Charms are not sufficiently tamper proof
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| pyjuju | Triaged | Low | Unassigned | |
Bug Description
The charm store security model relies a lot on transport level authentication.
~charmer member ---ssh---> launchpad ---> charm store ---> agent
Through all of this, the code that runs as root (the charm hooks) is authenticated only as coming from the immediate partner in the link. So launchpad trusts the ssh key to establish that the member is part of ~charmers and writes to it. Then the charm store trusts launchpad that the charm is the one that the member/team owned. Then the agent trusts the charm store that the charm it is downloading is the original charm owned by the ~charmers member.
But if any of the parties in that chain tamper with the payload, there is no way to detect that.
GPG signatures on the charm content should be required to transfer things into the charm store, and these signatures should be verified by each receiving party, so that none of them can be fooled by any one member of the chain.
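The design the report asks for, as an added example (not pyjuju's or the charm store's code): every receiving party checks a detached signature made with the author's key before accepting the payload, so a change made by any one intermediary is rejected at the next hop. Ed25519 from Go's standard library stands in for GPG here, and the key pair, the hops and the charm content are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedCharm: the charm archive bytes plus the ~charmers member's detached signature.
type SignedCharm struct {
	Content   []byte
	Signature []byte
}

// Sign is run once by the author (Ed25519 stands in for GPG here).
func Sign(priv ed25519.PrivateKey, content []byte) SignedCharm {
	return SignedCharm{Content: content, Signature: ed25519.Sign(priv, content)}
}

// Verify is run by every receiving party (launchpad, charm store, agent); it
// binds the content to the author's key regardless of which hop delivered it.
func Verify(pub ed25519.PublicKey, c SignedCharm) bool {
	return ed25519.Verify(pub, c.Content, c.Signature)
}

// Honest and Tampering model intermediaries forwarding the payload. Tampering
// edits the content but cannot re-sign it without the author's private key.
func Honest(c SignedCharm) SignedCharm { return c }
func Tampering(c SignedCharm) SignedCharm {
	altered := append(append([]byte{}, c.Content...), "\n# modified in transit"...)
	return SignedCharm{Content: altered, Signature: c.Signature}
}

// Deliver runs the chain, verifying at each receiver; returns the rejected hop index or -1.
func Deliver(pub ed25519.PublicKey, c SignedCharm, hops ...func(SignedCharm) SignedCharm) int {
	for i, h := range hops {
		if c = h(c); !Verify(pub, c) {
			return i
		}
	}
	return -1
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	charm := Sign(priv, []byte("hooks/install: constructed sample content"))
	fmt.Println(Deliver(pub, charm, Honest, Honest, Honest))    // -1: every party accepted
	fmt.Println(Deliver(pub, charm, Honest, Tampering, Honest)) // 1: rejected right after hop 1
}
```

With transport-only trust the same tampered payload would pass, because each party only knows who handed it over, not who produced it.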
Changed in juju:
importance: Undecided → Low
status: New → Triaged