Activity log for bug #1626632

Date Who What changed Old value New value Message
2016-09-22 16:02:24 Chad Miller bug added bug
2016-09-22 16:04:55 Chad Miller description
Old value:
As we well know in the world of Ubuntu/Debian, critical resources are often served over unauthenticated, unencrypted streams, and later verified with cryptographic signatures. That we do this is our only justification for continuing to use cleartext protocols like HTTP to serve images and such. We think it's important and obvious.

snapcraft does not check if a downloaded source is verified before using that source and obscuring its contents. I think almost every source type could be verified. Example:

    plugin: autotools
    source: https://www.torproject.org/dist/tor-0.2.8.7.tar.gz
    source-signer-keys: [ 0x28988BF5, 0x19F78451, 0x165733EA, 0x8D29319A ]

For zipfiles or tarballs, the steps are obvious. Also download source + ".asc". Check if it's signed with any of the keys whose IDs are in the signers list. For bzr and git, verify that the most recent commit is signed with any such key. For PPAs, verify that they are signed with keys (perhaps already handled by APT). That leaves hg and svn, which I don't know enough about, and local, which doesn't make sense.

(Incidentally, print warnings to discourage listing 32-bit ids like the example uses. They're too weak.)

New value:
As we well know in the world of Ubuntu/Debian, critical resources are often served over unauthenticated, unencrypted streams, and later verified with cryptographic signatures. That we do this is our only justification for continuing to use cleartext protocols like HTTP to serve images and such. We think it's important and obvious.

snapcraft does not check if a downloaded source is verified before using that source and obscuring its contents. I think almost every source type could be verified. Example:

    plugin: autotools
    source: https://www.torproject.org/dist/tor-0.2.8.7.tar.gz
    source-signer-keys: [ 0x28988BF5, 0x19F78451, 0x165733EA, 0x8D29319A ]

For zipfiles or tarballs, the steps are obvious. Also download source + ".asc". Check if it's signed with any of the keys whose IDs are in the signers list and that the signature matches content. "gpg --verify sourcefile.asc sourcefile" For bzr and git, verify that the most recent commit is signed with any such key. For PPAs, verify that they are signed with keys (perhaps already handled by APT). That leaves hg and svn, which I don't know enough about, and local, which doesn't make sense.

(Incidentally, print warnings to discourage listing 32-bit ids like the example uses. They're too weak.)
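The tarball check proposed in the description (download source + ".asc", run gpg --verify, accept only if the signer is one of the listed keys, warn about 32-bit key IDs) can be sketched as follows. This is an added example, not snapcraft's code and not part of the bug report: `source-signer-keys` is the field name the report proposes, not an existing snapcraft key; the `[GNUPG:] GOODSIG` / `VALIDSIG` / `BADSIG` lines are the machine-readable output gpg emits with `--status-fd`, and the sample status text and key fingerprints below are constructed for the example. The policy implemented is the report's: a signature is accepted only when gpg reports both GOODSIG and VALIDSIG and the signing key's fingerprint ends with one of the configured IDs (for v4 keys the long key ID is the low 64 bits of the fingerprint, and the short ID the low 32 bits), and any configured ID shorter than 64 bits produces a warning.

```python
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Constructed sample of gpg's --status-fd output for a good detached signature.
# Fingerprint and user ID are made up; the long key ID is the last 16 hex digits.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG AAAAAAAABBBBBBBBCCCCCCCC0123456789ABCDEF 2016-09-22 1474560000 0 4 0 1 10 00 AAAAAAAABBBBBBBBCCCCCCCC0123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed sample for a signature that does not match the content.
BAD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
"""

# gpg status keywords that must cause rejection regardless of anything else.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}


@dataclass
class VerifyResult:
    ok: bool
    fingerprint: Optional[str] = None
    matched_key: Optional[str] = None
    warnings: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)


def normalize_key_id(key: Union[int, str]) -> str:
    """Turn a configured key ID (YAML may hand us 0x28988BF5 as an int) into upper-case hex."""
    if isinstance(key, int):
        return format(key, "08X")  # keep at least the 8 digits of a short ID
    s = str(key).strip().upper().replace(" ", "")
    if s.startswith("0X"):
        s = s[2:]
    if not re.fullmatch(r"[0-9A-F]{8,40}", s):
        raise ValueError(f"not a key ID or fingerprint: {key!r}")
    return s


def key_id_warnings(key_ids: List[str]) -> List[str]:
    """The warning the report asks for: anything shorter than a 64-bit ID is too weak."""
    return [f"key id {k} is only {len(k) * 4} bits; list the long ID or full fingerprint instead"
            for k in key_ids if len(k) < 16]


def parse_status(status_text: str):
    """Extract the GOODSIG key ID, the VALIDSIG fingerprint and any failure lines."""
    good_key, valid_fpr, failures = None, None, []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        keyword = parts[1]
        if keyword == "GOODSIG":
            good_key = parts[2]
        elif keyword == "VALIDSIG":
            valid_fpr = parts[2].upper()
        elif keyword in FAILURE_KEYWORDS:
            failures.append(line)
    return good_key, valid_fpr, failures


def check_signature(status_text: str, allowed_keys: List[Union[int, str]]) -> VerifyResult:
    """Decide whether gpg's status output shows a good signature by an allowed key."""
    allowed = [normalize_key_id(k) for k in allowed_keys]
    result = VerifyResult(ok=False, warnings=key_id_warnings(allowed))
    good_key, fpr, failures = parse_status(status_text)
    if failures:
        result.errors.extend(failures)
        return result
    if good_key is None or fpr is None:
        result.errors.append("gpg reported no GOODSIG/VALIDSIG pair")
        return result
    result.fingerprint = fpr
    for k in allowed:
        if fpr.endswith(k):  # short/long key IDs are suffixes of the v4 fingerprint
            result.matched_key = k
            result.ok = True
            return result
    result.errors.append(f"signed by {fpr}, which is not in source-signer-keys")
    return result


def verify_detached(source_path: str, allowed_keys: List[Union[int, str]], gpg: str = "gpg") -> VerifyResult:
    """The full step from the report: verify <source>.asc against <source> with gpg.

    The signer's public key must already be in the keyring gpg uses; otherwise gpg
    reports NO_PUBKEY and the result is a rejection, never a silent pass.
    """
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", source_path + ".asc", source_path],
        capture_output=True, text=True, check=False)
    return check_signature(proc.stdout, allowed_keys)


if __name__ == "__main__":
    # Offline demonstration on the constructed status text.
    r = check_signature(SAMPLE_STATUS, [0x89ABCDEF])
    print("accepted:", r.ok, "warnings:", r.warnings)
    r = check_signature(SAMPLE_STATUS, [0x28988BF5, 0x19F78451, 0x165733EA, 0x8D29319A])
    print("accepted:", r.ok, "errors:", r.errors)
```

`check_signature` is the part that decides; `verify_detached` only wires it to a real gpg invocation, and is what a build tool would call after fetching the tarball and its `.asc`. Requiring both GOODSIG and VALIDSIG, and rejecting on any failure keyword, means an expired or revoked signing key is treated as a failure rather than as "a signature exists".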
2016-09-22 17:19:52 Sergio Schvezov snapcraft: status New Triaged