Comment 22 for bug 638384

James Westby (james-w) wrote :

So, after further discussion with Loïc it's clear that we are currently discussing two different
issues in this bug

  * That the .debs included in the hwpack are not trusted by apt at hwpack-install time
  * That .debs downloaded from PPAs at hwpack-install time are not trusted

The bug is clearly about the former, and it is the larger issue being the common case, but
I was confused by early discussion in the life of hwpacks about the second issue. My comments
were about addressing that, and as such should be put to one side for now.

The issue is that apt inside the chroot at hwpack-install time can't check signatures of the
file:/// repo that we create due to it not being signed.

We have an immediate choice here:

  1) We could silence the warning without addressing the issue. This would mean that someone could Man In The Middle your download of the hwpack, and give you malicious content and it would be able to run code in a chroot on your host system (so able to do anything to your host), as well as in the target. This is pretty much true now, as most people won't actually check the content. In addition, someone could MITM your image download, with one containing a malicious dpkg and get the same thing.

  2) We could address the warning by signing the file:/// repo we create (or equivalently get the assurances we would need to do so and then bypass apt's checks for that repo)

I think most will agree that 2 is what we should go for here. In order to do this we need assurance of origin (we need to know that the hwpack "came from Linaro"), so we need a signature verifiable on the client against a public key we know to be controlled by Linaro.

The easiest way to do this is to sign the entire hwpack externally. We already do this (the .sha1sums.txt.asc files constitute this), so we could use that. This would mean however that users have to download those files, and then pass them to linaro-media-create to have the signature checked.

We have a proposal to do a "testdrive" script that will automate downloading the needed pieces and creating an image. That will be able to do this easily, but we haven't scheduled work on that script yet.
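The client-side check the comment proposes (download the .sha1sums.txt manifest and its .asc, verify the signature against a key known to belong to Linaro, then check the hwpack against the manifest before anything is unpacked or installed), as an added example written for this page. It is not code from linaro-media-create or linaro-image-tools. It assumes the .asc file is a detached OpenPGP signature over the manifest, that the caller supplies a keyring file containing only the Linaro public key, and that the gpg command line tool is installed; the manifest lines and file names used in the test are constructed.

```python
"""Verify a downloaded hwpack against its signed sha1sums manifest.

Order matters: the signature over the manifest is checked first, and only a
manifest that passes is parsed and used to check the downloaded files.  A
manifest that has not been verified is attacker-controlled data.
"""
import hashlib
import os
import subprocess
from typing import Dict, List

HEX = set("0123456789abcdef")


def parse_sha1sums(text: str) -> Dict[str, str]:
    """Parse sha1sum(1) output ('<40 hex>  <name>' per line) into name -> digest.

    Rejects malformed digests and any name carrying a directory component, so a
    manifest cannot point the checker at files outside the download directory.
    """
    sums: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' = binary mode
        if len(digest) != 40 or not set(digest) <= HEX:
            raise ValueError(f"bad SHA-1 digest on line {lineno}: {parts[0]!r}")
        if not name or os.path.basename(name) != name or name in (".", ".."):
            raise ValueError(f"refusing path in manifest on line {lineno}: {name!r}")
        sums[name] = digest
    return sums


def sha1_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-1 (hwpacks are large; do not read them whole)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_manifest_signature(manifest: str, signature: str, keyring: str) -> bool:
    """Check the detached signature on the manifest using ONLY the given keyring.

    --no-default-keyring keeps the user's own keys out of the decision and
    --trust-model always accepts the key on the strength of it being in the
    keyring we chose, which is the 'key we know to be controlled by Linaro'.
    """
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
           "--trust-model", "always", "--verify", signature, manifest]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def check_files(download_dir: str, sums: Dict[str, str]) -> List[str]:
    """Return the manifest entries that are missing or whose digest mismatches."""
    bad: List[str] = []
    for name, digest in sums.items():
        path = os.path.join(download_dir, name)
        if not os.path.isfile(path) or sha1_of_file(path) != digest:
            bad.append(name)
    return bad


def verify_hwpack(download_dir: str, manifest_name: str, keyring: str) -> List[str]:
    """Full chain: signature over manifest, then files against manifest.

    Returns the list of verified file names; raises on any failure so callers
    cannot accidentally continue with unverified content.
    """
    manifest = os.path.join(download_dir, manifest_name)
    if not verify_manifest_signature(manifest, manifest + ".asc", keyring):
        raise RuntimeError(f"signature on {manifest_name} did not verify")
    with open(manifest, encoding="utf-8") as f:
        sums = parse_sha1sums(f.read())
    bad = check_files(download_dir, sums)
    if bad:
        raise RuntimeError("digest mismatch or missing file: " + ", ".join(bad))
    return sorted(sums)


if __name__ == "__main__":
    import sys
    # Hypothetical usage (paths are placeholders, not real release artifacts):
    #   python verify_hwpack.py ./downloads hwpack_foo.sha1sums.txt linaro.gpg
    print(verify_hwpack(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Only files named in the verified manifest should ever be handed to the unpack or install step; anything else in the download directory is unverified. SHA-1 is what the manifest format uses, so the integrity guarantee here rests on the signature over the manifest rather than on the digest's collision resistance; a stronger digest would be preferable if the format were being redesigned.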