any source package signature is not valid

Bug #1649097 reported by Vyacheslav
Affects: apt (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

In short:

The GPG key 105BE7F7, with which the 'linux' source package is signed, was revoked on 08/16/16 (4 months ago!)

How to reproduce:

$ apt-get source linux-image-$(uname -r)
...
Picking 'linux' as source package instead of 'linux-image-4.4.0-53-generic'
...
Get:2 http://ru.archive.ubuntu.com/ubuntu xenial-updates/main linux 4.4.0-53.74 (tar) [133 MB]
...
gpgv: Signature made Fri 02 Dec 2016 18:32:18 MSK using RSA key ID 105BE7F7
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./linux_4.4.0-53.74.dsc
...

### if you add this key:

$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 105BE7F7
$ apt-key list
...
pub 4096R/105BE7F7 2011-09-06
uid Brad Figg <email address hidden>
sub 4096R/F336E4D5 2011-09-06

pub 4096R/105BE7F7 2014-06-16 [revoked: 2016-08-16]
uid Brad Figg <email address hidden>

### THE KEY WAS REVOKED 4 MONTHS AGO!

### Additional info:
$ lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04

### My unmodified /etc/apt/sources.list in attachment.
### Note, /etc/apt/sources.list.d/ directory is empty.

Vyacheslav (slavanap) wrote :
Vyacheslav (slavanap)
affects: xubuntu-meta (Ubuntu) → ubuntu
information type: Private Security → Public Security
affects: ubuntu → apt (Ubuntu)
Seth Arnold (seth-arnold) wrote :

Thanks for the bug report.

This isn't as dire as it looks:

APT's security model is based on signed InRelease files that have sha256sums of all archive contents. In this case, the InRelease file will have a sha256sum for one of the Sources files, and that file will have a sha256sum for the linux source package files:

Checksums-Sha256:
 5c1141401c8f3468b2d5f71906aea181a8f7c9e195c4cc3252a085962bbf4f4d 9611 linux_4.4.0-53.74.dsc
 730e75919b5d30a9bc934ccb300eaedfdf44994ca9ee1d07a46901c46c221357 132860730 linux_4.4.0.orig.tar.gz
 5ad7a47f2bcb66858f26fb539e39e07724c676a8eca84239c850fa87c2900b0e 12162206 linux_4.4.0-53.74.diff.gz

If these sha256sums don't match what was downloaded, apt itself would throw an error.

All these files are in /var/lib/apt/lists/ .

The .dsc file is signed by whoever uploads the package for building to our buildfarm. Developers' keys change all the time. It's still useful to have the .dsc file to see what the builders saw, regardless of whether the signature on the file is from an expired key or not.

Now, where things get really interesting: You've used a 32 bit keyid to download the key from the keyservers. 32 bit keyids are not safe to use in this manner because it's relatively simple to generate keys with colliding 32 bit keyids. This was done for all keys in the 'strongly connected set' a few years ago, including Brad's key. When someone uploaded all these keys to the SKS keyservers, it was insanely confusing. So, the group that generated all the colliding keys generated revocation certificates for all the keys and uploaded them all, to kill them.

So, your command to download the key by 32 bit keyid downloaded _two_ keys -- Brad's real key, "11D6 ADA3 D9E8 3D93 ACBD 837F 0C7B 589B 105B E7F7", is not revoked:

$ gpg --check-sigs "11D6 ADA3 D9E8 3D93 ACBD 837F 0C7B 589B 105B E7F7"
pub 4096R/0C7B589B105BE7F7 2011-09-06
uid Brad Figg <email address hidden>
sig! 052F367018D5C3D8 2012-01-09 John Johansen <email address hidden>
sig! 5759F35001AA4A64 2011-12-10 Steve Langasek <email address hidden>
sig! 3D76C845FA1447CA 2011-09-06 Tim Gardner (4K key) <email address hidden>
sig! 8972F4DFDC6DC026 2011-12-09 Kees Cook <email address hidden>
sig! 2F099E8D005E81F4 2011-12-09 Steve Beattie <email address hidden>
sig-3 0C7B589B105BE7F7 2011-09-06 Brad Figg <email address hidden>
sig!3 0C7B589B105BE7F7 2011-09-06 Brad Figg <email address hidden>
sub 4096R/E79D7BDFF336E4D5 2011-09-06
sig! 0C7B589B105BE7F7 2011-09-06 Brad Figg <email address hidden>

1 bad signature
14 signatures not checked due to missing keys

My output may look different from yours because I added this to my ~/.gnupg/gpg.conf file:

keyid-format long

For more information, see https://evil32.com/

Thanks
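Working through the 32-bit key ID point in the comment above, as an added example that is not part of the original thread and not code from apt, dpkg or GnuPG: the script derives the long and short key IDs from the full fingerprint quoted above (they are simply its last 16 and 8 hex digits), then builds a constructed OpenPGP v4 Public-Key packet (placeholder MPIs, not a real RSA key) and brute-forces a second packet whose truncated key ID collides. It uses 16 bits so the search finishes instantly; the 32-bit short ID costs only 2^16 times more, which is why evil32.com could do it for the whole strong set. Iterating the creation timestamp is my illustration of one cheap degree of freedom an attacker has over their own key, not a claim about how the evil32 keys were produced.

```python
"""Added example: why a 32-bit OpenPGP key ID is not an identity.

Implements the v4 fingerprint of RFC 4880 section 12.2 over a constructed
Public-Key packet (placeholder MPIs, not a real key) and searches for a second
packet whose truncated key ID collides with it.
"""
import hashlib
import struct

# Full fingerprint of Brad Figg's real key, as quoted in the thread.
BRAD_FINGERPRINT = "11D6 ADA3 D9E8 3D93 ACBD 837F 0C7B 589B 105B E7F7"


def key_ids_from_fingerprint(fingerprint: str) -> tuple:
    """The long (64-bit) and short (32-bit) key IDs are just the tail of the fingerprint."""
    hex_fp = fingerprint.replace(" ", "").upper()
    if len(hex_fp) != 40:
        raise ValueError("a v4 fingerprint is 40 hex digits")
    return hex_fp[-16:], hex_fp[-8:]


def v4_public_key_body(created: int, algo: int, mpis: list) -> bytes:
    """Body of a version-4 Public-Key packet: version, creation time, algorithm, MPIs."""
    body = bytes([4]) + struct.pack(">I", created) + bytes([algo])
    for n in mpis:
        bits = n.bit_length()
        body += struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")
    return body


def v4_fingerprint(body: bytes) -> bytes:
    """SHA-1 over 0x99 || two-octet body length || body (RFC 4880, section 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def truncated_key_id(fingerprint: bytes, nbits: int) -> int:
    """Low nbits of the fingerprint; nbits=64 is the long ID, nbits=32 the short ID."""
    return int.from_bytes(fingerprint, "big") & ((1 << nbits) - 1)


def find_colliding_key(target_body: bytes, nbits: int, start: int = 0) -> tuple:
    """Vary only the creation timestamp until the low nbits of the key ID collide.

    Expected cost is about 2**nbits SHA-1 calls: instant for 16 bits, commodity
    GPU work for the 32-bit short ID, hopeless for the full 160-bit fingerprint.
    Returns (timestamp, colliding packet body).
    """
    target = truncated_key_id(v4_fingerprint(target_body), nbits)
    algo, mpi_area = target_body[5], target_body[6:]   # reuse the key material verbatim
    t = start
    while True:
        body = bytes([4]) + struct.pack(">I", t) + bytes([algo]) + mpi_area
        if body != target_body and truncated_key_id(v4_fingerprint(body), nbits) == target:
            return t, body
        t += 1


def demo(nbits: int = 16) -> tuple:
    """Build a constructed 2048-bit 'RSA' packet (fake modulus) and find a collider for it."""
    fake_modulus = int.from_bytes(hashlib.sha256(b"constructed modulus").digest() * 8, "big")
    # 1315267200 is 2011-09-06 00:00 UTC, the creation date shown in the thread; algo 1 = RSA
    genuine = v4_public_key_body(created=1315267200, algo=1, mpis=[fake_modulus, 65537])
    _, impostor = find_colliding_key(genuine, nbits)
    return genuine, impostor


if __name__ == "__main__":
    print("long/short key ID:", key_ids_from_fingerprint(BRAD_FINGERPRINT))
    for name, body in zip(("genuine", "impostor"), demo(16)):
        fp = v4_fingerprint(body)
        print(f"{name:9} fp={fp.hex()} low16={truncated_key_id(fp, 16):04x}")
```

Run it and the two packets print different full fingerprints with identical low 16 bits; the practical lesson is the one Seth gives: fetch and pin keys by the full 40-hex-digit fingerprint, never by the 8- or 16-digit ID.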

Seth Arnold (seth-arnold) wrote :

Julian, do you have any ideas how this could be handled better? I'm short on ideas here. The gpgv output seems useful but it's also potentially misleading.

Thanks

Vyacheslav (slavanap) wrote :

Reality check:
Does that mean that all source packages received via 'apt-get source' are not trusted by a clean Ubuntu installation?

Is there a safe way to get full public key (not short unsafe keyid) for a source package then?

Thanks

summary: - 'linux' source package signature is not valid
+ any source package signature is not valid
Julian Andres Klode (juliank) wrote :

APT does not care about those keys. dpkg verifies them while unpacking and gpgv here just prints a short key id instead of a fingerprint (long id is broken as well).

The only thing we could do is disable the gpg signature check in dpkg-source when APT calls it for a secure package (that is, pass --no-check to dpkg-source).

Seth Arnold (seth-arnold) wrote :

Vyacheslav, as long as your APT is properly configured, sources downloaded with apt-get source are trusted via the same mechanism used for binary packages.

If you attempt to download modified contents you'll get error messages like this:

$ apt-get source dash
Reading package lists... Done
NOTICE: 'dash' packaging is maintained in the 'Git' version control system at:
http://smarden.org/git/dash.git/
Please use:
git clone http://smarden.org/git/dash.git/
to retrieve the latest (possibly unreleased) updates to the package.
Need to get 299 kB of source archives.
Get:1 http://mirrors.kernel.org/ubuntu yakkety/main dash 0.5.8-2.3ubuntu1 (dsc) [1,882 B]
Get:2 http://mirrors.kernel.org/ubuntu yakkety/main dash 0.5.8-2.3ubuntu1 (tar) [223 kB]
Get:3 http://mirrors.kernel.org/ubuntu yakkety/main dash 0.5.8-2.3ubuntu1 (diff) [73.8 kB]
Err:3 http://mirrors.kernel.org/ubuntu yakkety/main dash 0.5.8-2.3ubuntu1 (diff)
  Hash Sum mismatch
Fetched 299 kB in 0s (10.4 MB/s)
E: Failed to fetch http://mirrors.kernel.org/ubuntu/pool/main/d/dash/dash_0.5.8-2.3ubuntu1.diff.gz Hash Sum mismatch

E: Failed to fetch some archives.

If you want to additionally verify the signature in the .dsc file for whichever developer uploaded the package to the build servers, you can do so:

sarnold@hunt:/tmp$ gpg --verify dash_0.5.8-2.3ubuntu1.dsc
gpg: Signature made Thu 28 Jul 2016 05:24:26 AM PDT
gpg: using RSA key BD7EAA60778FA6F5
gpg: Can't check signature: public key not found
sarnold@hunt:/tmp$ gpg --recv-key BD7EAA60778FA6F5
gpg: requesting key BD7EAA60778FA6F5 from hkp server keys.gnupg.net
gpg: key BD7EAA60778FA6F5: public key "Matthias Klose <email address hidden>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 24 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 24 signed: 19 trust: 20-, 0q, 0n, 4m, 0f, 0u
gpg: next trustdb check due at 2016-12-31
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
sarnold@hunt:/tmp$ gpg --verify dash_0.5.8-2.3ubuntu1.dsc
gpg: Signature made Thu 28 Jul 2016 05:24:26 AM PDT
gpg: using RSA key BD7EAA60778FA6F5
gpg: Good signature from "Matthias Klose <email address hidden>"
gpg: aka "Matthias Klose <email address hidden>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: D565 71B8 8A8B BAF1 40BF 63D6 BD7E AA60 778F A6F5
sarnold@hunt:/tmp$

Thanks
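The chain Seth describes in his two comments (signed InRelease pins the Sources index, the index pins the .dsc/.orig/.diff hashes, and a mismatch anywhere gives "Hash Sum mismatch") as an added, self-contained example; this is not code from apt or dpkg and not part of the original thread. All archive data is constructed in-process, the gpgv check of the InRelease signature against the archive keyring is assumed to have already passed (so the Release body is handled as trusted cleartext), and the .dsc is modelled without its PGP armour because its developer signature plays no part in what apt verifies. The two spoofing scenarios model the question a hostile mirror raises: a modified diff.gz with a .dsc rewritten to match it, and the same with the Sources index rewritten as well.

```python
"""Added example: the hash chain behind `apt-get source` (constructed data, no network)."""
import hashlib

SOURCES_PATH = "main/source/Sources"
ORIG = b"constructed stand-in for linux_4.4.0.orig.tar.gz\n"
DIFF = b"constructed stand-in for linux_4.4.0-53.74.diff.gz\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksum_lines(files: dict) -> str:
    """Render ' <sha256> <size> <name>' continuation lines, as Release, Sources and .dsc do."""
    return "".join(f" {sha256_hex(data)} {len(data)} {name}\n" for name, data in files.items())


def parse_release_sha256(release_text: str) -> dict:
    """Parse the 'SHA256:' section of a Release/InRelease body into {path: (hex, size)}."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):                 # any new field header ends the section
            in_section = line.strip() == "SHA256:"
        elif in_section and line.strip():
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_checksums_sha256(control_text: str, package: str) -> dict:
    """Checksums-Sha256 of the stanza whose Package (Sources) or Source (.dsc) is `package`."""
    for stanza in control_text.strip().split("\n\n"):
        fields, current = {}, None
        for line in stanza.splitlines():
            if line.startswith(" "):                 # continuation of the current field
                fields[current].append(line.strip())
            else:
                current, _, value = line.partition(":")
                fields[current] = [value.strip()] if value.strip() else []
        if [package] in (fields.get("Package"), fields.get("Source")):
            return {name: (digest, int(size))
                    for digest, size, name in (e.split() for e in fields["Checksums-Sha256"])}
    raise KeyError(f"no stanza for {package}")


def verify_source_download(release_text: str, sources_bytes: bytes, package: str, downloaded: dict) -> list:
    """Walk signed Release -> Sources index -> source files; return a list of problems.

    Like apt, an index whose hash does not match the signed Release is rejected outright
    and nothing below it is consulted. An empty list means every hash matched.
    """
    release = parse_release_sha256(release_text)
    if SOURCES_PATH not in release:
        return [f"{SOURCES_PATH} not listed in Release"]
    digest, size = release[SOURCES_PATH]
    if len(sources_bytes) != size or sha256_hex(sources_bytes) != digest:
        return [f"Hash Sum mismatch: {SOURCES_PATH}"]
    problems = []
    for name, (digest, size) in parse_checksums_sha256(sources_bytes.decode(), package).items():
        data = downloaded.get(name)
        if data is None:
            problems.append(f"missing: {name}")
        elif len(data) != size or sha256_hex(data) != digest:
            problems.append(f"Hash Sum mismatch: {name}")
    return problems


def dsc_internally_consistent(files: dict) -> bool:
    """The check dpkg-source does on extraction: tarballs against the .dsc's own hashes."""
    wanted = parse_checksums_sha256(files["linux_4.4.0-53.74.dsc"].decode(), "linux")
    return all(len(files[n]) == s and sha256_hex(files[n]) == d for n, (d, s) in wanted.items())


def build_archive(orig: bytes, diff: bytes) -> tuple:
    """Constructed toy archive: (Release body, Sources index bytes, {filename: bytes})."""
    tarballs = {"linux_4.4.0.orig.tar.gz": orig, "linux_4.4.0-53.74.diff.gz": diff}
    dsc = ("Format: 1.0\nSource: linux\nVersion: 4.4.0-53.74\nChecksums-Sha256:\n"
           + checksum_lines(tarballs)).encode()
    files = {"linux_4.4.0-53.74.dsc": dsc, **tarballs}
    sources = ("Package: linux\nVersion: 4.4.0-53.74\nDirectory: pool/main/l/linux\n"
               "Checksums-Sha256:\n" + checksum_lines(files)).encode()
    release = "Origin: Ubuntu\nSuite: xenial-updates\nSHA256:\n" + checksum_lines({SOURCES_PATH: sources})
    return release, sources, files


def honest_download() -> list:
    release, sources, files = build_archive(ORIG, DIFF)
    return verify_source_download(release, sources, "linux", files)


def spoofed_mirror_download() -> list:
    """Hostile mirror serves a modified diff.gz and a .dsc rewritten so its own hashes match.
    The .dsc is internally consistent, but the signed Release pins the genuine index."""
    release, sources, _ = build_archive(ORIG, DIFF)
    _, _, evil_files = build_archive(ORIG, DIFF + b"+backdoor\n")
    return verify_source_download(release, sources, "linux", evil_files)


def spoofed_index_download() -> list:
    """Mirror also rewrites the Sources index: caught one level up, by the Release hash."""
    release, _, _ = build_archive(ORIG, DIFF)
    _, evil_sources, evil_files = build_archive(ORIG, DIFF + b"+backdoor\n")
    return verify_source_download(release, evil_sources, "linux", evil_files)
```

Calling `honest_download()` returns an empty list; `spoofed_mirror_download()` flags both the .dsc and the diff.gz even though `dsc_internally_consistent()` is true for the attacker's files, and `spoofed_index_download()` stops at the index. That is the answer to the spoofed-mirror question: the developer's .dsc signature is irrelevant to the decision, and rewriting the .dsc's own checksums only moves the mismatch up to the Sources index, whose hash is fixed by the signed InRelease.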

Vyacheslav (slavanap) wrote :

Arnold, do you mean that source packages are cross-signed with the official Ubuntu key that is already in `apt-key list` after Ubuntu installation? I understand that if the 'Hash sum' check fails I get this kind of error message, but what about, for instance, my Internet provider spoofing the ubuntu.com domain and writing the correct hash sum for the modified contents into the .dsc file?

Thanks

Seth Arnold (seth-arnold) wrote :

Vyacheslav, if the .dsc file is modified in transit or by a malicious server, apt-get download will discard it.

Don't forget, we publish a gigantic list of 'spoofed' ubuntu.com domains and encourage people to use local ones if they are faster than our network connection :) https://launchpad.net/ubuntu/+archivemirrors

Thanks

Marc Deslauriers (mdeslaur) wrote :

I am closing this bug report as there is no actionable item.

As mentioned above, source packages are verified using the Ubuntu archive key, not by using the developer's signature.

Changed in apt (Ubuntu):
status: New → Invalid
Julian Andres Klode (juliank) wrote :

We actually fixed this in 1.4~beta3 (zesty, artful):

apt (1.4~beta3) unstable; urgency=medium

  [ David Kalnischkies ]
  * default to --no-check for dpkg-source call (Closes: 724744)

Changed in apt (Ubuntu):
status: Invalid → Fix Released