click packages rely upon tls for integrity and authenticity
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Canonical System Image | | High | John McAleely | |
| Click Package Index | | Undecided | Unassigned | |
| Software Center Agent | | Undecided | Ricardo Kirkner | |
| click (Ubuntu) | | High | Michael Vogt | |
| ubuntu-download-manager (Ubuntu) | | Critical | Manuel de la Peña | |
| Vivid | | Undecided | Unassigned | |
| ubuntu-system-settings (Ubuntu) | | Critical | Manuel de la Peña | |
| unity-scope-click (Ubuntu) | | High | Alejandro J. Cura | |
Bug Description
Hello, I just completed a quick review of the click source and the unity-scope-click source and behaviours, and found some opportunities for improvement.
Debian, and Ubuntu, rely upon signed repository files with cryptographic hashes of packages to provide both integrity and authenticity checks for the packages hosted on that repository.
The click framework and the unity-scope-click discovery and installation tool do not use signed repository files, nor do they have signatures of any sort on downloaded packages. The only integrity and authenticity checks are provided by the use of HTTPS. The click verify command will check files within the archive against MD5sums stored inside the archive but the click verify command is not used during package installation. (This is suitable for validating integrity against accidental changes only.)
While it appears that unity-scope-click properly uses HTTPS to download package metadata and packages, HTTPS alone is insufficient for our needs:
- Someone in a position to create new certificates at any of several hundred certificate authorities could create certificates purporting to be our update servers. This actual problem has been discovered in the wild with several certificate authorities issuing wild-card certificates or even certificates with signing authority.
- X.509 is extremely complicated; TLS is extremely complicated. Flaws in both are inevitable.
- HTTPS prevents the use of caching.
- HTTPS only 'works' for data-in-motion; it is useless for data-at-rest integrity and authenticity checks.
I have not yet reviewed the tools that application authors will use to upload their packages to our distribution servers but note in passing that most of these issues are also issues for adding packages to our update servers -- packages in flight within our network can be corrupted for many reasons, packages on disk can be corrupted for many reasons. A signature mechanism can protect against internal network faults, storage faults, and provide assurance months or years later that an uploaded package was uploaded by someone in control of a corresponding private key.
Thanks
Related branches
- PS Jenkins bot (community): Approve (continuous-integration) on 2014-08-12
- Colin Watson: Approve on 2014-08-03
- Diff: 566 lines (+438/-6), 7 files modified:
  click/commands/install.py (+6/-1)
  click/commands/verify.py (+6/-1)
  click/install.py (+52/-1)
  click/tests/test_install.py (+23/-0)
  debian/tests/control (+1/-1)
  tests/integration/test_signatures.py (+346/-0)
  tests/integration/test_verify.py (+4/-2)
- Paweł Stołowski: Approve on 2014-08-19
- dobey (community): Approve on 2014-08-14
- PS Jenkins bot: Approve (continuous-integration) on 2014-08-13
- Alejandro J. Cura (community): Abstain on 2014-08-13
- Diff: 686 lines (+217/-54), 18 files modified:
  libclickscope/click/download-manager.cpp (+11/-10)
  libclickscope/click/download-manager.h (+3/-3)
  libclickscope/click/package.cpp (+5/-0)
  libclickscope/click/package.h (+2/-0)
  libclickscope/click/preview.cpp (+37/-13)
  libclickscope/click/preview.h (+23/-10)
  libclickscope/tests/fake_json.cpp (+1/-0)
  libclickscope/tests/test_download_manager.cpp (+3/-2)
  libclickscope/tests/test_index.cpp (+2/-0)
  libclickscope/tests/test_preview.cpp (+39/-0)
  scope/clickapps/apps-query.h (+0/-1)
  scope/clickapps/apps-scope.cpp (+3/-1)
  scope/clickstore/store-query.h (+0/-1)
  scope/clickstore/store-scope.cpp (+7/-1)
  scope/tests/CMakeLists.txt (+1/-0)
  scope/tests/download_manager_tool/download_manager_tool.cpp (+10/-10)
  scope/tests/download_manager_tool/download_manager_tool.h (+2/-2)
  scope/tests/test_store_scope.cpp (+68/-0)
- PS Jenkins bot: Approve (continuous-integration) on 2014-10-24
- Sebastien Bacher (community): Needs Information on 2014-10-01
- Diff: 243 lines (+82/-8), 8 files modified:
  plugins/system-update/PageComponent.qml (+7/-5)
  plugins/system-update/download_tracker.cpp (+2/-1)
  plugins/system-update/download_tracker.h (+5/-1)
  plugins/system-update/network/network.cpp (+2/-0)
  plugins/system-update/update.cpp (+1/-0)
  plugins/system-update/update.h (+5/-0)
  plugins/system-update/update_manager.cpp (+0/-1)
  tests/autopilot/ubuntu_system_settings/utils/mock_update_click_server.py (+60/-0)
- PS Jenkins bot: Approve (continuous-integration) on 2015-01-23
- Ubuntu Touch System Settings: Pending requested 2015-01-23
- Diff: 229 lines (+79/-6), 7 files modified:
  plugins/system-update/PageComponent.qml (+1/-0)
  plugins/system-update/download_tracker.cpp (+5/-5)
  plugins/system-update/download_tracker.h (+5/-1)
  plugins/system-update/network/network.cpp (+2/-0)
  plugins/system-update/update.cpp (+1/-0)
  plugins/system-update/update.h (+5/-0)
  tests/autopilot/ubuntu_system_settings/utils/mock_update_click_server.py (+60/-0)
- Sebastien Bacher (community): Approve on 2015-02-27
- PS Jenkins bot: Approve (continuous-integration) on 2015-02-26
- Diff: 224 lines (+77/-5), 7 files modified:
  plugins/system-update/PageComponent.qml (+1/-0)
  plugins/system-update/download_tracker.cpp (+3/-4)
  plugins/system-update/download_tracker.h (+5/-1)
  plugins/system-update/network/network.cpp (+2/-0)
  plugins/system-update/update.cpp (+1/-0)
  plugins/system-update/update.h (+5/-0)
  tests/autopilot/ubuntu_system_settings/utils/mock_update_click_server.py (+60/-0)
- Alfonso Sanchez-Beato: Approve on 2015-07-22
- PS Jenkins bot: Approve (continuous-integration) on 2015-07-22
- Ricardo Salveti: Needs Information on 2015-03-17
- Diff: 2471 lines (+762/-264), 63 files modified:
  CMakeLists.txt (+2/-2)
  debian/changelog (+6/-0)
  debian/control (+24/-24)
  debian/libubuntu-download-manager-client1.install (+1/-1)
  debian/libubuntu-download-manager-client1.symbols (+17/-1)
  debian/libubuntu-download-manager-common1.install (+1/-1)
  debian/libubuntu-download-manager-common1.symbols (+1/-1)
  debian/libubuntu-upload-manager-common1.install (+1/-1)
  debian/libubuntu-upload-manager-common1.symbols (+1/-1)
  debian/libudm-common-dev.install (+1/-0)
  debian/libudm-common1.install (+1/-1)
  debian/libudm-common1.symbols (+29/-17)
  debian/libudm-priv-common1.install (+1/-1)
  docs/dbus/com.canonical.applications.download.xml (+5/-0)
  docs/dbus/com.canonical.applications.testing.download_manager.xml (+7/-0)
  src/common/public/CMakeLists.txt (+2/-0)
  src/common/public/ubuntu/transfers/errors/auth_error_struct.cpp (+6/-5)
  src/common/public/ubuntu/transfers/errors/auth_error_struct.h (+9/-12)
  src/common/public/ubuntu/transfers/errors/hash_error_struct.cpp (+96/-0)
  src/common/public/ubuntu/transfers/errors/hash_error_struct.h (+122/-0)
  src/common/public/ubuntu/transfers/errors/http_error_struct.cpp (+2/-2)
  src/common/public/ubuntu/transfers/errors/http_error_struct.h (+3/-5)
  src/common/public/ubuntu/transfers/errors/network_error_struct.cpp (+2/-2)
  src/common/public/ubuntu/transfers/errors/network_error_struct.h (+3/-6)
  src/common/public/ubuntu/transfers/errors/process_error_struct.cpp (+7/-7)
  src/common/public/ubuntu/transfers/errors/process_error_struct.h (+8/-11)
  src/downloads/client/symbols.map (+6/-0)
  src/downloads/client/ubuntu/download_manager/download_impl.cpp (+14/-1)
  src/downloads/client/ubuntu/download_manager/download_impl.h (+3/-4)
  src/downloads/client/ubuntu/download_manager/download_interface.cpp (+1/-1)
  src/downloads/client/ubuntu/download_manager/download_interface.h (+2/-1)
  src/downloads/client/ubuntu/download_manager/error.cpp (+88/-22)
  src/downloads/client/ubuntu/download_manager/error.h (+71/-6)
  src/downloads/client/ubuntu/download_manager/manager_impl.cpp (+3/-1)
  src/downloads/common/ubuntu/download_manager/metatypes.h (+4/-4)
  src/downloads/priv/ubuntu/downloads/download_adaptor.h (+5/-0)
  src/downloads/priv/ubuntu/downloads/file_download.cpp (+2/-1)
  src/downloads/priv/ubuntu/downloads/file_download.h (+2/-1)
  src/downloads/priv/ubuntu/downloads/manager.cpp (+1/-0)
  src/downloads/test-daemon/testing_daemon.cpp (+12/-1)
  src/downloads/test-daemon/testing_daemon.h (+3/-4)
  src/downloads/test-daemon/testing_file_download.cpp (+17/-1)
  src/downloads/test-daemon/testing_file_download.h (+5/-4)
  src/downloads/test-daemon/testing_interface.cpp (+1/-1)
  src/downloads/test-daemon/testing_interface.h (+8/-1)
  src/downloads/test-daemon/testing_manager.cpp (+12/-3)
  src/downloads/test-daemon/testing_manager.h (+3/-4)
  src/downloads/test-daemon/testing_manager_adaptor.cpp (+9/-1)
  src/downloads/test-daemon/testing_manager_adaptor.h (+7/-1)
  src/downloads/test-daemon/ubuntu-download-manager-test-daemon.pro.THIS (+0/-44)
  tests/common/daemon_testcase.cpp (+26/-3)
  tests/common/daemon_testcase.h (+3/-4)
  tests/common/testing_interface.cpp (+1/-1)
  tests/common/testing_interface.h (+8/-1)
  tests/downloads/client/CMakeLists.txt (+7/-6)
  tests/downloads/client/test_client_download.cpp (+37/-1)
  tests/downloads/client/test_client_download.h (+4/-4)
  tests/downloads/client/test_client_manager.cpp (+1/-1)
  tests/downloads/client/test_group_manager_watch.h (+3/-5)
  tests/downloads/daemon/CMakeLists.txt (+2/-1)
  tests/downloads/daemon/test_download.cpp (+3/-1)
  tests/downloads/daemon/test_final_state.cpp (+0/-4)
  tests/downloads/qml/CMakeLists.txt (+30/-24)
- PS Jenkins bot: Approve (continuous-integration) on 2015-02-26
- Ubuntu Phablet Team: Pending requested 2015-02-26
- Diff: 0 lines
| Changed in click-package-index: | |
| assignee: | nobody → Ricardo Kirkner (ricardokirkner) |
| Changed in unity-scope-click (Ubuntu): | |
| assignee: | nobody → Alejandro J. Cura (alecu) |
| Ricardo Kirkner (ricardokirkner) wrote : | #1 |
| affects: | click-package-index → software-center-agent |
| Marc Deslauriers (mdeslaur) wrote : | #2 |
I plan on creating a wiki page with the whole thing detailed out later this week.
| Ricardo Kirkner (ricardokirkner) wrote : Re: [Bug 1330770] Re: click packages rely upon tls for integrity and authenticity | #3 |
Ack. Thanks
On Mon, Jun 23, 2014 at 12:13 PM, Marc Deslauriers <email address hidden> wrote:
> I plan on creating a wiki page with the whole thing detailed out later
> this week.
| Colin Watson (cjwatson) wrote : | #4 |
| Ricardo Kirkner (ricardokirkner) wrote : | #5 |
A few more questions to consider:
1. do we also want to generate (and expose) signatures for source uploads, or just the binary files?
2. since we're exposing the computed signature for verification purposes, we need to document how to recompute the signature on the device itself, correct?
| Marc Deslauriers (mdeslaur) wrote : | #6 |
Here's the basic outline of how I think we should do this:
https:/
Once everyone agrees to the approach, I can add details if needed.
| Alejandro J. Cura (alecu) wrote : | #7 |
On Fri, Jun 27, 2014 at 9:30 AM, Marc Deslauriers <email address hidden> wrote:
> Here's the basic outline of how I think we should do this:
>
> https:/
Hi Marc, thanks for working on this.
I agree with the general approach.
I've made a few edits[1] to those steps because the download manager queues all downloads and the click scope may be dead at the time downloads are completed. But when starting a download, you can pass a command line to download manager and it gets run when the download is completed. So the click scope installs a small script called "install-helper" that calls packagekit and refreshes the dash with the new icons when the installation succeeds.
So, to include signatures, it should be the click scope that skips the queue, downloads the detached signature and verifies its sha-512. And it should pass the path of the signature as a parameter of the command line for install-helper that gets passed to download manager, and install-helper should use it to call packagekit.
[1] My edits are here:
https:/
cheers,
--
alecu
| Alejandro J. Cura (alecu) wrote : | #8 |
The code doing app updates in system settings will also need to do the same steps as the click scope:
- download the signatures
- do the sha-512 verification
- and pass them to packagekit.
| tags: | added: updates |
| Changed in click (Ubuntu): | |
| status: | New → In Progress |
| importance: | Undecided → High |
| Changed in ubuntu-system-settings (Ubuntu): | |
| assignee: | nobody → Diego Sarmentero (diegosarmentero) |
| importance: | Undecided → High |
| status: | New → Triaged |
| tags: | added: rtm14 |
| Changed in unity-scope-click (Ubuntu): | |
| importance: | Undecided → High |
| Changed in click-package-index: | |
| assignee: | nobody → James Tait (jamestait) |
| Alejandro J. Cura (alecu) wrote : | #9 |
A correction to comment #8, after the latest changes in the spec:
The code doing app updates in system settings will also need to do the same steps as the click scope:
- fetch the sha-512 hash from the package details webservice
- pass it to download manager so it can verify the download of the package with the store signature appended.
There's no longer a need for the updater nor the click scope to download signatures nor to pass them to packagekit.
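The flow settled on in comments #7 through #9 (take the sha-512 from the package details webservice, verify the downloaded file before it reaches the installer, fail closed) together with the data-at-rest check the bug description asks for, as an added example in Python. This is not code from click, unity-scope-click, ubuntu-download-manager or ubuntu-system-settings; the `download_sha512` JSON field, the function names and the sample package bytes are assumptions constructed for the example. It also covers the two failure modes a verifier must not paper over: a digest mismatch (the error case comment #19 found unhandled) and a details document that carries no digest at all.

```python
"""Verify a downloaded click package against the sha512 published by the
package details webservice, failing closed on mismatch or missing digest.

Added example; not code from any of the projects on this bug. The JSON
field name ``download_sha512`` and all function names are assumptions.
"""
import hashlib
import hmac
import json
import os
import tempfile


class HashVerificationError(Exception):
    """Raised when a downloaded file cannot be matched to a published digest."""


def expected_sha512(details_json: str) -> str:
    """Extract the sha512 the store publishes for a package.

    Fails closed: a details document without a usable digest must not lead
    to an unverified install, so this raises instead of returning None.
    """
    details = json.loads(details_json)
    digest = details.get("download_sha512")  # field name is an assumption
    if not isinstance(digest, str) or len(digest) != 128:
        raise HashVerificationError("details webservice did not publish a usable sha512")
    return digest.lower()


def sha512_of_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream the file through sha512 so large packages need not fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, expected: str) -> bool:
    """Compare the on-disk file (store signature appended and all) with the
    published digest. This is a data-at-rest check: it can be rerun on a
    cached copy long after the TLS session that fetched it is gone.
    """
    actual = sha512_of_file(path)
    if not hmac.compare_digest(actual, expected):
        raise HashVerificationError(
            f"sha512 mismatch for {path}: expected {expected[:16]}..., got {actual[:16]}...")
    return True


def install_if_verified(path: str, details_json: str) -> str:
    """The updater/scope flow from comment #9: digest from the details
    webservice, verify the download, only then hand the file to the
    installer. Returns a status the caller must surface rather than
    silently proceeding (the unhandled error signal from comment #19).
    """
    try:
        expected = expected_sha512(details_json)
        verify_download(path, expected)
    except HashVerificationError as exc:
        return f"rejected: {exc}"  # do not call packagekit
    return "verified"  # caller would now invoke the installer


# Constructed sample data: a fake package body and a matching details document.
SAMPLE_PACKAGE = b"!<arch>\n" + b"constructed fake click package body\n" * 8
SAMPLE_DETAILS = json.dumps({
    "name": "com.example.app",  # constructed
    "download_sha512": hashlib.sha512(SAMPLE_PACKAGE).hexdigest(),
})


def demo() -> tuple:
    """Write the sample package to a temp file and verify it; then corrupt
    one byte, and finally drop the digest, confirming both are rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.click")
        with open(path, "wb") as f:
            f.write(SAMPLE_PACKAGE)
        good = install_if_verified(path, SAMPLE_DETAILS)
        with open(path, "wb") as f:
            f.write(SAMPLE_PACKAGE[:-1] + b"X")  # single-byte corruption
        bad = install_if_verified(path, SAMPLE_DETAILS)
        missing = install_if_verified(path, json.dumps({"name": "com.example.app"}))
    return good, bad, missing


if __name__ == "__main__":
    print(demo())
```

The constant-time comparison is not strictly needed for a public digest, but it costs nothing and keeps the pattern uniform with checks that do compare secrets; the important design choice is that a missing digest is treated exactly like a wrong one.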
| Changed in click-package-index: | |
| status: | New → Fix Committed |
| Changed in click-package-index: | |
| assignee: | James Tait (jamestait) → nobody |
| Changed in software-center-agent: | |
| status: | New → In Progress |
| Changed in software-center-agent: | |
| status: | In Progress → Fix Committed |
| Changed in click (Ubuntu): | |
| assignee: | nobody → Michael Vogt (mvo) |
| Changed in unity-scope-click (Ubuntu): | |
| status: | New → In Progress |
| Changed in software-center-agent: | |
| status: | Fix Committed → Fix Released |
| Changed in click-package-index: | |
| status: | Fix Committed → Fix Released |
| PS Jenkins bot (ps-jenkins) wrote : | #10 |
Fix committed into lp:unity-scope-click/devel at revision None, scheduled for release in unity-scope-click, milestone Unknown
| Changed in unity-scope-click: | |
| status: | New → Fix Committed |
| Changed in unity-scope-click (Ubuntu): | |
| status: | In Progress → Fix Committed |
| Launchpad Janitor (janitor) wrote : | #11 |
This bug was fixed in the package unity-scope-click - 0.1.1+14.
---------------
unity-scope-click (0.1.1+
[ Alejandro J. Cura (alecu) ]
* New upstream release.
- Display Ubuntu logo in the header of apps scope. (LP: #1350610)
- Pass the sha512 hash from the details webservice to download manager.
(LP: #1330770)
- Sort departments alphabetically. (LP: #1354044)
- Exclude empty departments from the departments tree in Apps.
(LP: #1350609)
- Provide updated departments to match latest server changes. Bumped
schema to 3.
- New script to enable purchases in the scope during beta. (LP: #1356419)
- Add dependency on libglib2.0-bin and upstart-bin for script above.
- Enable QNetworkDiskCache for http GET requests. (LP: #1351212)
- Query download manager for in-progress downloads. (LP: #1234965)
- Only show extended info for apps from the store. (LP: #1350571)
- Don't expand categories by default in the store. (LP: #1355221)
- Do not use static const strings for translations. (LP: #1354501)
- Change "All departments" to just "All". (LP: #1351536)
- Localize the extra department title in the store. (LP: #1358790)
- Updated translations.
[ Martin Pitt ]
* Mark for using language packs.
[ Ubuntu daily release ]
* New rebuild forced
-- Ubuntu daily release <email address hidden> Thu, 21 Aug 2014 20:40:59 +0000
| Changed in unity-scope-click (Ubuntu): | |
| status: | Fix Committed → Fix Released |
| Launchpad Janitor (janitor) wrote : | #12 |
This bug was fixed in the package click - 0.4.31.2
---------------
click (0.4.31.2) utopic; urgency=medium
[ Michael Vogt ]
* Add "click info" interface to get manifest corresponding to file in
installed package (LP: #1324853).
* Add support for click package gpg signatures (LP: #1330770).
[ Colin Watson ]
* Ugly hack to get coverage reporting working again with gcovr 3.1.
[ Ubuntu daily release ]
* New rebuild forced
-- Ubuntu daily release <email address hidden> Fri, 22 Aug 2014 17:19:06 +0000
| Changed in click (Ubuntu): | |
| status: | In Progress → Fix Released |
| Jamie Strandboge (jdstrand) wrote : | #13 |
I see an ubuntu-
| Changed in ubuntu-system-settings (Ubuntu): | |
| status: | Triaged → Incomplete |
| Alejandro J. Cura (alecu) wrote : | #14 |
The main task in ubuntu-
| Changed in ubuntu-system-settings (Ubuntu): | |
| status: | Incomplete → Triaged |
| Alejandro J. Cura (alecu) wrote : | #15 |
I've set this to Critical, because it will affect every user doing updates of any app.
| Changed in ubuntu-system-settings (Ubuntu): | |
| importance: | High → Critical |
| tags: | added: touch-2014-10-09 |
| Changed in ubuntu-system-settings (Ubuntu): | |
| status: | Triaged → In Progress |
| tags: | added: touch-2014-10-16 removed: touch-2014-10-09 |
| tags: | added: touch-2014-10-23 removed: touch-2014-10-16 |
| tags: | added: ota-1 removed: touch-2014-10-23 |
| no longer affects: | unity-scope-click |
| Changed in ubuntu-system-settings (Ubuntu): | |
| assignee: | Diego Sarmentero (diegosarmentero) → Sebastien Bacher (seb128) |
| Changed in ubuntu-system-settings (Ubuntu): | |
| assignee: | Sebastien Bacher (seb128) → nobody |
| Changed in ubuntu-system-settings (Ubuntu): | |
| assignee: | nobody → Ken VanDine (ken-vandine) |
| Changed in canonical-devices-system-image: | |
| assignee: | nobody → Canonical Devices Products (canonical-devices-products-team) |
| importance: | Undecided → High |
| milestone: | none → r1 |
| status: | New → Confirmed |
| Changed in ubuntu-system-settings (Ubuntu): | |
| status: | In Progress → New |
| status: | New → Confirmed |
| assignee: | Ken VanDine (ken-vandine) → peterstan (stasnel) |
| Pat McGowan (pat-mcgowan) wrote : | #16 |
seb were you handling this one?
| Changed in canonical-devices-system-image: | |
| milestone: | ww51-2014 → ww05-2015 |
| Changed in ubuntu-system-settings (Ubuntu): | |
| assignee: | peterstan (stasnel) → Sebastien Bacher (seb128) |
| Changed in ubuntu-system-settings (Ubuntu): | |
| assignee: | Sebastien Bacher (seb128) → Manuel de la Peña (mandel) |
| Michael Vogt (mvo) wrote : | #17 |
I just noticed the open task for ubuntu-
| Changed in ubuntu-system-settings (Ubuntu RTM): | |
| status: | New → Confirmed |
| importance: | Undecided → Critical |
| assignee: | nobody → Manuel de la Peña (mandel) |
| Launchpad Janitor (janitor) wrote : | #18 |
This bug was fixed in the package ubuntu-
---------------
ubuntu-
[ Manuel de la Peña ]
* Add support for checksum validation. (LP: #1330770)
[ Diego Sarmentero ]
* Add support for checksum validation. (LP: #1330770)
-- Ubuntu daily release <email address hidden> Fri, 23 Jan 2015 16:53:49 +0000
| Changed in ubuntu-system-settings (Ubuntu): | |
| status: | Confirmed → Fix Released |
| Ken VanDine (ken-vandine) wrote : | #19 |
The fix that landed in trunk isn't quite complete, it does verify the hash properly but doesn't handle the error signal. I'm suspecting it isn't getting the error signal from ubuntu-
| Changed in ubuntu-system-settings (Ubuntu): | |
| status: | Fix Released → In Progress |
| Ken VanDine (ken-vandine) wrote : | #20 |
I added some debug output to download_
| Alejandro J. Cura (alecu) wrote : | #21 |
Weird, I remember getting errors from download manager when testing the click scope with packages in staging with broken hashes.
Perhaps something changed in download manager since we landed this in the scope (mid august)?
Btw, is there any package in the staging store with broken hash? We can try installing it with the click scope.
| Ken VanDine (ken-vandine) wrote : | #22 |
I'm using a python script to run a fake server, you can see the instructions in our test plan under "CHECK HASH"
https:/
| Changed in canonical-devices-system-image: | |
| status: | Confirmed → In Progress |
| milestone: | ww05-2015 → ww07-2015 |
| Changed in canonical-devices-system-image: | |
| assignee: | Canonical Devices Products (canonical-devices-products-team) → Bill Filler (bfiller) |
| milestone: | ww07-2015 → ww09-2015 |
| Changed in ubuntu-download-manager (Ubuntu RTM): | |
| importance: | Undecided → Critical |
| Changed in ubuntu-download-manager (Ubuntu): | |
| importance: | Undecided → Critical |
| Changed in ubuntu-download-manager (Ubuntu RTM): | |
| status: | New → Confirmed |
| Changed in ubuntu-download-manager (Ubuntu): | |
| status: | New → Confirmed |
| assignee: | nobody → Manuel de la Peña (mandel) |
| Changed in ubuntu-download-manager (Ubuntu RTM): | |
| assignee: | nobody → Manuel de la Peña (mandel) |
| Changed in canonical-devices-system-image: | |
| milestone: | ww09-2015 → ww11-2015 |
| Changed in canonical-devices-system-image: | |
| milestone: | ww11-2015 → ww13-2015 |
| no longer affects: | ubuntu-download-manager (Ubuntu RTM) |
| no longer affects: | ubuntu-system-settings (Ubuntu RTM) |
| Changed in canonical-devices-system-image: | |
| assignee: | Bill Filler (bfiller) → Ricardo Salveti (rsalveti) |
| milestone: | ww13-2015 → ww17-2015 |
| Changed in canonical-devices-system-image: | |
| assignee: | Ricardo Salveti (rsalveti) → Canonical Phone Foundations (canonical-phonedations-team) |
| Changed in canonical-devices-system-image: | |
| milestone: | ww17-2015 → ww21-2015 |
| Changed in canonical-devices-system-image: | |
| assignee: | Canonical Phone Foundations (canonical-phonedations-team) → John McAleely (john.mcaleely) |
| milestone: | ww21-2015 → ww26-2015 |
| Pat McGowan (pat-mcgowan) wrote : | #23 |
this seems stalled
| Changed in canonical-devices-system-image: | |
| milestone: | ww26-2015 → ww34-2015 |
| Changed in canonical-devices-system-image: | |
| status: | In Progress → Fix Committed |
| Changed in canonical-devices-system-image: | |
| status: | Fix Committed → Fix Released |
| Changed in ubuntu-system-settings (Ubuntu): | |
| status: | In Progress → Fix Released |
Have we already defined what specific signature mechanism we want/need to implement server side? As far as I understand this we'll need the following:
1. Upon upload of the click package, we compute a signature for it (what type of signature?)
2. We expose the computed signature somewhere public so that the click installer can compare it with its own computation before installing the package.
Please add any particular specifics we should consider when implementing this.