From: Dmytro Milinevskyy <milinevskyy@gmail.com>
To: yocto@yoctoproject.org
Subject: Re: RPM bogus signature
Date: Mon, 18 Apr 2016 13:54:21 +0200
Message-ID: <CAOUdcc-x_vbB+g+hsgPL3b_v8RtbLOn85HrcVX8tPV=EcM5hNg@mail.gmail.com>
In-Reply-To: <CAOUdcc_NJQpH4GMO47D_0S3db57L7VizZ5=nxU7U3O6N-MXsCg@mail.gmail.com>


Hi,

I've found the culprit.
RPM5 does package auto-signing. By itself it's not a big deal, but the problem
is that it also considers a package valid if the pubkey is present in
the RPM header.
This is an extremely severe security issue - any "signed" package can be
installed on the target even if the public key is not installed in the
local RPM DB.

I would consider either switching to RPM4 or just disabling this "feature" in
RPM5.
BTW, what's the purpose of using RPM5 in Yocto? The big distros (SuSE, Fedora,
etc.) still successfully use RPM4. This means that it is exhaustively
verified.

Best regards,
Dimitri

On Sat, Apr 16, 2016 at 2:57 PM, Dmytro Milinevskyy <milinevskyy@gmail.com>
wrote:

> Hello,
>
> currently I'm trying to enforce rpm signature verification on the target
> device and get a weird bogus signature on the RPM packages when the signature
> is not enabled in the configuration.
> The main issue is that this signature is considered valid by RPM
> 5.4.14, which is used by Yocto, and thus it is "correctly" installed by the
> "smart" packaging system on the target.
>
> For example, here are 2 packages built w/o signing. Both packages have
> different keys and RPM is not complaining:
> >tmp/sysroots/x86_64-linux/usr/bin/rpm -Kv
> ./tmp/deploy/rpm/all/os-release-1.0-r0.all.rpm
> ./tmp/deploy/rpm/all/tzdata-2016a-r0.all.rpm
> ./tmp/deploy/rpm/all/os-release-1.0-r0.all.rpm:
>     Header V4 DSA signature: OK, key ID bd8f688a
>     Header SHA1 digest: OK (45dfa7cbfe3cfc3a6c4a928e58b100d81f5a367d)
>     MD5 digest: OK (a8450299f5c2d9adecc4bda799b7038d)
> ./tmp/deploy/rpm/all/tzdata-2016a-r0.all.rpm:
>     Header V4 DSA signature: OK, key ID bc6abdd3
>     Header SHA1 digest: OK (e95dc6b40965224ae443460117fe2ada4f855b2d)
>     MD5 digest: OK (1dda4ae1673ab96dd9edbdc423df29ac)
>
> Nevertheless, the host RPM (rpm4 from Ubuntu) correctly identifies that
> the signature is invalid:
> >rpm -Kv ./tmp/deploy/rpm/all/os-release-1.0-r0.all.rpm
> ./tmp/deploy/rpm/all/tzdata-2016a-r0.all.rpm
> ./tmp/deploy/rpm/all/os-release-1.0-r0.all.rpm:
>     Header V4 DSA/SHA1 Signature, key ID bd8f688a: NOKEY
>     Header SHA1 digest: OK (45dfa7cbfe3cfc3a6c4a928e58b100d81f5a367d)
>     MD5 digest: OK (a8450299f5c2d9adecc4bda799b7038d)
> ./tmp/deploy/rpm/all/tzdata-2016a-r0.all.rpm:
>     Header V4 DSA/SHA1 Signature, key ID bc6abdd3: NOKEY
>     Header SHA1 digest: OK (e95dc6b40965224ae443460117fe2ada4f855b2d)
>     MD5 digest: OK (1dda4ae1673ab96dd9edbdc423df29ac)
>
> Following is the output for properly signed packages. You may see that the
> keys are valid (you can also check the pub key on the MIT key server):
> rpm -Kv ./tmp/deploy/rpm/all/os-release-1.0-r0.all.rpm
> ./tmp/deploy/rpm/all/tzdata-2016a-r0.all.rpm
> ./tmp/deploy/rpm/all/os-release-1.0-r0.all.rpm:
>     Header V4 RSA/SHA1 Signature, key ID 5a906f4c: OK
>     Header SHA1 digest: OK (e82b83bc3a4713d36548a3ea6b7c0d3c3dc35f1f)
>     MD5 digest: OK (e9bfa1fc6a4ae90e84851bfd4583ec29)
> ./tmp/deploy/rpm/all/tzdata-2016a-r0.all.rpm:
>     Header V4 RSA/SHA1 Signature, key ID 5a906f4c: OK
>     Header SHA1 digest: OK (d6925400698be829e08bc5013fd28d2c829a2600)
>     MD5 digest: OK (427f42d79b83e314f741ff73a672c5dc)
>
>
> Host RPM version
> >rpm --version
> RPM version 4.11.2
>
> Yocto RPM version
> >tmp/sysroots/x86_64-linux/usr/bin/rpm --version
> rpm (RPM) 5.4.14
>
> Yocto version: jethro (1a52eceaa5df89914b6a711defdcf0046e74c7f6)
>
> Best regards,
> Dimitri
>
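The practical mitigation that follows from the observation above is to never treat an "OK" from the packaging tool as the final word: the verifier must also require that the signing key ID belongs to an explicit set of keys the operator deliberately trusts. The script below is an added example written for this thread, not code from RPM, smart or Yocto. It parses the two `rpm -Kv` output shapes visible in the thread (RPM 5.4.14 and RPM 4.11.2, copied verbatim as sample data) and rejects any package whose signature is not OK, whose digests failed, or whose key ID is outside the allowlist; the `run_rpm_k` helper and its assumption that `rpm -Kv` prints the same layout on the reader's host are my own additions.

```python
"""Policy check over `rpm -Kv` output: accept a package only when its
signature is OK AND the signing key ID is in an explicit allowlist.
Added example for this thread; it assumes only the two output layouts
quoted in the thread (RPM 5.4.14 and RPM 4.11.2)."""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Sample output copied from the thread: RPM 5.4.14 says "OK" for two packages
# built without signing, each carrying a different auto-generated key.
RPM5_UNSIGNED = """\
./tmp/deploy/rpm/all/os-release-1.0-r0.all.rpm:
    Header V4 DSA signature: OK, key ID bd8f688a
    Header SHA1 digest: OK (45dfa7cbfe3cfc3a6c4a928e58b100d81f5a367d)
    MD5 digest: OK (a8450299f5c2d9adecc4bda799b7038d)
./tmp/deploy/rpm/all/tzdata-2016a-r0.all.rpm:
    Header V4 DSA signature: OK, key ID bc6abdd3
    Header SHA1 digest: OK (e95dc6b40965224ae443460117fe2ada4f855b2d)
    MD5 digest: OK (1dda4ae1673ab96dd9edbdc423df29ac)
"""
# The same packages checked by RPM 4.11.2 on the host (from the thread).
RPM4_UNSIGNED = """\
./tmp/deploy/rpm/all/os-release-1.0-r0.all.rpm:
    Header V4 DSA/SHA1 Signature, key ID bd8f688a: NOKEY
    Header SHA1 digest: OK (45dfa7cbfe3cfc3a6c4a928e58b100d81f5a367d)
    MD5 digest: OK (a8450299f5c2d9adecc4bda799b7038d)
./tmp/deploy/rpm/all/tzdata-2016a-r0.all.rpm:
    Header V4 DSA/SHA1 Signature, key ID bc6abdd3: NOKEY
    Header SHA1 digest: OK (e95dc6b40965224ae443460117fe2ada4f855b2d)
    MD5 digest: OK (1dda4ae1673ab96dd9edbdc423df29ac)
"""
# Properly signed packages, key 5a906f4c (from the thread).
RPM4_SIGNED = """\
./tmp/deploy/rpm/all/os-release-1.0-r0.all.rpm:
    Header V4 RSA/SHA1 Signature, key ID 5a906f4c: OK
    Header SHA1 digest: OK (e82b83bc3a4713d36548a3ea6b7c0d3c3dc35f1f)
    MD5 digest: OK (e9bfa1fc6a4ae90e84851bfd4583ec29)
./tmp/deploy/rpm/all/tzdata-2016a-r0.all.rpm:
    Header V4 RSA/SHA1 Signature, key ID 5a906f4c: OK
    Header SHA1 digest: OK (d6925400698be829e08bc5013fd28d2c829a2600)
    MD5 digest: OK (427f42d79b83e314f741ff73a672c5dc)
"""

PKG_LINE = re.compile(r"^(?P<pkg>\S+):\s*$")
# RPM5: "Header V4 DSA signature: OK, key ID bd8f688a"
# RPM4: "Header V4 DSA/SHA1 Signature, key ID bd8f688a: NOKEY"
SIG_LINE = re.compile(
    r"^\s+Header V\d+ [A-Z0-9/]+ [Ss]ignature"
    r"(?::\s*(?P<st5>\w+),\s*key ID (?P<key5>[0-9a-fA-F]+)"
    r"|,\s*key ID (?P<key4>[0-9a-fA-F]+):\s*(?P<st4>\w+))\s*$")
DIGEST_LINE = re.compile(r"^\s+(?:Header )?(?:SHA1|MD5) digest: (?P<st>\w+)")


@dataclass
class PackageCheck:
    package: str
    key_id: Optional[str] = None      # key ID as printed by rpm, lower-cased
    sig_status: Optional[str] = None  # OK / NOKEY / ...; None = no signature line
    digests_ok: bool = True


def parse_rpm_k(output: str) -> List[PackageCheck]:
    """Turn `rpm -Kv` text into one record per package."""
    results: List[PackageCheck] = []
    current: Optional[PackageCheck] = None
    for line in output.splitlines():
        if not line.strip():
            continue
        m = PKG_LINE.match(line)
        if m:
            current = PackageCheck(m.group("pkg"))
            results.append(current)
            continue
        if current is None:
            raise ValueError("detail line before any package line: %r" % line)
        m = SIG_LINE.match(line)
        if m:
            current.key_id = (m.group("key5") or m.group("key4")).lower()
            current.sig_status = (m.group("st5") or m.group("st4")).upper()
            continue
        m = DIGEST_LINE.match(line)
        if m and m.group("st").upper() != "OK":
            current.digests_ok = False
    return results


def apply_policy(checks: List[PackageCheck],
                 trusted_key_ids: Iterable[str]) -> Dict[str, Tuple[bool, str]]:
    """Map package -> (accepted, reason). rpm's own "OK" is necessary but not
    sufficient: the key must be one the operator explicitly trusts."""
    trusted = {k.lower() for k in trusted_key_ids}
    verdicts: Dict[str, Tuple[bool, str]] = {}
    for c in checks:
        if not c.digests_ok:
            verdicts[c.package] = (False, "digest mismatch")
        elif c.sig_status is None:
            verdicts[c.package] = (False, "no header signature")
        elif c.sig_status != "OK":
            verdicts[c.package] = (False, "signature status %s" % c.sig_status)
        elif c.key_id not in trusted:
            verdicts[c.package] = (False, "key ID %s not in trusted set" % c.key_id)
        else:
            verdicts[c.package] = (True, "signature OK with trusted key %s" % c.key_id)
    return verdicts


def run_rpm_k(paths: List[str], rpm: str = "rpm") -> str:
    """Run `rpm -Kv` on the given files and return stdout. The exit status is
    ignored on purpose: apply_policy decides, not rpm's idea of success."""
    return subprocess.run([rpm, "-Kv", *paths], capture_output=True,
                          text=True, check=False).stdout


if __name__ == "__main__":
    trusted = ["5a906f4c"]  # the key behind the thread's properly signed packages
    for label, text in (("rpm5 unsigned", RPM5_UNSIGNED),
                        ("rpm4 unsigned", RPM4_UNSIGNED),
                        ("rpm4 signed", RPM4_SIGNED)):
        for pkg, (ok, why) in apply_policy(parse_rpm_k(text), trusted).items():
            print("%-14s %-6s %s: %s" % (label, "ACCEPT" if ok else "REJECT", pkg, why))
```

Run as a script it rejects all four unsigned results (the RPM5 ones because `bd8f688a` and `bc6abdd3` are not in the allowlist, the RPM4 ones because of `NOKEY`) and accepts only the two packages signed with `5a906f4c`. On an RPM4 host the allowlist can be derived from `rpm -q gpg-pubkey`, whose package names carry the imported key IDs; that is the same database the host's `NOKEY` verdict consults, but keeping the list explicit means the check no longer depends on which rpm build happens to be installed on the target.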

