click packages rely upon tls for integrity and authenticity

Bug #1330770 reported by Seth Arnold
Affects                            Status        Importance  Assigned to        Milestone
Canonical System Image             Fix Released  High        John McAleely
Software Center Agent              Fix Released  Undecided   Ricardo Kirkner
click (Ubuntu)                     Fix Released  High        Michael Vogt
ubuntu-download-manager (Ubuntu)   Fix Released  Critical    Manuel de la Peña
  Vivid                            Won't Fix     Undecided   Unassigned
ubuntu-system-settings (Ubuntu)    Fix Released  Critical    Manuel de la Peña
unity-scope-click (Ubuntu)         Fix Released  High        Alejandro J. Cura

Bug Description

Hello, I just completed a quick review of the click source and the unity-scope-click source and behaviours, and found some opportunities for improvement.

Debian, and Ubuntu, rely upon signed repository files with cryptographic hashes of packages to provide both integrity and authenticity checks for the packages hosted on that repository.

The click framework and the unity-scope-click discovery and installation tool do not use signed repository files, nor do they have signatures of any sort on downloaded packages. The only integrity and authenticity checks are provided by the use of HTTPS. The click verify command will check files within the archive against MD5sums stored inside the archive but the click verify command is not used during package installation. (This is suitable for validating integrity against accidental changes only.)

While it appears that unity-scope-click properly uses HTTPS to download package metadata and packages, HTTPS alone is insufficient for our needs:

- Someone in a position to create new certificates at any of several hundred certificate authorities could create certificates purporting to be our update servers. This actual problem has been discovered in the wild with several certificate authorities issuing wild-card certificates or even certificates with signing authority.

- X.509 is extremely complicated; TLS is extremely complicated. Flaws in both are inevitable.

- HTTPS prevents the use of caching.

- HTTPS only 'works' for data-in-motion; it is useless for data-at-rest integrity and authenticity checks.

I have not yet reviewed the tools that application authors will use to upload their packages to our distribution servers but note in passing that most of these issues are also issues for adding packages to our update servers -- packages in flight within our network can be corrupted for many reasons, packages on disk can be corrupted for many reasons. A signature mechanism can protect against internal network faults, storage faults, and provide assurance months or years later that an uploaded package was uploaded by someone in control of a corresponding private key.

Thanks

Martin Albisetti (beuno)
Changed in click-package-index:
assignee: nobody → Ricardo Kirkner (ricardokirkner)
Changed in unity-scope-click (Ubuntu):
assignee: nobody → Alejandro J. Cura (alecu)
Ricardo Kirkner (ricardokirkner) wrote :

Have we already defined what specific signature mechanism we want/need to implement server side? As far as I understand this, we'll need the following:

1. Upon upload of the click package, we compute a signature for it (what type of signature?)
2. We expose the computed signature somewhere public so that the click installer can compare it with its own computation before installing the package.

Please add any particular specifics we should consider when implementing this.

affects: click-package-index → software-center-agent
Marc Deslauriers (mdeslaur) wrote :

I plan on creating a wiki page with the whole thing detailed out later this week.

Ricardo Kirkner (ricardokirkner) wrote : Re: [Bug 1330770] Re: click packages rely upon tls for integrity and authenticity

Ack. Thanks

On Mon, Jun 23, 2014 at 12:13 PM, Marc Deslauriers <email address hidden> wrote:

> I plan on creating a wiki page with the whole thing detailed out later
> this week.
>

Colin Watson (cjwatson) wrote :

Ricardo Kirkner (ricardokirkner) wrote :

A few more questions to consider:

1. do we also want to generate (and expose) signatures for source uploads, or just the binary files?
2. since we're exposing the computed signature for verification purposes, we need to document how to recompute the signature on the device itself, correct?

Marc Deslauriers (mdeslaur) wrote :

Here's the basic outline of how I think we should do this:

https://wiki.ubuntu.com/SecurityTeam/Specifications/ClickPackageSigning

Once everyone agrees to the approach, I can add details if needed.

Alejandro J. Cura (alecu) wrote :

On Fri, Jun 27, 2014 at 9:30 AM, Marc Deslauriers <email address hidden> wrote:
> Here's the basic outline of how I think we should do this:
>
> https://wiki.ubuntu.com/SecurityTeam/Specifications/ClickPackageSigning

Hi Marc, thanks for working on this.

I agree with the general approach.

I've made a few edits[1] to those steps because the download manager queues all downloads and the click scope may be dead at the time downloads are completed. But when starting a download, you can pass a command line to download manager and it gets run when the download is completed. So the click scope installs a small script called "install-helper" that calls packagekit and refreshes the dash with the new icons when the installation succeeds.

So, to include signatures, it should be the click scope the one skipping the queue and downloading the detached signature and verifying its sha-512. And it should pass the path of the signature as a parameter of the command line for install helper that gets passed to download manager, and install helper should use it to call packagekit.

[1] My edits are here:
https://wiki.ubuntu.com/SecurityTeam/Specifications/ClickPackageSigning?action=diff&rev1=2&rev2=3

cheers,
--
alecu

Alejandro J. Cura (alecu) wrote :

The code doing app updates in system settings will also need to do the same steps as the click scope:
- download the signatures
- do the sha-512 verification
- and pass them to packagekit.

tags: added: updates
Michael Vogt (mvo)
Changed in click (Ubuntu):
status: New → In Progress
importance: Undecided → High
Changed in ubuntu-system-settings (Ubuntu):
assignee: nobody → Diego Sarmentero (diegosarmentero)
importance: Undecided → High
status: New → Triaged
tags: added: rtm14
dobey (dobey)
Changed in unity-scope-click (Ubuntu):
importance: Undecided → High
Changed in click-package-index:
assignee: nobody → James Tait (jamestait)
Alejandro J. Cura (alecu) wrote :

A correction to comment #8, after the latest changes in the spec:

The code doing app updates in system settings will also need to do the same steps as the click scope:
- fetch the sha-512 hash from the package details webservice
- pass it to download manager so it can verify the download of the package with the store signature appended.

There's no longer a need for the updater nor the click scope to download signatures nor to pass them to packagekit.

Changed in click-package-index:
status: New → Fix Committed
James Tait (jamestait)
Changed in click-package-index:
assignee: James Tait (jamestait) → nobody
Changed in software-center-agent:
status: New → In Progress
Changed in software-center-agent:
status: In Progress → Fix Committed
Colin Watson (cjwatson)
Changed in click (Ubuntu):
assignee: nobody → Michael Vogt (mvo)
Changed in unity-scope-click (Ubuntu):
status: New → In Progress
Changed in software-center-agent:
status: Fix Committed → Fix Released
Changed in click-package-index:
status: Fix Committed → Fix Released
PS Jenkins bot (ps-jenkins) wrote :

Fix committed into lp:unity-scope-click/devel at revision None, scheduled for release in unity-scope-click, milestone Unknown

Changed in unity-scope-click:
status: New → Fix Committed
Changed in unity-scope-click (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity-scope-click - 0.1.1+14.10.20140821.1-0ubuntu1

---------------
unity-scope-click (0.1.1+14.10.20140821.1-0ubuntu1) utopic; urgency=medium

  [ Alejandro J. Cura (alecu) ]
  * New upstream release.
    - Display Ubuntu logo in the header of apps scope. (LP: #1350610)
    - Pass the sha512 hash from the details webservice to download manager.
      (LP: #1330770)
    - Sort departments alphabetically. (LP: #1354044)
    - Exclude empty departments from the departments tree in Apps.
      (LP: #1350609)
    - Provide updated departments to match latest server changes. Bumped
      schema to 3.
    - New script to enable purchases in the scope during beta. (LP: #1356419)
    - Add dependency on libglib2.0-bin and upstart-bin for script above.
    - Enable QNetworkDiskCache for http GET requests. (LP: #1351212)
    - Query download manager for in-progress downloads. (LP: #1234965)
    - Only show extended info for apps from the store. (LP: #1350571)
    - Don't expand categories by default in the store. (LP: #1355221)
    - Do not use static const strings for translations. (LP: #1354501)
    - Change "All departments" to just "All". (LP: #1351536)
    - Localize the extra department title in the store. (LP: #1358790)
    - Updated translations.

  [ Martin Pitt ]
  * Mark for using language packs.

  [ Ubuntu daily release ]
  * New rebuild forced
 -- Ubuntu daily release <email address hidden> Thu, 21 Aug 2014 20:40:59 +0000

Changed in unity-scope-click (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package click - 0.4.31.2

---------------
click (0.4.31.2) utopic; urgency=medium

  [ Michael Vogt ]
  * Add "click info" interface to get manifest corresponding to file in
    installed package (LP: #1324853).
  * Add support for click package gpg signatures (LP: #1330770).

  [ Colin Watson ]
  * Ugly hack to get coverage reporting working again with gcovr 3.1.

  [ Ubuntu daily release ]
  * New rebuild forced
 -- Ubuntu daily release <email address hidden> Fri, 22 Aug 2014 17:19:06 +0000

Changed in click (Ubuntu):
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :

I see an ubuntu-system-settings task and was wondering what it is for? The spec (https://wiki.ubuntu.com/SecurityTeam/Specifications/ClickPackageSigning) says: "Configuring the system to allow installing unsigned packages should not be exposed via the UI and only available via the command line/adb". Should this task be removed?

Changed in ubuntu-system-settings (Ubuntu):
status: Triaged → Incomplete
Alejandro J. Cura (alecu) wrote :

The main task in ubuntu-system-settings for this bug is about app updates: the code doing the updates fetches the url for the click package from a webservice, and passes that url to ubuntu-download-manager. What's missing is fetching also the sha512 hash from the same webservice call, and passing it to ubuntu-download-manager to do the verification after download.

Changed in ubuntu-system-settings (Ubuntu):
status: Incomplete → Triaged
Alejandro J. Cura (alecu) wrote :

I've set this to Critical, because it will affect every user doing updates of any app.

Changed in ubuntu-system-settings (Ubuntu):
importance: High → Critical
tags: added: touch-2014-10-09
Changed in ubuntu-system-settings (Ubuntu):
status: Triaged → In Progress
tags: added: touch-2014-10-16
removed: touch-2014-10-09
Olli Ries (ories)
tags: added: touch-2014-10-23
removed: touch-2014-10-16
tags: added: ota-1
removed: touch-2014-10-23
dobey (dobey)
no longer affects: unity-scope-click
Thomas Strehl (strehl-t)
Changed in ubuntu-system-settings (Ubuntu):
assignee: Diego Sarmentero (diegosarmentero) → Sebastien Bacher (seb128)
Changed in ubuntu-system-settings (Ubuntu):
assignee: Sebastien Bacher (seb128) → nobody
Changed in ubuntu-system-settings (Ubuntu):
assignee: nobody → Ken VanDine (ken-vandine)
Olli Ries (ories)
Changed in canonical-devices-system-image:
assignee: nobody → Canonical Devices Products (canonical-devices-products-team)
importance: Undecided → High
milestone: none → r1
status: New → Confirmed
peterstan (stasnel)
Changed in ubuntu-system-settings (Ubuntu):
status: In Progress → New
status: New → Confirmed
assignee: Ken VanDine (ken-vandine) → peterstan (stasnel)
Pat McGowan (pat-mcgowan) wrote :

seb were you handling this one?

Changed in canonical-devices-system-image:
milestone: ww51-2014 → ww05-2015
Changed in ubuntu-system-settings (Ubuntu):
assignee: peterstan (stasnel) → Sebastien Bacher (seb128)
Changed in ubuntu-system-settings (Ubuntu):
assignee: Sebastien Bacher (seb128) → Manuel de la Peña (mandel)
Michael Vogt (mvo) wrote :

I just noticed the open task for ubuntu-system-settings about doing an additional hashsum check for the download. Fwiw, click is already doing a gpg verification before the install so corrupted/MITMed clicks will not get installed there. Having the hash check may still be a good idea for e.g. better error reporting.

Changed in ubuntu-system-settings (Ubuntu RTM):
status: New → Confirmed
importance: Undecided → Critical
assignee: nobody → Manuel de la Peña (mandel)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-system-settings - 0.3+15.04.20150123-0ubuntu1

---------------
ubuntu-system-settings (0.3+15.04.20150123-0ubuntu1) vivid; urgency=low

  [ Manuel de la Peña ]
  * Add support for checksum validation. (LP: #1330770)

  [ Diego Sarmentero ]
  * Add support for checksum validation. (LP: #1330770)
 -- Ubuntu daily release <email address hidden> Fri, 23 Jan 2015 16:53:49 +0000

Changed in ubuntu-system-settings (Ubuntu):
status: Confirmed → Fix Released
Ken VanDine (ken-vandine) wrote :

The fix that landed in trunk isn't quite complete: it does verify the hash properly but doesn't handle the error signal. I'm suspecting it isn't getting the error signal from ubuntu-download-manager.

Changed in ubuntu-system-settings (Ubuntu):
status: Fix Released → In Progress
Ken VanDine (ken-vandine) wrote :

I added some debug output to download_tracker.cpp, registerError is never getting called, which is the function connected to Download::error. I don't think ubuntu-download-manager is emitting the error when the hash check fails.
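The post-download check that the thread converges on (the sha512 published by the details webservice, verified by the download manager over the package with the store signature appended, with an error signal that the updater must receive on mismatch), written out as an added illustration; this is not ubuntu-download-manager or ubuntu-system-settings code, and the callback names, the sample package bytes and the temp-file simulation are constructed for the example.

```python
"""Hash-verified download completion, modelled on the flow in this bug: the
details webservice publishes the sha512 of the click package (store signature
appended); the download manager checks it after the transfer and must signal
an error on mismatch. Constructed illustration, not ubuntu-download-manager code."""
import hashlib
import hmac
import os
import tempfile

# Constructed sample "package": archive bytes with a store signature appended,
# plus the hash the details webservice would publish for exactly these bytes.
GOOD_PACKAGE = b"click-archive-bytes\x00" + b"store-signature-bytes"
GOOD_SHA512 = hashlib.sha512(GOOD_PACKAGE).hexdigest()


def sha512_file(path, chunk_size=1 << 20):
    """Stream the file so large packages are not read into memory at once."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def finish_download(path, expected_sha512, on_finished, on_error):
    """Run once the transfer completes. Exactly one callback fires, standing in
    for the finished / error signals the tracker connects to (hypothetical
    names for this example, not the real download-manager API)."""
    expected = expected_sha512.strip().lower()
    if len(expected) != 128 or any(c not in "0123456789abcdef" for c in expected):
        os.unlink(path)
        on_error("malformed sha512 from details webservice")
        return False
    actual = sha512_file(path)
    # The expected value also arrived over the network; compare in constant time.
    if not hmac.compare_digest(actual, expected):
        os.unlink(path)  # never leave an unverified package where install can find it
        on_error("sha512 mismatch: expected %s... got %s..." % (expected[:16], actual[:16]))
        return False
    on_finished(path)
    return True


def simulate(payload, expected_sha512):
    """Write a payload to a temp file, run the check and report
    (ok, events, file_kept); the temp file is cleaned up afterwards."""
    events = []
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(payload)
        path = f.name
    ok = finish_download(path, expected_sha512,
                         on_finished=lambda p: events.append(("finished", p)),
                         on_error=lambda msg: events.append(("error", msg)))
    file_kept = os.path.exists(path)
    if file_kept:
        os.unlink(path)
    return ok, events, file_kept
```

The tampered case is the one Ken describes: the hash check fails, and the only way the updater learns that is the error callback, so the check is useless unless that signal is actually delivered.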

Alejandro J. Cura (alecu) wrote :

Weird, I remember getting errors from download manager when testing the click scope with packages in staging with broken hashes.
Perhaps something changed in download manager since we landed this in the scope (mid august)?

Btw, is there any package in the staging store with broken hash? We can try installing it with the click scope.

Ken VanDine (ken-vandine) wrote :

I'm using a python script to run a fake server; you can see the instructions in our test plan under "CHECK HASH":

https://wiki.ubuntu.com/Process/Merges/TestPlan/ubuntu-system-settings

Changed in canonical-devices-system-image:
status: Confirmed → In Progress
milestone: ww05-2015 → ww07-2015
Changed in canonical-devices-system-image:
assignee: Canonical Devices Products (canonical-devices-products-team) → Bill Filler (bfiller)
milestone: ww07-2015 → ww09-2015
Changed in ubuntu-download-manager (Ubuntu RTM):
importance: Undecided → Critical
Changed in ubuntu-download-manager (Ubuntu):
importance: Undecided → Critical
Changed in ubuntu-download-manager (Ubuntu RTM):
status: New → Confirmed
Changed in ubuntu-download-manager (Ubuntu):
status: New → Confirmed
assignee: nobody → Manuel de la Peña (mandel)
Changed in ubuntu-download-manager (Ubuntu RTM):
assignee: nobody → Manuel de la Peña (mandel)
Changed in canonical-devices-system-image:
milestone: ww09-2015 → ww11-2015
Changed in canonical-devices-system-image:
milestone: ww11-2015 → ww13-2015
no longer affects: ubuntu-download-manager (Ubuntu RTM)
no longer affects: ubuntu-system-settings (Ubuntu RTM)
Bill Filler (bfiller)
Changed in canonical-devices-system-image:
assignee: Bill Filler (bfiller) → Ricardo Salveti (rsalveti)
milestone: ww13-2015 → ww17-2015
Changed in canonical-devices-system-image:
assignee: Ricardo Salveti (rsalveti) → Canonical Phone Foundations (canonical-phonedations-team)
Changed in canonical-devices-system-image:
milestone: ww17-2015 → ww21-2015
Changed in canonical-devices-system-image:
assignee: Canonical Phone Foundations (canonical-phonedations-team) → John McAleely (john.mcaleely)
milestone: ww21-2015 → ww26-2015
Pat McGowan (pat-mcgowan) wrote :

this seems stalled

Changed in canonical-devices-system-image:
milestone: ww26-2015 → ww34-2015
Changed in canonical-devices-system-image:
status: In Progress → Fix Committed
Changed in canonical-devices-system-image:
status: Fix Committed → Fix Released
Changed in ubuntu-system-settings (Ubuntu):
status: In Progress → Fix Released
summary: - click packages rely upon tls for integrity and authenticity
+ Indications of Anxiety Disorder and Depression
description: updated
Colin Watson (cjwatson)
summary: - Indications of Anxiety Disorder and Depression
+ click packages rely upon tls for integrity and authenticity
description: updated
Luís Infante da Câmara (luis220413) wrote :

Fixed in https://gitlab.com/ubports/development/core/lomiri-download-manager/-/commit/df3665685da5cfb559a06016d4e0339c29b903e1 (2015), which first appeared in version 0.9+15.10.20150723.2-0ubuntu1.

Changed in ubuntu-download-manager (Ubuntu):
status: Confirmed → Fix Released
Changed in ubuntu-download-manager (Ubuntu Vivid):
status: New → Won't Fix
This report contains Public Security information. Everyone can see this security related information.