Ubuntu
npth package

  1. Bug #1536871
  2. Comment #18

Comment 18 for bug 1536871

Revision history for this message
Richard Hughes (richard-hughes) wrote :

Yes, also further to Mario's comment (you do need to restart the daemon) you also need to clear the persistent gpg2 keyring. I perhaps wasn't clear we also using the persistent keyring store -- using commit https://github.com/hughsie/fwupd/commit/e4141f4f234d258424020069dadf8df39848a119 I see (using the defaults):

11:14:53 importing key 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2 [0] Success
11:14:53 Using signature fingerprint 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2

And then, if I replace the LVFS key in fwupd-metadata with another (e.g. RPM-GPG-KEY-rpmfusion-nonfree-fedora-25) and restart the daemon:

11:21:24 Adding public key /etc/pki/fwupd-metadata/RPM-GPG-KEY-rpmfusion-nonfree-fedora-25
11:21:24 importing key DD7525B6184B0512AA8CB1002E59159B96CA6280 [0] Success
11:21:24 Using signature fingerprint 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2

So it is somewhat confusing that we're still using the "removed" LVFS key for verification success. I suppose it's a bug we're using the default persistent store (of root), which I supposed could be fixed using gpgme_ctx_set_engine_info() and setting the homedir to something like /usr/lib/fwupd -- although this might not be expected if you want to just import a key as a root user and then expect it just to work with fwupd.

So, certainly not a CVE, but somewhat non-obvious. I'd be open to changing the keyring to be fwupd-specific (and adding docs) if this would make things more obvious, although I'd have to check with the Red Hat security team again before doing so.

As for changing /tmp/firmware.xml.gz.asc I'm not exactly sure what you mean; there is of course no inotify watch there. We download the files and then open them, sending the file descriptors to the daemon rather than as a filename or data blob. The download check is being done on the large firmware files themselves, using the data from the metadata, so I'm a little confused what you're trying to do. If you want to test corrupting the metadata or signing files the best way to do this would be to edit fu-util.c and modify the data before it gets squirted to the daemon as a pair of file descriptors.