On Mon, Jul 03, 2017 at 12:16:53AM +0200, NicoHood wrote: > On 07/03/2017 12:07 AM, Morten Linderud wrote: > > On Sun, Jul 02, 2017 at 11:55:35PM +0200, NicoHood wrote: > >> Yes the GPG signature of the tag commit is checked. However you can > >> attack the git metadata and set a tag to a different commit. If this > >> commit is signed, but at an older stage which is vulnearable, we have an > >> issue. Just one example. So we should always also secure the transport > >> layer. > >> https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/torres-arias > >> > > > > The sign includes the hash. You would essentially have to trick Lennart > > into replacing the tag to a different commit, > > and sign the tag. Creating a vulnerable but verified source for the > > PKGBUILD. At this point i think we have bigger > > problems then whatever the PKGBUILD is doing... > > > > Thats is exactly what I mean. If I understood right you can modify the > git metadata in a way that you can pull tag 1.2 but get 1.0. And tag 1.0 > is gpg signed and all valid. This seems to work for me. >
But at this point you can't trust critical maintainers of important software. This isn't a threat model i think PKGBUILDs (or Arch for that matter) really cares about. Am i wrong? Or are you implying MITM attacks can trick the packager into packaging broken software? -- Morten Linderud PGP: 9C02FF419FECBE16
signature.asc
Description: PGP signature
