snapcraft part sources are not verified for authenticity

Bug #1626632 reported by Chad Miller on 2016-09-22
Affects: Snapcraft
Importance: Undecided
Assigned to: Unassigned

Bug Description

As we well know in the world of Ubuntu/Debian, critical resources are often served over unauthenticated, unencrypted streams, and later verified with cryptographic signatures. That we do this is our only justification for continuing to use cleartext protocols like HTTP to serve images and such. We think it's important and obvious.

snapcraft does not check if a downloaded source is verified before using that source and obscuring its contents.

I think almost every source type could be verified.

Example:

    plugin: autotools
    source: https://www.torproject.org/dist/tor-0.2.8.7.tar.gz
    source-signer-keys: [ 0x28988BF5, 0x19F78451, 0x165733EA, 0x8D29319A ]

For zipfiles or tarballs, the steps are obvious. Also download source + ".asc". Check if it's signed with any of the keys whose IDs are in the signers list and that the signature matches content.
"gpg --verify sourcefile.asc sourcefile"

For bzr and git, verify that the most recent commit is signed with any such key.

For PPAs, verify that they are signed with keys (perhaps already handled by APT).

That leaves hg and svn, which I don't know enough about, and local, which doesn't make sense.

(Incidentally, print warnings to discourage listing 32-bit ids like example uses. They're too weak.)

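Added here as an illustration, not code from snapcraft or from the reporter: a Python sketch of the zipfile/tarball branch of the proposed check, with gpg's machine-readable `--status-fd` output parsed so that the decision rests on the signer's full fingerprint being in the `source-signer-keys` list, not merely on `gpg --verify` exiting 0 (a good signature from the wrong key also exits 0). The function names, the sample status lines and the fingerprint in them are constructed; only the `VALIDSIG`/`GOODSIG`/`EXPKEYSIG` line shapes follow GnuPG's documented status format.

```python
# Added example, not snapcraft's own code: a sketch of the "source-signer-keys"
# check proposed in the report. gpg's --status-fd output is parsed so the
# decision rests on the signer's full fingerprint rather than on gpg's exit
# status. verify_source, SAMPLE_STATUS and the fingerprint below are
# hypothetical/constructed.
import re
import subprocess
import warnings
from typing import List, Tuple

# Status line shape, per GnuPG's doc/DETAILS:
# VALIDSIG <fpr> <sig-date> <sig-ts> <exp-ts> <ver> <rsv> <pk-algo> <hash-algo> <class> [<primary-fpr>]
_VALIDSIG = re.compile(
    r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40})(?: \S+){8}(?: ([0-9A-F]{40}))?", re.M)
# gpg still emits VALIDSIG for an expired or revoked signing key, so those
# conditions must be rejected explicitly.
_KEY_PROBLEM = re.compile(r"^\[GNUPG:\] (?:EXPKEYSIG|REVKEYSIG|BADSIG|ERRSIG)\b", re.M)

# Constructed status output shaped like gpg's report of a good signature.
# The fingerprint is fake; it just has to be 40 hex digits.
_FPR = "0123456789ABCDEF0123456789ABCDEF0123ABCD"
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG {_FPR[-16:]} Example Signer <signer@example.org>\n"
    f"[GNUPG:] VALIDSIG {_FPR} 2016-09-20 1474329600 0 4 0 1 10 00 {_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)


def normalize_key_id(key: str) -> str:
    """Canonicalise '0x28988BF5', '28988bf5' or a 40-hex fingerprint to upper-case hex.
    Warns on 32- and 64-bit ids: short ids can be collided by brute force, so
    only the full fingerprint actually pins a signer."""
    k = key.strip().upper()
    if k.startswith("0X"):
        k = k[2:]
    if not re.fullmatch(r"[0-9A-F]{8}|[0-9A-F]{16}|[0-9A-F]{40}", k):
        raise ValueError(f"not a key id or fingerprint: {key!r}")
    if len(k) < 40:
        warnings.warn(f"{key}: {len(k) * 4}-bit key id is too weak to pin a signer; "
                      "list the full fingerprint instead")
    return k


def parse_validsig(status: str) -> List[Tuple[str, str]]:
    """Return (signing-key fpr, primary-key fpr) for every VALIDSIG line.
    Signatures are often made by a subkey, so the primary is reported too."""
    return [(m.group(1), m.group(2) or m.group(1)) for m in _VALIDSIG.finditer(status)]


def signer_allowed(status: str, allowed: List[str]) -> Tuple[bool, str]:
    """Decide from gpg status output whether the signature is good AND was made
    by a listed key. A key id is the tail of its fingerprint, so short ids are
    matched by suffix and full fingerprints match exactly. Web-of-trust state
    (TRUST_UNDEFINED etc.) is irrelevant here: the allow-list is the policy."""
    if _KEY_PROBLEM.search(status):
        return False, "signature bad, unverifiable, or made by an expired/revoked key"
    wanted = [normalize_key_id(k) for k in allowed]
    for fpr, primary in parse_validsig(status):
        for w in wanted:
            if fpr.endswith(w) or primary.endswith(w):
                return True, fpr
    return False, "no valid signature from a listed key"


def verify_source(source: str, sig: str, allowed: List[str], keyring: str) -> Tuple[bool, str]:
    """Run gpg against a dedicated keyring that already holds the listed keys
    and judge the result with signer_allowed. Needs gpg on PATH; not run by
    the offline checks."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig, source],
        capture_output=True, text=True, check=False)
    # proc.returncode alone is not enough: a good signature from an
    # unlisted key that happens to be in the keyring also returns 0.
    return signer_allowed(proc.stdout, allowed)
```

For the report's example part this would be called as `verify_source("tor-0.2.8.7.tar.gz", "tor-0.2.8.7.tar.gz.asc", ["0x28988BF5", "0x19F78451", "0x165733EA", "0x8D29319A"], "snapcraft-signers.gpg")`, and each of those 32-bit ids would trigger the weak-id warning the report asks for. Matching on the primary fingerprint as well as the signing subkey matters because maintainers routinely sign releases with a subkey while publishing the primary fingerprint.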
Chad Miller (cmiller) on 2016-09-22
description: updated
Sergio Schvezov (sergiusens) wrote :

Sounds good.

Changed in snapcraft:
status: New → Triaged
Michael Hudson-Doyle (mwhudson) wrote :

Any chance of anything happening here? :)
