snapcraft part sources are not verified for authenticity

Bug #1626632 reported by Chad Miller
Affects     Status    Importance  Assigned to  Milestone
Snapcraft   Triaged   Undecided   Unassigned

Bug Description

As we well know in the world of Ubuntu/Debian, critical resources are often served over unauthenticated, unencrypted streams, and later verified with cryptographic signatures. That we do this is our only justification for continuing to use cleartext protocols like HTTP to serve images and such. We think it's important and obvious.

snapcraft does not check if a downloaded source is verified before using that source and obscuring its contents.

I think almost every source type could be verified.

Example:

    plugin: autotools
    source: https://www.torproject.org/dist/tor-0.2.8.7.tar.gz
    source-signer-keys: [ 0x28988BF5, 0x19F78451, 0x165733EA, 0x8D29319A ]

For zipfiles or tarballs, the steps are obvious. Also download source + ".asc". Check if it's signed with any of the keys whose IDs are in the signers list and that the signature matches the content.
"gpg --verify sourcefile.asc sourcefile"

For bzr and git, verify that the most recent commit is signed with any such key.

For PPAs, verify that they are signed with keys (perhaps already handled by APT).

That leaves hg and svn, which I don't know enough about, and local, which doesn't make sense.

(Incidentally, print warnings to discourage listing 32-bit IDs like the example uses. They're too weak.)
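The tarball check proposed above (fetch source plus ".asc", require a signature from one of the listed keys, warn about short key IDs), written out as an added Python example that is not part of snapcraft or of this report. It assumes gpg is on PATH with the signer keys already imported; `source-signer-keys` is the reporter's proposed field, not an existing snapcraft key, and the status-line parsing is kept separate from the gpg call so it can be exercised without a keyring.

```python
import re
import subprocess
import warnings
from typing import Iterable, Optional

# gpg --status-fd emits one VALIDSIG line per cryptographically valid signature:
# VALIDSIG <signing-key-fpr> <date> <ts> <expiry> <ver> <rsvd> <pk> <hash> <class> <primary-fpr>
VALIDSIG_RE = re.compile(
    r"^\[GNUPG:\] VALIDSIG (?P<fpr>[0-9A-F]+) .* (?P<primary>[0-9A-F]+)$", re.M)


def normalise_key_id(key_id: str) -> str:
    """Strip 0x, uppercase, and warn when the entry is shorter than a full
    40-hex fingerprint: 32-bit IDs are trivially collidable."""
    kid = key_id.upper()
    if kid.startswith("0X"):
        kid = kid[2:]
    if not re.fullmatch(r"[0-9A-F]{8,40}", kid):
        raise ValueError(f"not a hex key ID or fingerprint: {key_id}")
    if len(kid) < 40:
        warnings.warn(f"{key_id}: short key ID; list the full fingerprint instead")
    return kid


def signer_from_status(status: str, signer_keys: Iterable[str]) -> Optional[str]:
    """Return the allowed key ID whose key made a valid signature, or None.
    Both the signing (sub)key and the primary key fingerprint are compared,
    so a signing subkey of a listed primary key is accepted."""
    allowed = [normalise_key_id(k) for k in signer_keys]
    for m in VALIDSIG_RE.finditer(status):
        fprs = (m.group("fpr"), m.group("primary"))
        for kid in allowed:
            if any(f.endswith(kid) for f in fprs):
                return kid
    return None


def verify_source(source: str, signer_keys: Iterable[str],
                  signature: Optional[str] = None) -> str:
    """Run 'gpg --verify source.asc source' and require a listed signer.
    Trust (web of trust, key validity) is deliberately not consulted; the
    allow-list is the policy, exactly as the proposed field intends."""
    signature = signature or source + ".asc"
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, source],
        capture_output=True, text=True)
    kid = signer_from_status(proc.stdout, signer_keys)
    if kid is None:
        raise RuntimeError(f"{source}: no valid signature from an allowed key\n{proc.stderr}")
    return kid
```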

Chad Miller (cmiller)
description: updated
Sergio Schvezov (sergiusens) wrote :

Sounds good.

Changed in snapcraft:
status: New → Triaged
Michael Hudson-Doyle (mwhudson) wrote :

Any chance of anything happening here? :)
