opkg and gpg signed ipk packages

opkg and gpg signed ipk packages

[Sona Sarmadi]

Hi,

Does opkg have support for gpg signed ipk packages? It seems like that opkg does not recognize gpg signed files. 

root@p2020rdb:~# opkg list-upgradable
curl - 7.35.0-r2.0 - 7.35.0-r3.0
curl-dbg - 7.35.0-r2.0 - 7.35.0-r3.0
libcurl5 - 7.35.0-r2.0 - 7.35.0-r3.0
root@p2020rdb:~# opkg upgrade curl
Upgrading curl on root from 7.35.0-r2.0 to 7.35.0-r3.0...
Downloading http://domain.com/tmp/ipk/ppce500v2/curl_7.35.0-r3.0_ppce500v2.ipk.asc.
Collected errors:
 * deb_extract: /tmp/opkg-tslkbd/curl_7.35.0-r3.0_ppce500v2.ipk.asc: invalid magic
 * opkg_install_pkg: Failed to unpack control files from /tmp/opkg-tslkbd/curl_7.35.0-r3.0_ppce500v2.ipk.asc.
root@p2020rdb:~#

I have updated the Package file manually:
Package: curl
Version: 7.35.0-r3.0
Depends: libcurl5 (>= 7.35.0), libz1 (>= 1.2.8), libc6 (>= 2.19)
Section: console/network
Architecture: ppce500v2
Maintainer: ENEA <issues@enea.com>
MD5Sum: 725f019d72b6f70845ae19299230738a
Size: 95616
Filename: curl_7.35.0-r3.0_ppce500v2.ipk.asc
Source: http://curl.haxx.se/download/curl-7.35.0.tar.bz2 file://pkgconfig_fix.patch file://CVE-2014-3613.patch file://configure_ac.patch
Description:  Command line tool and library for client-side URL transfers  Command line
 tool and library for client-side URL transfers.
OE: curl
HomePage: http://curl.haxx.se/
License: MIT
Priority: optional

Thanks
//Sona

Re: opkg and gpg signed ipk packages

[Paul Barker]

[-- Attachment #1: Type: text/plain, Size: 2575 bytes --]

On Thu, May 07, 2015 at 07:11:39PM +0000, Sona Sarmadi wrote:
> Hi,
> 
> Does opkg have support for gpg signed ipk packages? It seems like that opkg does not recognize gpg signed files. 
>

opkg 0.2.x only has support for checking the package feed signature. To use
this, add the line 'option check_signature 1' to your opkg.conf file and place a
Packages.sig file next to the Packages file in your package feed. ASCII-armoured
signatures are not supported.

opkg-0.3.0-rc2 extends this. Signatures for each package are supported, add the
line 'option check_pkg_signature 1' to your opkg.conf file to use this. Then
for a package named package_v1.ipk you'd need to create a package_v1.ipk.sig
file in the same directory. ASCII-armoured signatures are used with the file
extension .asc instead of .sig if the line 'option signature_type gpg-asc' is
added to your opkg.conf file. The 'Filename' in the package feed should always
refer to the ipk file, the signature is detached rather than included with the
file.

I've not used these options in a while so I might have remembered something
wrong, but the general idea is right.

> root@p2020rdb:~# opkg list-upgradable
> curl - 7.35.0-r2.0 - 7.35.0-r3.0
> curl-dbg - 7.35.0-r2.0 - 7.35.0-r3.0
> libcurl5 - 7.35.0-r2.0 - 7.35.0-r3.0
> root@p2020rdb:~# opkg upgrade curl
> Upgrading curl on root from 7.35.0-r2.0 to 7.35.0-r3.0...
> Downloading http://domain.com/tmp/ipk/ppce500v2/curl_7.35.0-r3.0_ppce500v2.ipk.asc.
> Collected errors:
>  * deb_extract: /tmp/opkg-tslkbd/curl_7.35.0-r3.0_ppce500v2.ipk.asc: invalid magic
>  * opkg_install_pkg: Failed to unpack control files from /tmp/opkg-tslkbd/curl_7.35.0-r3.0_ppce500v2.ipk.asc.
> root@p2020rdb:~#
> 
> I have updated the Package file manually:
> Package: curl
> Version: 7.35.0-r3.0
> Depends: libcurl5 (>= 7.35.0), libz1 (>= 1.2.8), libc6 (>= 2.19)
> Section: console/network
> Architecture: ppce500v2
> Maintainer: ENEA <issues@enea.com>
> MD5Sum: 725f019d72b6f70845ae19299230738a
> Size: 95616
> Filename: curl_7.35.0-r3.0_ppce500v2.ipk.asc
> Source: http://curl.haxx.se/download/curl-7.35.0.tar.bz2 file://pkgconfig_fix.patch file://CVE-2014-3613.patch file://configure_ac.patch
> Description:  Command line tool and library for client-side URL transfers  Command line
>  tool and library for client-side URL transfers.
> OE: curl
> HomePage: http://curl.haxx.se/
> License: MIT
> Priority: optional
> 
> Thanks
> //Sona

Thanks,

-- 
Paul Barker

Email: paul@paulbarker.me.uk
http://www.paulbarker.me.uk

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 501 bytes --]

Re: opkg and gpg signed ipk packages

[Sona Sarmadi]

Thanks Paul for your quick feedback .

> opkg 0.2.x only has support for checking the package feed signature. To use
> this, add the line 'option check_signature 1' to your opkg.conf file and place a
> Packages.sig file next to the Packages file in your package feed. ASCII-
> armoured signatures are not supported.

Ok, even if we can't sign the individual .ipk files, by signing the Packages file we can achieve some
Level of authentication, e.g. if someone tampers with the .ipk files they can't change the matching 
checksum in the Packages.sig. The checksumming algorithm used for packages is MD5 now which is
 not really secure. Is it possible to use another algorithm. I guess if we use a better checksum for 
packages, there is no need for Signing each individual .ipk patches, signing package feed (Packages) 
would be enough. Right?

> opkg-0.3.0-rc2 extends this. Signatures for each package are supported, add
> the line 'option check_pkg_signature 1' to your opkg.conf file to use this.
> Then for a package named package_v1.ipk you'd need to create a
> package_v1.ipk.sig file in the same directory. ASCII-armoured signatures are
> used with the file extension .asc instead of .sig if the line 'option
> signature_type gpg-asc' is added to your opkg.conf file. The 'Filename' in the
> package feed should always refer to the ipk file, the signature is detached
> rather than included with the file.
> I've not used these options in a while so I might have remembered
> something wrong, but the general idea is right.
> 

//Sona

Re: opkg and gpg signed ipk packages

[Paul Barker]

[-- Attachment #1: Type: text/plain, Size: 1289 bytes --]

On Fri, May 08, 2015 at 02:26:26PM +0000, Sona Sarmadi wrote:
> Thanks Paul for your quick feedback .
> 
> > opkg 0.2.x only has support for checking the package feed signature. To use
> > this, add the line 'option check_signature 1' to your opkg.conf file and place a
> > Packages.sig file next to the Packages file in your package feed. ASCII-
> > armoured signatures are not supported.
> 
> Ok, even if we can't sign the individual .ipk files, by signing the Packages file we can achieve some
> Level of authentication, e.g. if someone tampers with the .ipk files they can't change the matching 
> checksum in the Packages.sig. The checksumming algorithm used for packages is MD5 now which is
>  not really secure. Is it possible to use another algorithm. I guess if we use a better checksum for 
> packages, there is no need for Signing each individual .ipk patches, signing package feed (Packages) 
> would be enough. Right?
> 

SHA256 is also supported. In OpenEmbedded, use the PACKAGECONFIG 'sha256' then
ensure that your Packages file contains a 'SHA256sum: ...' line for each
package.

Again, these instructions are fairly rough as I haven't used them for a while.

Thanks,

-- 
Paul Barker

Email: paul@paulbarker.me.uk
http://www.paulbarker.me.uk

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 501 bytes --]

Re: opkg and gpg signed ipk packages

[Sona Sarmadi]

Hi 
> SHA256 is also supported. In OpenEmbedded, use the PACKAGECONFIG
> 'sha256' then ensure that your Packages file contains a 'SHA256sum: ...' line
> for each package.

Does anyone know where do I specify this PACKAGECONFIG configuration? I want all ipk packages to be checksummed using sha256 (in the Packages file that describes the ipk  packages). The default seems to be md5:

tmp/deploy/ipk/ppce500v2/Packages
Package: acl-dbg
Version: 2.2.52-r0
Recommends: libc6-dbg, libattr-dbg, libacl-dbg
Section: devel
Architecture: ppce500v2
Maintainer: Poky <poky@yoctoproject.org>
MD5Sum: 0903a158d6c7acc825bf7e71b255d7fc     <<<<<

Thanks
//Sona

Re: opkg and gpg signed ipk packages

[Paul Eggleton]

Hi Sona,

On Wednesday 13 May 2015 20:20:51 Sona Sarmadi wrote:
> > SHA256 is also supported. In OpenEmbedded, use the PACKAGECONFIG
> > 'sha256' then ensure that your Packages file contains a 'SHA256sum: ...'
> > line for each package.
> 
> Does anyone know where do I specify this PACKAGECONFIG configuration? I want
> all ipk packages to be checksummed using sha256 (in the Packages file that
> describes the ipk  packages). The default seems to be md5:
> 
> tmp/deploy/ipk/ppce500v2/Packages
> Package: acl-dbg
> Version: 2.2.52-r0
> Recommends: libc6-dbg, libattr-dbg, libacl-dbg
> Section: devel
> Architecture: ppce500v2
> Maintainer: Poky <poky@yoctoproject.org>
> MD5Sum: 0903a158d6c7acc825bf7e71b255d7fc     <<<<<

I'm guessing you would want something like this in your custom distro config 
(or local.conf if you must):

PACKAGECONFIG_append_pn-opkg = " sha256"
PACKAGECONFIG_append_pn-opkg-native = " sha256"

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre

Re: opkg and gpg signed ipk packages

[Sona Sarmadi]

> I'm guessing you would want something like this in your custom distro config
> (or local.conf if you must):
> 
> PACKAGECONFIG_append_pn-opkg = " sha256"
> PACKAGECONFIG_append_pn-opkg-native = " sha256"

Thanks Paul, it looks like this should be the configuration but I have tried this and didn't help.  

I try to find out some info about "Packages" file, how it is generated, where this checksum is computed, etc ...  

I see in the opkg.py how the content of the "Packages" file is generated but I don't understand how this file is generated.
 
./build-p2020/tmp/sysroots/x86_64-linux/usr/bin/opkg.py

  if self.md5: out = out + "MD5Sum: %s\n" % (self.md5)


//Sona

hashval = bb.utils.md5_file(f)

Re: opkg and gpg signed ipk packages

[Sona Sarmadi]

> > I'm guessing you would want something like this in your custom distro
> > config (or local.conf if you must):
> >
> > PACKAGECONFIG_append_pn-opkg = " sha256"
> > PACKAGECONFIG_append_pn-opkg-native = " sha256"
>

Thanks a lot guys for your help, this is now working :)
There is support for sha256 in opkg but not in the opkg-utils. 
opkg-utils (opkg.py) just uses md5 as default option. I changed 
 
opkg.py:
........
        # compute the MD5.
        if not self.fn:
            self.md5 = 'Unknown'
        else:
            f = open(self.fn, "rb")
            sum = hashlib.md5() 
to
            sum = hashlib.sha256()

and now I get checksum sha256 in the "Packages" file:

SHA256Sum: 6be1fb5b9dab3de5848fd578d515d05adc5c6cd3b0009f8c1b13ab1250cee594

Do you think this patch would be of interest for someone? 

//Sona

Re: opkg and gpg signed ipk packages

[Gary Thomas]

On 2015-05-19 05:47, Sona Sarmadi wrote:
>
>>> I'm guessing you would want something like this in your custom distro
>>> config (or local.conf if you must):
>>>
>>> PACKAGECONFIG_append_pn-opkg = " sha256"
>>> PACKAGECONFIG_append_pn-opkg-native = " sha256"
>>
>
> Thanks a lot guys for your help, this is now working :)
> There is support for sha256 in opkg but not in the opkg-utils.
> opkg-utils (opkg.py) just uses md5 as default option. I changed
>
> opkg.py:
> ........
>          # compute the MD5.
>          if not self.fn:
>              self.md5 = 'Unknown'
>          else:
>              f = open(self.fn, "rb")
>              sum = hashlib.md5()
> to
>              sum = hashlib.sha256()
>
> and now I get checksum sha256 in the "Packages" file:
>
> SHA256Sum: 6be1fb5b9dab3de5848fd578d515d05adc5c6cd3b0009f8c1b13ab1250cee594
>
> Do you think this patch would be of interest for someone?

Yes, including everything you found that needs to be set up to
support these checksums.

-- 
------------------------------------------------------------
Gary Thomas                 |  Consulting for the
MLB Associates              |    Embedded world
------------------------------------------------------------

Re: opkg and gpg signed ipk packages

[Otavio Salvador]

On Tue, May 19, 2015 at 8:47 AM, Sona Sarmadi <sona.sarmadi@enea.com> wrote:
>
>> > I'm guessing you would want something like this in your custom distro
>> > config (or local.conf if you must):
>> >
>> > PACKAGECONFIG_append_pn-opkg = " sha256"
>> > PACKAGECONFIG_append_pn-opkg-native = " sha256"
>>
>
> Thanks a lot guys for your help, this is now working :)
> There is support for sha256 in opkg but not in the opkg-utils.
> opkg-utils (opkg.py) just uses md5 as default option. I changed
>
> opkg.py:
> ........
>         # compute the MD5.
>         if not self.fn:
>             self.md5 = 'Unknown'
>         else:
>             f = open(self.fn, "rb")
>             sum = hashlib.md5()
> to
>             sum = hashlib.sha256()
>
> and now I get checksum sha256 in the "Packages" file:
>
> SHA256Sum: 6be1fb5b9dab3de5848fd578d515d05adc5c6cd3b0009f8c1b13ab1250cee594
>
> Do you think this patch would be of interest for someone?

Yes but it would be good to make it choosable at distro level.


-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750

Re: opkg and gpg signed ipk packages

[Mark Hatle]

On 5/19/15 7:01 AM, Otavio Salvador wrote:
> On Tue, May 19, 2015 at 8:47 AM, Sona Sarmadi <sona.sarmadi@enea.com> wrote:
>>
>>>> I'm guessing you would want something like this in your custom distro
>>>> config (or local.conf if you must):
>>>>
>>>> PACKAGECONFIG_append_pn-opkg = " sha256"
>>>> PACKAGECONFIG_append_pn-opkg-native = " sha256"
>>>
>>
>> Thanks a lot guys for your help, this is now working :)
>> There is support for sha256 in opkg but not in the opkg-utils.
>> opkg-utils (opkg.py) just uses md5 as default option. I changed
>>
>> opkg.py:
>> ........
>>         # compute the MD5.
>>         if not self.fn:
>>             self.md5 = 'Unknown'
>>         else:
>>             f = open(self.fn, "rb")
>>             sum = hashlib.md5()
>> to
>>             sum = hashlib.sha256()
>>
>> and now I get checksum sha256 in the "Packages" file:
>>
>> SHA256Sum: 6be1fb5b9dab3de5848fd578d515d05adc5c6cd3b0009f8c1b13ab1250cee594
>>
>> Do you think this patch would be of interest for someone?
> 
> Yes but it would be good to make it choosable at distro level.

I agree.. and RPM(5) has the ability to switch the default checksum from MD5 to
others as well.  So a global distro setting would make sense.  (I don't know how
the deb package manager is configured.)

Let me know if we come up with a distribution level switch (or if we just want
to make the policy be sha256, as it's definitely better then MD5) and I can help
make the RPM configuration change as well.

--Mark

Re: opkg and gpg signed ipk packages

[Sona Sarmadi]

> >> Do you think this patch would be of interest for someone?
> >
> > Yes but it would be good to make it choosable at distro level.

Opkg has support for 'sha256' but opkg-utils only supports md5. 
We could pass the sha256 option to opkg-utils (like other parameters such as Maintainer), 
and make it configurable. We just need to figure out how to pass this option to opkg-utils.
 
Since MD5 is not very secure, wouldn't it be better to use sha256 as default? 
Or is there any specific reason that someone would want MD5 to be kept as the
default (due to e.g. performance, backwards compatibility .. ?).  
It takes longer time to compute a sha256 checksum compared to md5 but 
sha256 is more secure & reliable. 

Any way it would be good to have this optional (sha256 or md5). 

> I agree.. and RPM(5) has the ability to switch the default checksum from MD5
> to others as well.  So a global distro setting would make sense.  (I don't know
> how the deb package manager is configured.)
> 
> Let me know if we come up with a distribution level switch (or if we just want
> to make the policy be sha256, as it's definitely better then MD5) and I can
> help make the RPM configuration change as well.

I think a configuration at high level would be good to use for all PMS, to choose MD5 or sha256. 

conf/local.conf:
# Package Management configuration
PACKAGE_CLASSES ?= "package_ipk"
Or
PACKAGE_CLASSES ?= "package_rpm"

PACKAGE_CHECKSUM ?= "sha256"   <<< something like this
Or 
PACKAGE_CHECKSUM ?= "md5"

//Sona