longer affects: unity-scope-click
Changed in ubuntu-system-settings (Ubuntu):
  assignee: Diego Sarmentero (diegosarmentero) → Sebastien Bacher (seb128)
Changed in ubuntu-system-settings (Ubuntu):
  assignee: Sebastien Bacher (seb128) → nobody
Changed in ubuntu-system-settings (Ubuntu):
  assignee: nobody → Ken VanDine (ken-vandine)
Changed in canonical-devices-system-image:
  assignee: nobody → Canonical Devices Products (canonical-devices-products-team)
  importance: Undecided → High
  milestone: none → r1
  status: New → Confirmed
Changed in ubuntu-system-settings (Ubuntu):
  status: In Progress → New
  status: New → Confirmed
  assignee: Ken VanDine (ken-vandine) → peterstan (stasnel)
Changed in ubuntu-system-settings (Ubuntu):
  assignee: Sebastien Bacher (seb128) → Manuel de la Peña (mandel)
Changed in ubuntu-system-settings (Ubuntu RTM):
  status: New → Confirmed
  importance: Undecided → Critical
  assignee: nobody → Manuel de la Peña (mandel)
Changed in canonical-devices-system-image:
  status: Confirmed → In Progress
  milestone: ww05-2015 → ww07-2015
Changed in canonical-devices-system-image:
  assignee: Canonical Devices Products (canonical-devices-products-team) → Bill Filler (bfiller)
  milestone: ww07-2015 → ww09-2015
Changed in ubuntu-download-manager (Ubuntu RTM):
  importance: Undecided → Critical
Changed in ubuntu-download-manager (Ubuntu):
  importance: Undecided → Critical
Changed in ubuntu-download-manager (Ubuntu RTM):
  status: New → Confirmed
Changed in ubuntu-download-manager (Ubuntu):
  status: New → Confirmed
  assignee: nobody → Manuel de la Peña (mandel)
Changed in ubuntu-download-manager (Ubuntu RTM):
  assignee: nobody → Manuel de la Peña (mandel)
Changed in canonical-devices-system-image:
  milestone: ww09-2015 → ww11-2015
Changed in canonical-devices-system-image:
  milestone: ww11-2015 → ww13-2015
no longer affects: ubuntu-download-manager (Ubuntu RTM)
no longer affects: ubuntu-system-settings (Ubuntu RTM)
Changed in canonical-devices-system-image:
  assignee: Bill Filler (bfiller) → Ricardo Salveti (rsalveti)
  milestone: ww13-2015 → ww17-2015
Changed in canonical-devices-system-image:
  assignee: Ricardo Salveti (rsalveti) → Canonical Phone Foundations (canonical-phonedations-team)
Changed in canonical-devices-system-image:
  milestone: ww17-2015 → ww21-2015
Changed in canonical-devices-system-image:
  assignee: Canonical Phone Foundations (canonical-phonedations-team) → John McAleely (john.mcaleely)
  milestone: ww21-2015 → ww26-2015
Changed in canonical-devices-system-image:
  status: In Progress → Fix Committed
Changed in canonical-devices-system-image:
  status: Fix Committed → Fix Released
Changed in ubuntu-system-settings (Ubuntu):
  status: In Progress → Fix Released
summary:
  - click packages rely upon tls for integrity and authenticity
  + Indications of Anxiety Disorder and Depression
description: updated
summary:
  - Indications of Anxiety Disorder and Depression
  + click packages rely upon tls for integrity and authenticity
description: updated
Changed in ubuntu-download-manager (Ubuntu Vivid):
  status: New → Won't Fix
Have we already defined what specific signature mechanism we want/need to implement server side? As far as I understand this, we'll need the following:
1. Upon upload of the click package, we compute a signature for it (what type of signature?)
2. We expose the computed signature somewhere public so that the click installer can compare it with its own computation before installing the package.
Please add any particular specifics we should consider when implementing this.
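Added illustration, not code from the click project or from anyone on this bug: a minimal stand-in for the archive layout the bug description discusses, showing why the md5sums check carried inside the archive only catches accidental corruption (any self-consistent build passes it), while a digest recorded at upload time and published separately from the package bytes, the shape of check the last comment sketches, does detect a package whose bytes differ from what was recorded. The function names, the tar layout and the use of Python's tarfile in place of the real click archive format are assumptions.

```python
import hashlib
import hmac
import io
import tarfile

def build_archive(files):
    """In-memory tar standing in for a click data archive: an md5sums member
    lists the MD5 of every other member, which is what click verify checks."""
    manifest = "".join(f"{hashlib.md5(d).hexdigest()}  {n}\n" for n, d in files.items())
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in list(files.items()) + [("md5sums", manifest.encode())]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def internal_md5sums_ok(archive):
    """click verify style check: each member against the md5sums carried
    inside the same archive. Catches accidental corruption only."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        members = {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}
    for line in members["md5sums"].decode().splitlines():
        digest, name = line.split("  ", 1)
        if hashlib.md5(members.get(name, b"")).hexdigest() != digest:
            return False
    return True

def publish_sha512(archive):
    """Digest an index could record for a package at upload time (assumed)."""
    return hashlib.sha512(archive).hexdigest()

def published_hash_ok(archive, expected_sha512):
    """Installer-side check against a digest obtained separately from the
    package bytes; compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(publish_sha512(archive), expected_sha512)

def demo():
    """Constructed inputs: the published build and a second build with
    different contents whose internal manifest is just as consistent."""
    published = build_archive({"bin/app": b"#!/bin/sh\necho v1\n"})
    recorded = publish_sha512(published)
    other = build_archive({"bin/app": b"#!/bin/sh\necho v2\n"})
    return (internal_md5sums_ok(published),          # True
            internal_md5sums_ok(other),              # True: no authenticity
            published_hash_ok(published, recorded),  # True
            published_hash_ok(other, recorded))      # False: mismatch caught
```

A digest published over the same HTTPS channel still inherits the TLS concerns listed in the description; a signature over that digest by a key the installer already trusts is what removes the dependence on the transport.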